HackTheBox - Writer

Name: HackTheBox - Writer
Uploaded: 2021-12-11T14:57:46Z
Channel: IppSec
Description: 00:00 - Into 00:49 - Start of nmap 06:10 - Discovering admin login page, running SQLMap and discovering it is SQL Injectable 07:45 - Testing for SQL Inj...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Into 00:49 - Start of nmap 06:10 - Discovering admin login page, running SQLMap and discovering it is SQL Injectable 07:45 - Testing for SQL Injections in the username and password, discovering injection in the username 10:15 - The adminsitrative interface lets us upload images, failing to upload a PHP Shell 14:30 - Using the SQL Union Injection to extract source code via Load_file, then creating a python script to automate it 17:35 - Creating a Regular Expression in Python to grab only the data we want and be multiline 22:45 - Downloading a good LFI Wordlist and then using it with our…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Into

0:49 Start of nmap

6:10 Discovering admin login page, running SQLMap and discovering it is SQL Injecta

7:45 Testing for SQL Injections in the username and password, discovering injection

10:15 The adminsitrative interface lets us upload images, failing to upload a PHP Sh

14:30 Using the SQL Union Injection to extract source code via Load_file, then creat

17:35 Creating a Regular Expression in Python to grab only the data we want and be m

22:45 Downloading a good LFI Wordlist and then using it with our python script to fi

26:30 Finding the apache configuration which gives us where the web application live

27:10 Updating our LOAD_FILE command to utilize TO_BASE64 in order to get around the

33:30 Discoving an hardcoded password in the python flask web application

35:05 Discovering command injection in how the web application handles URL's

37:20 Simplifying our reverse shell by using a base64 cradle

40:04 Having troubles uploading the image, create the image manually on our box, so

45:10 Discovering another database password within the second web application, crack

51:00 Using find to find files owned by a group

51:45 Examaning the Postfix config to see it executes the Disclaimer script as John

55:00 Showing John doesn't get all the groups assigned to him from the Postfix shell

57:24 Write access to apt.conf.d, creating a pre-invoke script which is a persistenc

1:01:04 Showing the intended route of this box by editing a python script over SMB

1:04:30 Using the Image Upload form as a SSRF in order to ac

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →