HackTheBox - UpDown

IppSec · Beginner ·💻 AI-Assisted Coding ·3y ago

Skills: AI Pair Programming53%

00:00 - Intro 01:00 - Start of nmap 01:30 - Testing the webhook, examining the request the server makes 05:30 - Trying other URL Wrappers to see how the application behaves 08:10 - Finding the .git sub directory, running git-dumper to extract source code 10:55 - Finding and explaining the LFI Vulnerability 12:10 - Attempting to use the php filter to extract source code, does not work, turns out there's another website 14:00 - Discovering there is a special header requried to access the DEV Website 16:00 - Configuring BurpSuite to add the header for us 18:15 - Explaining the LFI And why we are going to use a phar file to get code execution 22:30 - Attempting to get a shell, when executing our file we get a ERROR 500. Simplify the payload to see it works. 26:00 - Examining phpinfo to see disabled functions, and discovering system() was blocked 27:00 - Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available 29:15 - Showing off github co-pilot, turns out it didn't exactly give me what I wanted. 31:00 - Uploading our script to check dangerous functions and identifying we can use the proc_open() function 32:00 - Creating a script to send us a reverse shell, more github copilot finishing our code for us 35:20 - Exploring the developer home directory, finding a setuid python binary that uses input(), exploiting to get developer user 39:30 - We can run easy_install with sudo, getting root 40:30 - Explaining the Code Execution without dropping a file, by using gadgets with php filters to create text for us

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: AI Pair Programming

View skill →

Build a JavaScript chat bot with us

Build a JavaScript chat bot with us

Live-code an emoji game with us | HTML, CSS & JavaScript

Live-code an emoji game with us | HTML, CSS & JavaScript

Group Coding: Working on the Coupon-API, Part 2

Group Coding: Working on the Coupon-API, Part 2

Can I Make Brick Breaker in One Hour - Coding Challenge

Can I Make Brick Breaker in One Hour - Coding Challenge

Speaking with a Webpage - Streaming Speech Transcripts

How to Make an Asteroids Game Bot (LIVE)

How to Make an Asteroids Game Bot (LIVE)

Related AI Lessons

How Nometria Handles Code Migration When Your Infrastructure Can't

Learn how to handle code migration when your AI-built app's infrastructure can't scale to production load

TypeScript Generics That Actually Matter — A Practical Guide for 2026

Master TypeScript generics to eliminate runtime type errors with zero overhead

Dev.to · kol kol

10 AI Automation Ideas That Actually Help Developers Build Faster

Discover 10 AI automation ideas to boost development speed and reduce repetitive tasks, enhancing overall engineering efficiency

Medium · Programming

I Kept Hitting Claude Code's 5-Hour Limit After 2 Hours. So I Built This.

Learn how to overcome Claude Code's 5-hour limit by building a custom solution to extend usage time

Dev.to · ec1980

Chapters (19)

Intro

1:00 Start of nmap

1:30 Testing the webhook, examining the request the server makes

5:30 Trying other URL Wrappers to see how the application behaves

8:10 Finding the .git sub directory, running git-dumper to extract source code

10:55 Finding and explaining the LFI Vulnerability

12:10 Attempting to use the php filter to extract source code, does not work, turns

14:00 Discovering there is a special header requried to access the DEV Website

16:00 Configuring BurpSuite to add the header for us

18:15 Explaining the LFI And why we are going to use a phar file to get code executi

22:30 Attempting to get a shell, when executing our file we get a ERROR 500. Simplif

26:00 Examining phpinfo to see disabled functions, and discovering system() was bloc

27:00 Converting the dfunc-bypasser script to PHP, so we can just upload it to the s

29:15 Showing off github co-pilot, turns out it didn't exactly give me what I wanted

31:00 Uploading our script to check dangerous functions and identifying we can use t

32:00 Creating a script to send us a reverse shell, more github copilot finishing ou

35:20 Exploring the developer home directory, finding a setuid python binary that us

39:30 We can run easy_install with sudo, getting root

40:30 Explaining the Code Execution without dropping a file, by using gadgets with p

Why Microsoft's GitHub is Breaking

The Information