HackTheBox - Unattended

Name: HackTheBox - Unattended
Uploaded: 2019-08-24T15:00:00Z
Channel: IppSec
Description: 01:00 - Begin of recon 03:30 - Running GoBuster to discover /dev and index.php 06:50 - Checking out the web application 07:55 - Discovering SQL Injectio...

IppSec · Intermediate ·📊 Data Analytics & Business Intelligence ·6y ago

01:00 - Begin of recon 03:30 - Running GoBuster to discover /dev and index.php 06:50 - Checking out the web application 07:55 - Discovering SQL Injection in ID and playing with it 11:45 - Running SQLMap to dump pieces of the database 14:55 - Nginx Misconfiguration, missing trailing slash 19:10 - Downloading source code of the application 21:20 - Exploring the source of the application 25:47 - Specifying an error string in SQLMap to have it do boolean logic versus time-based 27:00 - Installing a Docker LAMP Server to run the web application 45:40 - Finally got the application running locally (M…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

1:00 Begin of recon

3:30 Running GoBuster to discover /dev and index.php

6:50 Checking out the web application

7:55 Discovering SQL Injection in ID and playing with it

11:45 Running SQLMap to dump pieces of the database

14:55 Nginx Misconfiguration, missing trailing slash

19:10 Downloading source code of the application

21:20 Exploring the source of the application

25:47 Specifying an error string in SQLMap to have it do boolean logic versus time-b

27:00 Installing a Docker LAMP Server to run the web application

45:40 Finally got the application running locally (Missed a comma which created a lo

46:15 Analyzing the SQL Injection with Debug turned on to see how it works

50:00 Explanation of gaining code execution through an LFI + PHP Cookies

53:00 Exploring the cookie

55:40 Have code execution on our docker, lets exploit the server

1:00:00 Reverse Shell returned

1:02:35 Exploring MySQL database and escalating to GULY

1:08:30 Running LinEnum as Guly and going through the results

1:12:00 Exploring files Guly can access due to Grub Group, downloading initrd

1:14:10 Decompressing initrd.img and looking for the file GULY modified

1:21:20 Running STRACE to see what uinitrd does

1:24:20 Running uinitrd after modifying /etc/hosts and /boot/guid

1:26:20 Extra Content: If you had trouble with TTY, SSH is accessible via IPv6

1:30:50 Extra Content: Runing GIXY to analyze the NGINX Configuration

1:35:20 Extra Content: Looking at uinitrd in Ghidra

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →