HackTheBox - AI

18,909 views

Published on Jan 25, 2020

01:05 - Begin of Recon
01:50 - Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files.
03:45 - Playing with the File Upload, failing to identify how uploaded files are stored
05:20 - Investigating PHP Files that GoBuster found, discovering intelligence.php
06:30 - Searching for Text to Speech programs (create WAV Files)
08:50 - The first program didn't do a good job saving WAV Files, Downloading Festival
09:17 - Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides)
11:05 - Using text2wave to create wav files and upload them, then discover a SQL Injection over voice
14:04 - Having trouble getting the voice recognition to recognize the word union. Using "intelligence.php" to discover alternative words.
19:10 - Extracting the username and password out of the database, then logging in via SSH
21:00 - Investigating how the file upload script works, turns out to be a dead end
23:40 - Running linPEAS to check other privesc paths (see JDWP)
26:50 - Enumerating the local MySQL Database to get other credentials
28:00 - Starting to investigate the Tomcat ports (8000, 8009, and 8080)
29:00 - Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat
30:20 - Doing SSH Tunnels from within an SSH Session (~c) to forward port 8000 without reconnecting to SSH
32:10 - Manually using JDB to execute a command via java.lang.Runtime
42:30 - Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier
