UHC - Altered

Name: UHC - Altered
Uploaded: 2022-04-01T16:22:50Z
Channel: IppSec
Description: 00:00 - Intro 00:55 - Start of nmap 01:35 - Enumerating the web page, finding a way to validate potential users 02:50 - Examining the data the website s...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 00:55 - Start of nmap 01:35 - Enumerating the web page, finding a way to validate potential users 02:50 - Examining the data the website stores in our browser 05:20 - Attempting type juggling, finding out its not vulnerable 06:20 - Before we WFUZZ, just playing with PHP to see how it handles numbers. 08:15 - Running WFUZZ with the range payload to bruteforce all possible pin code, find out we get blocked. 10:15 - Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR header 12:15 - Using WFUZZ with two wordlists in the zip mode, so we can fuzz with pin codes a…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Intro

0:55 Start of nmap

1:35 Enumerating the web page, finding a way to validate potential users

2:50 Examining the data the website stores in our browser

5:20 Attempting type juggling, finding out its not vulnerable

6:20 Before we WFUZZ, just playing with PHP to see how it handles numbers.

8:15 Running WFUZZ with the range payload to bruteforce all possible pin code, find

10:15 Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR head

12:15 Using WFUZZ with two wordlists in the zip mode, so we can fuzz with pin codes

17:30 Logged into the application, discovering the secret parameter which prevents u

19:45 Doing type juggling to bypass the tamper detection and finding SQL Injection

20:15 Extracting information out of the database with union injections with group_co

26:40 Nothing interesting in the database, dropping a webshell but first we have to

30:30 Using the INTO OUTFILE command to write a shell to /srv/altered/public/

33:55 Reverse shell returned

35:15 Explaining some basics around dirty pipe and why people use /etc/passwd

38:50 Using the DirtyPipe exploit that resets root's password to aaron

39:50 In order to use the "su" command, we need to beat wordle with a custom diction

42:50 Using a DirtyPipe exploit to overwrite a SetUID Binary, which bypasses our wor

45:10 Extra: Revisiting wordle, but now we have the dictionary it uses, so we can ch

49:30 Extra: Fumbling around in the source code, learning some things but failing to

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →