HackTheBox Zipping

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·2y ago

Skills: Security Basics90%Network Security80%

00:00 - Introduction 01:00 - Start of nmap 02:50 - Discovering a likely LFI in product.php but cannot use filters, likely because there is a file_exists() check 05:30 - Playing with the File Upload functionality 08:40 - Talking about the PHAR wrapper in PHP, showing it will bypass the file_exist and we can go into the ZIP to bypass the .pdf check 10:55 - Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper 16:40 - Showing the intended File Disclosure vulnerability, by uploading a zip with a symlink 18:00 - Creating a python script to automate the file disclosure vulnerability, making it easier for us to download files 28:30 - Script completed, looking at the PHP Code, then showing another unintended solution with a zip file and null byte 37:30 - Explaining what happened with the null byte 40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF Injection due to lack of multi-line 48:00 - Dumping the SQL Database with a union injection 51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell 58:00 - As Rektsu we can execute a binary with sudo, running strings discovers a hard coded password. Strace reveals it loads a library that doesn't exist, so we can use MSFVenom to create a malicious library

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Security Basics

View skill →

HackTheBox - Analytics

HackTheBox - Analytics

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

Amazon Web Services

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Configure and Deploy AWS Client VPN

Configure and Deploy AWS Client VPN

Related AI Lessons

Managing Permissions Directly via SQL in BigQuery

Manage BigQuery permissions directly via SQL to streamline LLM inference workflows

Medium · Data Science

Data’s Best Decade is Ahead. Most Companies Are Looking at it Wrong.

Learn how to leverage data correctly to drive business decisions and stay ahead in the industry

Data’s Best Decade is Ahead. Most Companies Are Looking at it Wrong.

Learn how to leverage data effectively to drive business decisions and unlock its full potential in the upcoming decade

Medium · Machine Learning

Data’s Best Decade is Ahead. Most Companies Are Looking at it Wrong.

Learn how to leverage data effectively by shifting focus from reporting to decision-making, a crucial skill for companies to thrive in the upcoming decade

Medium · Data Science

Chapters (14)

Introduction

1:00 Start of nmap

2:50 Discovering a likely LFI in product.php but cannot use filters, likely because

5:30 Playing with the File Upload functionality

8:40 Talking about the PHAR wrapper in PHP, showing it will bypass the file_exist a

10:55 Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper

16:40 Showing the intended File Disclosure vulnerability, by uploading a zip with a

18:00 Creating a python script to automate the file disclosure vulnerability, making

28:30 Script completed, looking at the PHP Code, then showing another unintended sol

37:30 Explaining what happened with the null byte

40:00 Showing the intended solution with the null byte, talking about how we can byp

48:00 Dumping the SQL Database with a union injection

51:15 Dropping a file from MySQL and then including it with the LFI to get a shell

58:00 As Rektsu we can execute a binary with sudo, running strings discovers a hard

AI/BI Genie for Marketing