UHC - Spooktrol

00:00 - Intro Hacking a Command and Control Server 01:07 - Running nmap and discovering two different SSH Instances, guessing one is Docker 03:30 - Looking at robots.txt which includes a link to the implant, looking at the error message and discovering its a cpp binary 05:30 - Using Wireshark to discover it makes a DNS Request to Spooktrol.htb, then walking through the C2's handshake 08:45 - Using BurpSuite and socat to proxy the connection of our binary 12:10 - Using BurpSuites find and replace to edit the Task that is getting to our C2 13:00 - Opening up the binary in Ghidra 14:15 - Looking at the decompiled output for the main function, which calls Spooky. Setting a break point on the XOR Function and discovering the first flag 16:45 - Discovering the Case Statement and analyzing Task number 1 (Exec) 19:50 - Stepping through each other task to discover what each function does 22:00 - The Perform Upload function builds a curl command 24:45 - Breaking after the curl string is assembled to show the full command it runs (Using BurpSuite to get to this part of the code) 27:50 - Accessing Task 3 a different way, breaking at the switch statement and editing the JMP. 32:45 - Editing the filename in the PUT Command to perform directory traversal and upload an SSH Key 34:30 - Logging into the C2, and inspecting the database to discover another beacon is running, which is on the Host Operating System 37:00 - Inserting a task into the database to ask the rogue beacon to execute a reverse shell for us 39:25 - Extra Content: Exploiting the box with no reverse engineering! Using an LFI to dump the source code to the application 41:40 - The server.py file has been leaked, grabbing all the other python scripts 43:20 - The application is now running on our box! Can identify the file upload functionality and how to exploit it. 51:45 - Extra Content: Going over the CPP code which shows how the implant works.