UHC - Spooktrol

Name: UHC - Spooktrol
Uploaded: 2021-10-26T15:18:26Z
Channel: IppSec
Description: 00:00 - Intro Hacking a Command and Control Server 01:07 - Running nmap and discovering two different SSH Instances, guessing one is Docker 03:30 - Look...

IppSec · Intermediate ·🔐 Cybersecurity ·4y ago

00:00 - Intro Hacking a Command and Control Server 01:07 - Running nmap and discovering two different SSH Instances, guessing one is Docker 03:30 - Looking at robots.txt which includes a link to the implant, looking at the error message and discovering its a cpp binary 05:30 - Using Wireshark to discover it makes a DNS Request to Spooktrol.htb, then walking through the C2's handshake 08:45 - Using BurpSuite and socat to proxy the connection of our binary 12:10 - Using BurpSuites find and replace to edit the Task that is getting to our C2 13:00 - Opening up the binary in Ghidra 14:15 - Looking …

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro Hacking a Command and Control Server

1:07 Running nmap and discovering two different SSH Instances, guessing one is Dock

3:30 Looking at robots.txt which includes a link to the implant, looking at the err

5:30 Using Wireshark to discover it makes a DNS Request to Spooktrol.htb, then walk

8:45 Using BurpSuite and socat to proxy the connection of our binary

12:10 Using BurpSuites find and replace to edit the Task that is getting to our C2

13:00 Opening up the binary in Ghidra

14:15 Looking at the decompiled output for the main function, which calls Spooky. S

16:45 Discovering the Case Statement and analyzing Task number 1 (Exec)

19:50 Stepping through each other task to discover what each function does

22:00 The Perform Upload function builds a curl command

24:45 Breaking after the curl string is assembled to show the full command it runs (

27:50 Accessing Task 3 a different way, breaking at the switch statement and editing

32:45 Editing the filename in the PUT Command to perform directory traversal and upl

34:30 Logging into the C2, and inspecting the database to discover another beacon is

37:00 Inserting a task into the database to ask the rogue beacon to execute a revers

39:25 Extra Content: Exploiting the box with no reverse engineering! Using an LFI t

41:40 The server.py file has been leaked, grabbing all the other python scripts

43:20 The application is now running on our box! Can identify the file upload funct

51:45 Extra Content: Going over the CPP code which shows how the implant works.

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →