HackTheBox - Travel

Name: HackTheBox - Travel
Uploaded: 2020-09-12T14:59:37Z
Channel: IppSec
Description: 00:00 - Intro 00:58 - Start of recon, discovering a bunch of hostnames in a cert 04:24 - Running wpscan against blog.travel.htb 06:10 - Running the raft...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·5y ago

00:00 - Intro 00:58 - Start of recon, discovering a bunch of hostnames in a cert 04:24 - Running wpscan against blog.travel.htb 06:10 - Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo 07:45 - Using git-dumper to download the git repo 10:28 - Examining the git project to discover what it is and where its installed on the webserver 14:20 - Discovering a debug file 16:30 - Hunting for where web app accepts user input 19:10 - Getting the server to make a request back to us 21:00 - Examining what debug.php is telling us (memcache) 26:15 - Hunting around wordpre…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

0:58 Start of recon, discovering a bunch of hostnames in a cert

4:24 Running wpscan against blog.travel.htb

6:10 Running the raft-large-files.txt against blog-dev.travel.htb to discover the g

7:45 Using git-dumper to download the git repo

10:28 Examining the git project to discover what it is and where its installed on th

14:20 Discovering a debug file

16:30 Hunting for where web app accepts user input

19:10 Getting the server to make a request back to us

21:00 Examining what debug.php is telling us (memcache)

26:15 Hunting around wordpress/simplepie to see how it is using memcache

33:00 Begin of trying to poison the memcache object, talking about bypass the ip fil

36:00 Bypassing the file:// filter by using gopher to smuggle in a request to memcac

39:15 Explaining what gopherus is doing

41:48 Creating a php serialized object to drop a file to the webserver

44:24 Having gopherus generate a malicious payload then dropping a web shell to the

47:00 Getting a reverse shell

50:50 Examining the MySQL database

53:45 Discovering the wordpress backup file with additional users

56:40 Logging in with lynik-admin and cracked password from WP backup. Finding ldap

58:45 Downloading Apache Directory Studio so we have a gui to LDAP

59:45 Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the se

1:06:00 Using Apache Directory Studio to add an SSH Key

1:09:10 Using Apache Directory Studio to modify the user group to sudo, then we can su

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →