HackTheBox - VariaType

IppSec · Beginner ·🔐 Cybersecurity ·1h ago
00:00 - Introduction
01:00 - Start of nmap
02:10 - Finding some CVEs in FontTools, but doing more recon on the site before we dive too deep
06:30 - Enumerating the website is Flask based upon error message (cookie works too)
09:20 - Trying to create an error message which could leak information about the server like its local path
11:30 - Taking a look at portal.variatype.htb which shows it is PHP
13:50 - Gobuster found a .git, running git-dumper to get the source
15:30 - Finding a File Disclosure in the PHP App because the ../ removal was not recursive
20:30 - Updating the FontTools script to put a reverse shell in, then using it to upload a PHP reverse shell to the portal
22:00 - Reverse shell returned
22:30 - Looking at the sudoers file, we can't read it but the metadata is a treasure trove of information. Looking at timestamps, doing some filtering getting nothing
26:30 - Using Docker to spin up a Debian image quickly, looking at the size of the default sudoers file and then comparing it to the box to see it has likely been modified
28:00 - Using find to look for files owned by steve, finding a backup script. It uses FontForge which has a CVE. We can put a malicious archive file and get RCE
37:00 - Shell returned as Steve
39:00 - Looking at the validator python script, first thought with symlinks won't work because we don't own the plugin directory
41:30 - Finding a CVE within SetupTools, using it to write an SSH Key
