HackTheBox - Retired

Published: 13 August 2022
on channel: IppSec

00:00 - Intro
01:00 - Start of nmap
01:50 - Talking about what the page parameter does and why it's normally vulnerable to LFI
03:20 - Running gobuster to get a list of files on the webserver while we poke at the LFI
04:45 - Finding an LFI in combination with an EAR (Execute After Read) Vulnerability. Then examining the source code of index.php to see the vulnerability
06:50 - There was a sanitize-string function that wasn't recursive; explaining how we could exploit this
10:00 - Discovering beta.html which is a license upload, grabbing the source code and vulnerable application
13:00 - Grabbing netstat-like information, running processes, and memory maps with our LFI vulnerability
16:25 - Playing with the activate_license executable and finding a buffer overflow
19:50 - Using GDB to examine the crash, need to use set follow-fork-mode child to follow the fork
22:55 - Crashing the program with a pattern and finding the offset to RSP
23:55 - Start of creating our exploit script
24:30 - Extracting where activate_license and libc exists within memory using the /proc/pid/maps file
22:55 - Using objdump to dump the location of system() within the libc version running on the target
27:57 - Using ropper to search for gadgets, pop rdi - pop rdx - and one to move values from rdx to rdi
30:20 - Using readelf to look for a writable space within memory for us to write our malicious command to
32:00 - Building the rop chain to write our command to memory, then call system
37:43 - Reverse shell returned running linpeas a
40:00 - Failing to run CVE-2022-0847, not sure why
43:50 - Discovering a timer that backs up the website as the dev user and is vulnerable to a symlink attack. Grabbing the home directory of dev, which has an SSH key
46:20 - Examining the ememu directory in dev which is a C Program
47:30 - Talking about binfmt_misc and how we will be able to register an interpreter for a file extension that executes code as root
49:30 - Talking about the cap_dac_override permission
50:20 - Exploiting our ability to write to the binfmt_misc/register to get root
