HackTheBox - Toby

Name: HackTheBox - Toby
Uploaded: 2022-04-16T15:35:06Z
Channel: IppSec
Description: 00:00 - Intro 00:50 - Start of nmap 03:30 - Discovering backup.toby.htb and discovering GOGS 07:40 - Discovering a backup project in toby-admin, which i...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 00:50 - Start of nmap 03:30 - Discovering backup.toby.htb and discovering GOGS 07:40 - Discovering a backup project in toby-admin, which is wordpress 09:38 - Downloading and running php malicious file scanner and finding a backdoor in the web code 13:30 - Finding the backdoor in comment.php and finding out its packed a bunch of times. Using a loop to get it back to the original code. 19:00 - Analyzing the depacked malware, to see it will run a function on a specially crafted comment 22:40 - Placing the comment which should trigger the backdoor, then analyzing what happens 23:40 -…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Intro

0:50 Start of nmap

3:30 Discovering backup.toby.htb and discovering GOGS

7:40 Discovering a backup project in toby-admin, which is wordpress

9:38 Downloading and running php malicious file scanner and finding a backdoor in t

13:30 Finding the backdoor in comment.php and finding out its packed a bunch of time

19:00 Analyzing the depacked malware, to see it will run a function on a specially c

22:40 Placing the comment which should trigger the backdoor, then analyzing what hap

23:40 Wireshark shows the box starts a request on port 20053, listening and discover

28:20 Changing the secret to be 00, so it doesn't xor anything making it a bit easie

29:25 Sending it a command by XOR'ing it with the key the server sends back to us

32:00 Creating a python script to automate this

40:22 Reverse shell returned python isn't there so using script to get our regular T

42:15 Looking at /proc to see network information since ifconfig and ip are not on t

50:20 Running chisel to setup a proxy back to us

58:00 Connecting to the MySQL Database to crack wordpress accounts

1:01:10 Logging into the GOGS instance as toby-admin, downloading personal-webapp sour

1:04:30 Making the webapp talk initiate a MySQL Connection back to us

1:06:20 Editing our mysql instance to allow a host, but first we have to reset our mys

1:10:00 Extracting the SALT + Password from wireshark of MySQL Trying to log into us,

1:16:38 Converting the SALTS to hex, which is what hashcat needs, then trying to crack

1:18:35 Discovering the password used the password generator which is using the epoch

1:19:30 Copying the PWGenerator code to create a new wordlist of all potential passwor

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →