HackTheBox Zipping

Published: 13 January 2024
on channel: IppSec
Views: 12,012
Likes: 378

00:00 - Introduction
01:00 - Start of nmap
02:50 - Discovering a likely LFI in product.php but cannot use filters, likely because there is a file_exists() check
05:30 - Playing with the File Upload functionality
08:40 - Talking about the PHAR wrapper in PHP, showing it will bypass the file_exists() check and that we can go into the ZIP to bypass the .pdf check
10:55 - Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper
16:40 - Showing the intended File Disclosure vulnerability, by uploading a zip with a symlink
18:00 - Creating a python script to automate the file disclosure vulnerability, making it easier for us to download files
28:30 - Script completed, looking at the PHP Code, then showing another unintended solution with a zip file and null byte
37:30 - Explaining what happened with the null byte
40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF Injection due to lack of multi-line
48:00 - Dumping the SQL Database with a union injection
51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell
58:00 - As Rektsu we can execute a binary with sudo; running strings discovers a hard-coded password. Strace reveals it loads a library that doesn't exist, so we can use MSFVenom to create a malicious library

