HackTheBox - Retired
00:00 - Intro
01:00 - Start of nmap
01:50 - Talking about what the page parameter does and why its normally vulnerable to LFI
03:20 - Running gobuster to get a list of files on the webserver while we poke at the LFI
04:45 - Finding an LFI in combination with an EAR (Execute After Read) Vulnerability. Then examining the source code of to see the vulnerability
06:50 - There was an sanitize string function that wasn’t recursive, explaining how we could exploit this.
10:00 - Discovering which is a license upload, grabbing the source code and vulnerable application
13:00 - Grabbing netstat like information, running processes, and memory maps with our LFI Vulnerability
16:25 - Playing with the activate_license executable and finding a buffer overflow
19:50 - Using GDB to examine the crash, need to use set follow-fork-mode child to follow the fork
22:55 - Crashing the program with a pattern and finding the offset to RSP
23:55 - Start of creating our exploit script
24:30 - Extracting where activate_license and libc exists within memory using the /proc/pid/maps file
22:55 - Using objdump to dump the location of system() within the libc version running on the target
27:57 - Using ropper to search for gadgets, pop rdi - pop rdx - and one to move values from rdx to rdi
30:20 - Using readelf to look for a writable space within memory for us to write our malicious command to
32:00 - Building the rop chain to write our command to memory, then call system
37:43 - Reverse shell returned running linpeas a
40:00 - Failing to run CVE-2022-0847, not sure why
43:50 - Discovering a timer that backs up the website as the dev user and its vulnerable to a symlink attack. Grabbing the home directory of dev which has an ssh key
46:20 - Examining the ememu directory in dev which is a C Program
47:30 - Talking about Binfms and how we will be able to create an interpreter for extensions that executes code as root
49:30 - Talking about the cap_dac_override permission
50:20 - Exploiting our ability to write to the binfmt_misc/register to get root
4 months ago 00:10:23 1
7 months ago 00:00:00 1
8 months ago 00:04:06 1
9 months ago 00:32:44 18
9 months ago 00:34:38 2
9 months ago 01:27:34 5
9 months ago 00:37:18 6
9 months ago 00:41:25 5
9 months ago 01:46:13 2
9 months ago 01:12:42 4
9 months ago 00:26:29 1
9 months ago 02:06:46 2
9 months ago 00:54:43 11
9 months ago 02:05:30 1
9 months ago 00:33:44 1
9 months ago 00:27:16 1
10 months ago 00:30:39 1
10 months ago 11:21:04 1
12 months ago 05:30:24 3
12 months ago 01:02:06 16
12 months ago 00:16:21 18
12 months ago 02:09:39 15
1 year ago 00:29:19 2
1 year ago 00:39:17 7
