IppSec
HackTheBox - Popcorn
updated
01:00 - Start of nmap
02:40 - Examining the webpage, not finding much
05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data
08:20 - The process list is in SNMP, explaining how to read this data
12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in arguments! Attempting to log into Nagios with it
14:00 - The SVC Account couldn't log in on the GUI, Looking for how to login via an API
15:45 - Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection
17:40 - Manually exploiting this Error Based SQL Injection with XPATH
26:45 - Using Burpsuite Intruder to dump the TABLES, then edit the columns in burpsuite to show tables easily
33:40 - The APIKEY is too long to display, using SUBSTRING to grab the APIKEY in multiple requests
35:45 - Finding a way to register a new user with our API KEY and make them an administrator
39:00 - Creating a Nagios Check to send us a shell
41:20 - Showing how to perform the SQL Injection through SQLMap
49:00 - Finding the MySQL Password of Nagios
51:00 - Discovering the Nagios user has a bunch of sudo rules
57:00 - (Root method 1) Exploiting GetProfile through creating a SymLink
59:00 - (Root method 2) Overwriting the Nagios Binary than using Sudo to restart the service to get a root shell
00:55 - Start of nmap, showing -vv will cause the output to contain TTL
04:40 - Checking out the website
05:23 - Doing a VHOST Bruteforce to discover the internal domain and discovering credentials on a blog post
07:30 - Checking out the NAPListener blog post, which gives us a way to enumerate for the NAPLISTENER Implant
10:30 - Showing the Backdoor code to discover how it works
12:30 - Building a DotNet Reverse Shell and renaming the method to Run, then using Mono (mcs) to compile
14:45 - Converting the DLL to base64 and getting NAPLISTENER to execute it
19:20 - Discovering a draft blog post talking about them getting rid of laps and building a custom solution that uses elastic
24:00 - Setting up a tunnel with Chisel so we can talk to Elastic
25:55 - Using curl to enumerate Elastic
30:20 - Reversing the Golang binary with Ghidra
42:30 - Creating a Golang Binary to grab a document (seed), then using search to grab the blob, and decrypting it with AES-CFB
47:30 - Connecting to Elastic, using a Proxy
56:00 - Grabbing the Seed with the Golang Elastic Library
1:03:00 - Grabbing the Blob with Golang Elastic Library
1:09:45 - Using the Seed to generate our 16 byte key
1:13:53 - Creating a decrypt function
1:16:30 - Getting the PlainText then using RunasCS to get a reverse shell as the Backup User, which is administrator
01:00 - Start of nmap
03:45 - Discovering dev.devvortex.htb is a Joomla Page, showing JoomScan and enumerating version manually through manifests
07:00 - Looking for Joomla Exploits for version 4.2.6, discovering a way to view application config as an unauthenticated user
09:40 - Start of deep dive into the exploit, looking at commits on the day the advisory said this was patched
10:50 - Showing the fix just shows it is a mass assignment vulnerability, looking at how this works
17:10 - Showing fuzzing for arguments with ffuf would have caught this
26:18 - Logging into Joomla, then placing a shell in the Joomla Templates
32:15 - Logging into the database, cracking a hash to gain access to another user
35:30 - Taking a look at sudo discovering apport-cli, gtfobins comes up with nothing, looking at the version to discover an exploit within how it uses PAGER
01:00 - Start of nmap
02:45 - Discovering an exploit for Craft CMS, it doesn't work out of the box because of a typo on exploit-db looking into this exploit
06:00 - Walking through the Exploit Script
11:45 - Getting a shell on the box with the script that was on Github
14:45 - Logging into the CraftCMS Database, finding the password
17:30 - There is a backup of the database in the storage directory, which contains an old password for Matthew
22:45 - Linpeas shows us configurations for ZoneMinder, which lets us into another table of the database
25:20 - Setting a port forward so we can access ZoneMinder, then updating the password so we could login (not needed but fun to do)
29:20 - Showing an unauthenticated exploit in ZoneMinder
31:40 - The ZoneMinder user can run zoneminder scripts with sudo
33:30 - Finding a command injection in ZMUPDATE, getting shell as root
42:20 - Showing ZoneMinder lets you set the LD_PRELOAD which is another way to get root
55:50 - Showing the intended way to exploit ZoneMinder to get a shell as the ZM User, authenticated RCE
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
01:00 - Start of nmap
02:50 - Playing with the Javascript Editor, discovering filesystem calls are blocked
04:45 - Discovering the sandbox is vm2, going to github discovering it is discontinued with known security issues
06:30 - Getting code execution, then a reverse shell
09:50 - Discovering a second website with a database, cracking hashes in the database
12:50 - Discovering Joshua can run a bash script with sudo
15:00 - Looking at the Bash Common Pitfall guide which shows the error in the if/then logic in the bash script
15:55 - Explaining why the bash if/then is exploitable when user input is on the right side and unquoted
18:30 - Bypassing authentication in the script with a *, then looking at processes and seeing mysql censored the password on ps
20:50 - Running pspy which will grab the cmdline arguments before mysql has a chance to rewrite argv
21:50 - Showing HIDEPIDS in /etc/fstab to hide processes of other users
24:30 - Writing a program that can spoof argv on linux
26:30 - Showing how we grab the memory location of argv
27:30 - Looping over each argument, so we could overwrite a specific one if we wanted to
29:15 - Showing our process run with a blank process
33:30 - Making our program ps output blend in more
01:07 - Start of nmap then checking SMB Shares
04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 10000
07:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists
10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication
17:40 - Using NetExec to run Bloodhound as ldap_monitor
25:30 - Discovering Oorend can add themself to the ServiceMgmt group, which can take over the WinRM Account
28:30 - Spraying the password of the ldap_monitor account to discover it shares oorend's password
34:20 - Showing BloodyAD to add Oorend to ServiceMGMT then abusing the GenericAll to Service Users, so we can reset WinRM_SVC's password
40:30 - Showing a more opsec friendly way to take over WINRM_SVC by abusing shadow credentials so we don't change the accounts password
50:00 - As WINRM_SVC we cannot run some commands like qwinsta or tasklist. Using RunasCS, to switch our login to a non-remote login which will let us run these commands
54:10 - Performing a Cross Session attack with Remote Potato to steal the NTLMv2 Hash of another user logged into the same box we are
59:20 - Using NetExec to read GMSA Passwords as TBRADY
1:04:00 - Using findDelagation.py to show constrained delegation from the GMSA delegator account
1:11:20 - Using RBCD.py to setup the Resource-Based Constrained Delegation so we can get a forwardable ticket to abuse delegators delegation and impersonate users
1:18:20 - Using our ticket that impersonates DC01 and performing secretsdump and then getting Adminsitrator's hash so we can login
01:00 - Start of nmap
03:20 - Discovering Metabase, noticing the HTTP Headers are different. Checking TTL just to see if it decrements from the main web page.
07:00 - Searching for an exploit for metabase, then enumerating version
09:30 - Manually exploiting Metabase by pulling the setup-token, then getting injection on the /setup/validate endpoint through the JDBC Driver
15:50 - Reverse shell returned
18:30 - Discovering credentials in the environment variables, then ssh into the box
20:12 - Googling the kernel to discover its vulnerable to GameOverlay
24:00 - Explaining the gameoverlay exploit (CVE-2023-23640, CVE-2023-32629)
25:50 - Stepping through the exploit manually to understand how the overlay fs works, and what the exploit did to abuse it
28:10 - Looking into the permissions of the binaries that were created
01:00 - Start of Nmap
03:20 - Checking out the website, deciding there isn't much of interest here
05:10 - Running Kerbrute with a userlist to identify valid users
05:50 - Showing what Kerbrute is doing with NetExec
09:00 - A better way to enumerate valid users, RID Bruteforce, showing it with NetExec
10:50 - Using RPCClient to show how RID Bruteforce works
14:00 - Using NetExec to bruteforce users with the password of their username
17:55 - Showing off the NetExec Database
19:30 - Switching over to testing accounts for MSSQL Access with NetExec
21:20 - Using Impacket's MSSQLClient to access the MSSQL Server and running XP_DIRTREE to find a backup on the webserver
23:20 - Finding a credential for Raven in the backup file
26:50 - Using Certipy to find out the server is exploitable to ADCS ESC7, then exploiting it
01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan
04:40 - Taking a look at the MedDigi website
07:07 - Taking a look at the Signup Request seeing AcctType
09:30 - Changing the AcctType to 2 and getting a different privilege
14:00 - VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing session from the main page on this domain to bypass login
17:52 - Discovering SSRF in the Prescriptions page
19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and upload ASPX Web Shells
25:30 - Going back to the SSRF and discovering we can use time-based queries to identify ports listening on localhost
28:30 - Using FFUF to filter by duration to show us the requests that don't take a long time
38:22 - Discovering port 8080 shows our upload location, then navigating to it and getting a shell
42:22 - Finding DLL's the webserver uses, they are dotnet so copying them to a windows box so we can use dnspy and finding a password
45:40 - Using netexec to try the password against all users, then logging in as devdoc
53:00 - Looking at the ReportManagement.exe, opening it up in Ghidra
56:50 - Using chisel to forward port 100 to our box so we can access ReportManager
59:30 - Strings shows that externalupload.dll is right next to the Libraries string
1:00:15 - Looking at imports, see CreateProcessW, then going to where the binary calls that process
1:03:30 - Doing Dynamic Analysis with ProcMon, creating all the directories/files the program wants
1:18:50 - Eventually see it looking for files in the Libraries Directory when doing the upload command
1:21:45 - When externalupload.dll exists, we can see it doing a CreateProcess call, creating a DLL that sends a reverse shell
1:26:30 - When the DLL is in the libraries and we run upload, we get a shell
01:00 - Start of nmap
03:10 - Identify JSESSIONID with nginx, but nginx appears to be configured correctly
06:00 - Googling the error message to identify the page uses SpringBoot, using a SpringBoot wordlist to find actuators!
10:30 - Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface
14:15 - Finding RCE in the ExecSSH Page
23:20 - Shell on CozyHosting, looking at running services
26:00 - Examining the CozyHosting Jar to identify PostGres credentials then dumping the users table and cracking hashes
33:00 - Josh can run SSH with sudo, using proxy command to get root
34:10 - Explaining what ProxyCommand is
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens while will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GotPotato to abuse the SeImpersonate Privilege and run code as system
01:00 - Start of nmap
02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django
07:50 - Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but not view the ID itself
14:00 - Accidentally deleting something important when FUZZING, always be careful of what you are doing with tools
16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into the server
23:00 - Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an old commit that has the password to decrypt backups
32:00 - Logging into the box as Tom, discovering the DoodleGrive Binary, opening it up in Ghidra
38:45 - Looking at the Sanitize_String command, to see what characters we cannot use
41:40 - Exploiting DoodleGrive via SQL Injection with the EDIT command, this is easy to exploit because SetUID's preserve environment variables
47:40 - Got root, our path is messed up which makes the shell hard to use, however fixing the path is easy
50:45 - Exploiting DoodleGrive via LOAD_EXTENSION, by dropping a library and using char() to avoid the sanitize string function
54:00 - Our SQL Extension C Code
1:02:36 - Failing to use WriteFile() guessing this is because of the size of our input, may incorrectly say buffer overflow here.
1:16:20 - Exploit DoodleGrive via Binary Exploitation! Explaining the Overflow and Format String Vulnerability we will use
1:19:30 - Creating a python script to find where the Canary exists in memory via the Format String Exploit (%i$lx)
1:23:30 - Proving this is the canary by stepping through the program in GDB use $fs_base to examing fs
1:25:30 - Finding where we can overwrite the canary with pattern create
1:27:55 - Creating a python script to exploit this binary
1:43:40 - Converting our pwntools script to use SSH so we can exploit the binary on the target
00:45 - Start of nmap
01:45 - Looking at Jenkins Advisory 3314 (CVE-2024-23897), which has a File Read vulnerability in the CLI. Then downloading the Jar
03:00 - Explaining the Vulnerability with a quick demo
06:00 - Creating a really nasty bash script to fuzz many of the Jenkins Paramaters to see which produce the most number of lines
13:45 - Script working, discovering which commands let us export the entire passwd file
15:00 - Using docker to pull the latest version of Jenkins, in order to see how it stores credentials
21:40 - Extracting the Password Hash for Jennifer and cracking it to get logged into Jenkins
24:45 - Showing Jenkins Script Console, a fun way to get code execution on Jenkins. But this isn't the path
25:50 - Going into the Credentials Store for Jenkins, discovering a SSH Key is there. Exporting it and then using the Script Console to decrypt it
35:00 - Flailing around, trying to export all the secrets needed to decrypt the SSH Key... Don't get it working unfortunately but thought it was good to leave in here.
01:00:36 - Exporting the SSH Key through a Jenkins Pipeline
01:00 - Start of box
02:00 - Checking out Request Tracker, login with default creds
06:30 - Finding a password in the users description on RT
09:00 - Googling how to get keepass passwords from memory
11:00 - Talking about how this exploit actually works, its because of the textbox!
15:00 - Using strings on the dump file to show how the password looks in memory
20:30 - Searching the keepass, finding a putty private key
23:00 - Converting the putty key to openssh
26:00 - Grabbing root
01:00 - Start of nmap
03:10 - Enumerating port 5000/5001 to see a Docker Registry and Auth Server
06:10 - Creating our auth token for the Docker Registry
08:45 - Adding the SSL Cert to our certificate store, then doing a docker pull to download and run the container
13:00 - Discovering JSESSIONID Cookie, attempting the weird directory traversal bug of /..;/ (nginx directory didn't have a trailing slash on the location)
16:45 - The Examples directory has a sessions example that lets us modify the session, doing this to get a File Disclosure vulnerability then downloading the WAR file hosting the app
27:45 - Opening the WAR in JD-GUI then examining the source code, discovering we can change our user to admin by editing the session
33:30 - Pointing the RMI.HOST back to us, then use YSOSERIAL to host a malicious server
42:50 - YSOSERIAL-MODIFIED Docker is up, using YSOSERIAL to start a JRMP Listener and host a malicious payload
46:45 - Shell on the container, showing where IPv6 addresses are stored (/proc/if_inet6) and that we could have gotten this with the file disclosure which allows for bypassing the firewall, did not need to do the ysoserial step for this next one.
52:51 - Looking at the source code again, discovering we can use the RMI to perform file operations on the host
56:00 - Start of creating the RMI Client Java App
1:09:18 - Running into an error using our decompiled code. Having our exploit just reference the class files (before decompilation)
1:25:00 - Finishing up our exploit script, then writing an SSH Key
1:36:60 - Looking at running processes, discovering the RMI Server restarts every 3 minutes, then running PSPY discovering a quarentine.jar
1:43:00 - Looking at the initial JAR again, discovering it will give out a config. Using RECAF so I can just replace code in the jar without recompiling
1:48:00 - Looking at the Quarantine Service, which pulls a config from the RMI Server then runs CLAM AV
1:51:40 - Having CLAM AV scan /root, and flag every file as a virus sending it to /dev/shm
01:02 - Start of nmap and discovering NFS, which is hosting source code to the webserver
05:50 - Showing off the NFSClient Golang binary by Mubix, does not work here because NFS is Read-only
07:40 - Viewing the website for the first time, so we have an idea of what source code we are looking at
09:00 - Looking at the source code, Snyk doesn't give us anything
11:45 - Looking at database queries and finding a Mass Assignment Vulnerability
13:30 - Discovering we need to assign ourselves to Admin
14:45 - Using a line break, to bypass the check against the Key, allowing us to pass in the Role
17:48 - Showing another way to set our Role To Admin through SQL Injection in the Value
21:52 - Viewing the Administration page, discovering how the export function works
25:00 - We can place PHP Code in NICKNAME for our user, which then the export function writes to a php file which then executes
30:12 - Running LinPEAS, discovering a SetUID Binary (execute_query)
36:00 - Examining execute_query in Ghidra, discovering a File Disclosure Vulnerability
42:00 - Grabbing the SSH Key for Jack
44:27 - Jack can sudo run /opt/monitor.sh, and set the environment. We can use LD_PRELOAD to hijack dynamically compiled binaries.
50:15 - Showing the intended way by setting a proxy to CURL, allowing us to change the data the server sends and trigger an XXE
! Twitter Bad Words
twitter.com##[data-testid="cellInnerDiv"]:has-text(/ the | and | or /i)
! Discover more / More Tweets - Conversation view suggestions
twitter.com##[aria-label="Timeline: Conversation"] [data-testid="cellInnerDiv"] h2:has-text(/^(Discover more|More Tweets)$/):upward([data-testid="cellInnerDiv"])
twitter.com##[aria-label="Timeline: Conversation"] [data-testid="cellInnerDiv"] h2:has-text(/^(Discover more|More Tweets)$/):upward([data-testid="cellInnerDiv"])~div
The reddit post, not tweet lol: reddit.com/r/uBlockOrigin/comments/13twvuu/comment/jmg78ak/?utm_source=share&utm_medium=web2x&context=3
Github Page: github.com/gorhill/uBlock/wiki/Dashboard:-My-filters
00:00 - Introduction talking about why I block it on the browser not platform.
01:00 - Creating the rule to hide tweets that contain words
02:00 - Discovering we didn't filter words, but strings. So "the" would block "therefore", since the is a substring.
02:59 - Making it case insensitive
03:30 - Showing where the data-testid came from
04:20 - Showing some more filters, showing the reddit post not tweet (lol)
00:50 - Start of nmap
04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because JS cannot be on the same page. Looking for a file upload functionality.
08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field
11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allows us to add notes to other people's items by creating a second account
16:00 - Creating a Python Script that will automatically poison items in peoples basket (cart)
28:00 - Backet Poisoner script is completed
28:50 - Creating a JavaScript payload, explaining why I'm doing await, fetch, and helper functions.
40:15 - Having the XSS Payload fetch profile, look for orders, then perform a get on all orders to examine the order page. Then send us the HTML of that page
49:55 - Creating a Python Flask Server that will save all of the orders the XSS Payload sends us
56:00 - Examining orders, discovering there is a "Download Everything" URL. Didn't show it but there is no IDOR Vulnerability here, need to have the XSS Trigger it. Exfilling /etc/passwd
01:12:00 - Extracting database.js, which contains the database information. The password lets us onto the system as Frank
01:15:52 - EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting ROOT on res.download of express
01:21:04 - Enumerating the box as Frank discovering a second web application listening on 3001
01:30:00 - Looking at the source code to the book converter.
01:36:20 - Exploiting a SSRF/File Disclosure vulnerability in the Book Converter, but it doesn't get us anything
01:42:18 - Finding Arbitrary File Write vulnerability in the Book Converter by abusing SymLinks to bypass an File Extension Check.
01:51:50 - Shell as Neil who can run the GenLabel binary with Sudo, examining it to discover a SQL + PostScript Injection
01:57:10 - Using the SQL Injection to Inject a FileWrite command in the PostScript file which then gives us Arbitrary File Write as root
00:00 - Introduction
00:40 - Going over the file disclosure vulnerability we are using for the example (Zipping box from HTB)
03:50 - Showing the python script created in the file to exfil files one at a time
05:40 - Talking about why we created a file disclosure crawler, running it and opening VSCode
07:05 - Showing Snyk detecting vulnerabilities
09:55 - Going over the script we made on stream
01:00 - Start of nmap
02:50 - Discovering a likely LFI in product.php but cannot use filters, likely because there is a file_exists() check
05:30 - Playing with the File Upload functionality
08:40 - Talking about the PHAR wrapper in PHP, showing it will bypass the file_exist and we can go into the ZIP to bypass the .pdf check
10:55 - Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper
16:40 - Showing the intended File Disclosure vulnerability, by uploading a zip with a symlink
18:00 - Creating a python script to automate the file disclosure vulnerability, making it easier for us to download files
28:30 - Script completed, looking at the PHP Code, then showing another unintended solution with a zip file and null byte
37:30 - Explaining what happened with the null byte
40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF Injection due to lack of multi-line
48:00 - Dumping the SQL Database with a union injection
51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell
58:00 - As Rektsu we can execute a binary with sudo, running strings discovers a hard coded password. Strace reveals it loads a library that doesn't exist, so we can use MSFVenom to create a malicious library
00:40 - Start of nmap
02:00 - Examining the website, playing with the basket, trying SSTI/SQL Injection special characters
04:30 - Looking at the settings, discovering we can perform a SSRF and get the response back. Grabbing localhost:80
06:10 - The local website runs maltrail 0.53, examining the exploit then manually exploiting it to get a shell
09:10 - Shell returned, checking if we really needed to encode the payload
13:00 - When systemctl runs status, it sends us to less which we can escape out of and run as root
01:00 - Start of nmap
03:30 - Exploring the file share
07:15 - Finding Encrypter.exe, which is a dotnet encrypter. Discovering the seed is based upon time, modifying it to decrypt using metadata from the encrypted file to get the seed.
15:30 - The encrypted file was a Keepass Database, looking into it and seeing credentials and a uthenticator backup
19:45 - Installing the "Authenticator" app and seeing the backup format is the same
21:30 - Explaining why we want to just bruteforce AES vs Argon2id
25:50 - Creating a program in javascript to bruteforce the AES by decrypting and examining the contents of what was decrypted
40:40 - Cracking program done, then logging into TeamCity
45:45 - We can't modify the files on TeamCity but we can use the personal build, supply a dif and get it to execute code that way
49:50 - Defender blocked nishang reverse shell, doing some quick obfuscation to bypass defender and get a shell
55:50 - Discovering Teamcity keeps track of personal builds, looking at old ones and discovering powershell credentials. Decrypting the Secure String to get e.black's password
1:08:00 - Running the bloodhound python collector in a Docker
1:17:40 - Writing a bloodhound query to show Organization Units in active directory, then using Get-ACL to see unique privileges to each OU
1:24:15 - Explaining the attack path, e.blake can manipulate ADCS, s.blade can add machines to a specific OU. We can create a vulnerable ADCS Template and exploit this with Certifried
1:31:30 - Creating and publishing the Vulnerable Certificate. Cloning computer, then modifying msPKI-Enrollment-Flag
1:53:30 - Doing an easier vulnerable template, to make this box vulnerable to ESC1. Set msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag,
07:50 - Analyzing the files we have
11:45 - Using Impacket to dump local creds
16:28 - Running MFTECmd to process MFT File and Chainsaw to process logs. These take a while
22:15 - Looking at the Prefetch files to see what programs have been run
29:00 - Looking at the Teamviewer log file
38:15 - Looking at the Firefox History to see when they downloaded TeamViewer
46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn't copy well.
1:00:39 - Going over Sysmon logs with JQ to search and filter
1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 - Looking at powershell, discovering some encoded commands which is where the bitlocker question is
1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...
1:27:50 - Looking at when the system time was changed based upon security log
1:45:00 - Having trouble finding the SID of the user, using registry hives to get this information
1:54:50 - Using date to help us convert date formats
01:30 - Talking about why I'm using Zeek and running it in a docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grek (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made, discovering our attacker doing a port scan using date -d @epoch to convert to human readable time
42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download
53:15 - Looking at the files downloaded over FTP
1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 - Finding when the port knock happened
00:58 - Start of nmap
03:30 - Taking a look at the website
05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything
08:00 - Exploring the Ansible Playbooks in the Development Share to discover encrypted passwords (ansible vault)
10:00 - Converting the Ansible Vault Hashes to John/Hashcat format so we can crack them
13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)
19:50 - Adding a rogue ldap server into the PWM Config, then clicking test config will send us the password for the ldap account
27:00 - Running Certipy to find the server is vulnerable to ESC1, we just need to enroll a computer
28:00 - Using NetExec to show how the MachineAccoutnQuote, confirming we can enroll machines
29:00 - Using Impacket to add a rogue computer
30:00 - Using Certipy to perform the ESC1, it works but smart card login isn't enabled so we can't log in right away.
33:30 - Looking at the error message, finding we can PassTheCert to LDAP which then will let us get admin
37:15 - Using PassTheCert to add ourselves to the Domain Administrator group
39:25 - Showing PassTheSert to set_rbcd, which will enable our rogue computer the ability to sign krb, allowing us to impersonate the administrator
00:55 - Start of nmap, playing with the webapp discovering it is Laravel PHP App
06:50 - Discovering /assets is a redirect to /assets/, indicator of the Nginx off by slash [MasterRecon]
11:50 - Using the Nginx off by slash to download .env and .git to get the source code to the app
14:00 - Start of code analysis
15:55 - Finding a Mass Assignment vulnerability in the update functionality
21:50 - Taking some time to explore if there are ways to find Mass Assignment without looking at the code or guessing
27:30 - Looking at the Webhooks-api-beta website, playing with the request and discovering we need to send it JSON
30:40 - Playing with the JWT, Discovering its a RS256 encoded, doing an Algorithm Confusion attack to sign the token with the RSA Public Key
41:50 - Playing with the Webhook and discovering a SSRF, which we can also do protocol smuggling since we can write to the HTTP Method
46:30 - Looking at the Redis Migrate functionality which confirms we can interact with Redis. Also stand up redis on our box with docker
52:28 - Inserting a poisoned laravel cookie into redis we created with phpggc, troubleshooting all the encoding issues we have. Browsing the page deserializes our cookie and gets RCE
1:17:50 - Reverse shell returned, examining the mysql database and redis keys
1:30:10 - Uploading a static nmap to scan the docker containers finding a docker registry, downloading the api container to get the source code
1:49:35 - Source code analysis on the webhook code, discovering a file disclosure and hardcoded API Key
2:02:50 - Dumping the environment variables, getting the DB Password which is also a user password, ssh as john
2:08:30 - John can run docker compose on a sanitized docker file, there are a few ways to bypass this check
2:12:10 - Showing we can pass in a raw device, which works without adding any special capabilities to the docker container but it is very very dangerous
2:30:30 - Showing we can also pass in a volume as RO and give the capability and AppArmor policy to allow the container to remount this as RW
00:55 - Start of nmap
03:00 - Uploading an image file and trying to identify how the upload works
06:20 - Running Git-Dumper to download the exposed .git directory, taking a look at the source code
09:45 - Looking at the ImageMagick version (7.1.0-49) and seeing it is vulnerable to CVE-2022-44268
13:30 - Generating a malicious image and downloading the sqlite database
19:30 - Doing a PS and seeing inotifywait is being used to run a bash script when files created in web directory
21:35 - Showing why the bash script is not vulnerable
28:00 - Finding a binwalk exploit for version 2.3.2, which takes advantage of path traversal in PFS files
32:50 - Taking a look into the exploit to see how it works
35:30 - Showing the PFS File Format
01:00 - Start of nmap
03:10 - Finding their public key, then sending an encrypted message that contains a XSS Test payload
06:50 - Creating a PGP Key and sending our public key, so they can send an encrypted message back
08:40 - Decrypting the message they sent to us
09:50 - Signing a message, but not encrypting it for them to verify and see they give us the metadata back
12:40 - Testing a SSTI Payload in the username of the key, and seeing it will dump the config
15:25 - Finding a SSTI Payload with Jinja2 that gives code execution... First attempt fails
19:23 - Testing a different SSTI Payload and getting code execution
21:40 - Reverse shell returned, discovering we are in a jail, attempting to get chisel up and running and failing
26:55 - Finding admin.json which contains another credential and we can use this to SSH into the box
28:00 - Logging into MySQL and attempting to crack the hashes
31:00 - Identifying that a file in the cargo directory for atlas is being updated every 2 minutes. Running pspy to identify what is happening
35:55 - We can write to one of the libraries cargo using to build, putting a reverse shell in
43:50 - Identifying that Atlas can run Firejail as root, finding a exploit for Firejail and getting root
01:10 - Going over the questions
03:50 - Examing the forensic acquisition files
07:10 - Dumping the SAM Database to get hashes of the local accounts
12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV
15:35 - Analyzing the IIS Access Log
22:30 - Showing the files the attacker accessed in the Access Log
27:00 - Grabbing the Moveit metasploit script since the useragent hinted at metasploit being ran
36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events
42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk
52:10 - Looking at the Powershell Console History to get what commands were ran
55:27 - Analyzing the Moveit MYSQL Dump file by copying it into a MySQL Server
1:02:30 - Going over the chainsaw hunt on security event log
1:11:40 - Looking at Security.json and using some jq-fu to show specific data
1:21:50 - Looking at the strings from the memory dump, to see commands ran and the actual webshell
1:26:30 - Showing the Defender log with Chainsaw
01:00 - Start of nmap
05:30 - Playing with the download file functionality, discovering the UUID is the file on disk and not column in database by prepending a slash
09:00 - Finding a File Disclosure vulnerability, extracting application source code, getting source code of the app
13:15 - Start of signing our own cookies, examining the sig cookie to discover it is 40 bytes which is likely sha1
16:00 - Playing with Cyber Chef to discover how the cookie is signed
18:50 - Creating a python application to create and sign cookies so we can become other users
24:30 - Becoming other users and looking at all uploaded files
32:50 - Explaining the ORM Injection, looking at Prisma Documentation to discover how we can perform boolean injection
37:00 - Showing the proof of concept payload, and then making the script loop to extract the entire password field
44:00 - POC Script done, but it is slow. Adding concurrency/threading with asyncio/await to our script to speed it up
48:50 - Modifying the script to dump multiple users, and finding WESLEY's password
56:00 - Explaining how the Boolean Injeciton script works
59:50 - Looking at the running processes, discovering root is running su and a new pty is not being created, which makes this vulnerable to the tty pushback attack
1:02:45 - Explaining the TTY Pushback attack
1:10:20 - Gettinng the PostGresql credentials from the systemd file which lets us write to the postgres home directory, which enables us to perform the TTY Pushback attack against root
01:00 - Start of nmap
01:45 - Logging into ActiveMQ with admin:admin and then failing to use the exploit from 2016
04:00 - Doing a full nmap scan, then running script scans on the open ports
07:50 - Finding a page that talks about CVE-2023-46604, the latest activemq exploit
11:00 - Pulling down an exploit payload for this exploit, it is golang
12:30 - Modifying the payload to execute a reverse shell, instead of downloading and executing an elf file. Need to HTML Entity Encode the payload
16:30 - Reverse shell returned, seeing we can run nginx as root
17:20 - Building an nginx config that runs as root and shares the entire filesystem
23:08 - Enabling the WebDav PUT so we can upload files to the server and uploading an SSH Key
27:05 - Showing we could upload a cron entry aswell to get code execution
01:00 - Start of nmap
02:30 - Discovering Discovering the LaTeX Equation Generator Page
04:10 - Attempting to get code execution, discovering a WAF. Building a wordlist and using FFUF to identify potentially dangerous commands that aren't blocked
07:45 - Discovering lstinputlisting is not blocked, which will let us read files
10:45 - Using FFUF to bruteforce subdomains, show the automatic calibration, so you don't need to manually specify filters
13:25 - Looking for the Apache Config for the Dev subdomain, as it likely has a htpasswd file we can get a password from
15:25 - Showing the alternate path to get RCE, Bypassing the filter by encoding characters in hex with ^^
18:50 - Talking about the catcode command and a failed path at evading a filter with this, but it pointed me towards superscript
21:40 - Looking at the wikibooks latex page and seeing ^ is superscript by default, so we don't need the catcode
22:20 - Testing the bypass with a valid command to make sure it works
24:00 - Writing a file
27:35 - I failed at typing my PHP Shell, standing up my own PHP Server so I can see the error
29:30 - PHP Script is written, getting a reverse shell grabbing the htpasswd and kracking
33:30 - Copying LinPeas and disabling FAST mode, so it looks for unique processes
36:30 - Discovering a cron that is running GNUPLOT
37:50 - Looking at GNUPLOT commands and discovering it has a SYSTEM Command
42:00 - We aren't getting a reverse shell, running the command ourself to see STDERR and discovering commands are case-sensitive
43:00 - Root shell returned, just playing with GNUPLOT to show we can write to a file
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then gobustering setting our method to POST
11:55 - Finding a SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool
21:30 - Sending a SMTP Request via gopher to send an email with a link to a malicious file
27:55 - Making a ODT Document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing the TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (Both USER and NOTE now point to the same point in memory
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
00:00 - Talking about why I like SQL Boolean Injection
01:47 - Opening up the source code to the web app
02:00 - Snyk sponsor segment, talking about how it can find and fix vulnerabilities in your code in real time
04:30 - Demonstrating validating boolean injection with an or statement
07:00 - Showing a small python client I made for this video to play with the SQL Injection, then showing subqueries
09:20 - Showing how to enumerate columns in the database via brute-force guessing because we can't use information_schema
11:25 - Going over the LIMIT statement so we can control which row we are looking at, then showing LIMIT 2 offset 1 is the same as LIMIT 1,1
15:00 - Showing the SUBSTR command so we can guess individual characters in a column/row
17:05 - Talking about converting a string to number in mysql which makes it possible to guess bad characters
21:45 - Start of creating our script, talking about the 3 functions we need, then creating one to dump the number of rows in a column
29:40 - Automating getting the length of a column in our row
32:40 - Automating exfilling the actual data and implementing a binary search/divide and conquer algorithm to speed our request up
46:00 - Debugging our script
47:35 - Found the error, messed up the column name. Showing the algorithm we made to bruteforce characters with the BETWEEN
49:00 - Putting all the functions together to automate dumping all the data
54:50 - Showing SQLMap has troubles with this, especially because the function (GEOGRAPHY_AREA) it uses to fingerprint the app won't work because it contains a bad character (_)
57:10 - Cleaning up and explaining the code a little bit
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupityr Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for jupityr files and discovering the token, which enables us login to Jupityr notebooks and get a shell as
28:45 - Jovian can run sattrack as as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrick config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain what I think is going on, its using FIND_IN_SET
14:20 - Discovering space is a bad character and when this happens using the -- comment is bad
17:48 - Manually dumping the database with union statements
25:18 - Using SQL Map showing this SQL Injection
30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash
38:28 - Logged in as an admin (Steve)
42:10 - Talking about Exploiting PHP Object Instanatiations then exploiting ImageMagick
1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password
1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time
1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time
02:30 - Start talking about how the vulnerability works
04:00 - The POC String to identify if a box is vulnerable, it doesn't actually exploit but quickly identifies if a vulnerable glibc is installed
05:45 - Important parts I wanted to point out in the technical writeup.
09:00 - Downloading a good POC written in python, then glancing over the code to make sure there isn't anything malicious
13:37 - Analyzing the exit shellcode manually in Ghidra to see it just exits with 0x66
18:50 - Analyzing the main shellcode in Ghidra, showing it does a lot more
21:50 - Putting the Shellcode into an elf binary, so we can analyze it with gdb
29:50 - Logging into HTB's TwoMillion machine to run this exploit
31:45 - Showing how to get the magic numbers incase your target is not supported. Disable ASLR then running the exploit
34:50 - Looking at how Elastic got lucky and detected this exploit with their default ruleset
36:00 - Looking at how CrowdSec detects it
36:55 - Looking at the more recent Elastic rules to see the more thorough check for this exploit
40:40 - Showing all the segfaults in /var/log/kern.log
Highlighted Links:
- Qualsys Blog Post: blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so
- Qualsys Tech Details: qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
- Exploit POC Tweet: twitter.com/bl4sty/status/1710634253518582047
- Elastic Initial Detection Tweet: twitter.com/RFGroenewoud/status/1709866613292282101
- Crowdsec Detection Tweet: twitter.com/Crowd_Security/status/1709959368467157244
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using Verbose with GRPCurl to get extra information which includes an JWT
16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite
19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)
21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box
24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it
26:00 - Finding a public POC and running it to exploit PyLoad
01:57 - Showing the trick and explaining why its important to understand the methodology behind finding the technique and not just the technique itself
03:50 - Going over the Flask App
05:45 - Showing Snyk highlighting the SQL Injection, then talking a little bit about Snyk and why it is awesome.
08:00 - Running the webserver and explaining why DEBUG mode should always be disabled
09:30 - Running SQLMap to inject into the URL Parameter
11:00 - Manually discovering the SQL Injection through good enumeration, and showing a Burpsuite URL Encoding Quirk
12:50 - SQLMap showed nothing, Run SQLMap again but this time make sure it starts with a valid result to see it does find something
13:20 - Going into the code to show why exploitation is hard, I'm using Pydantic to do strict typing and input filtering
17:36 - Showing how SQLMap discovered there were 4 columns without using a comma, thanks to the ORDER BY method
18:55 - Enumerating for bad characters with FFUF by putting characters after the SQL Comment
21:30 - Showing SQLFiddle, which is a great way to play and test SQL Queries
24:05 - Eliminating comma's from the Union Injection with (select * from (select 1) as a join (select 2) as b)
26:00 - Testing the SQL Injection against our web application
28:55 - Securing the code and fixing the SQL Injection via prepared statement
31:30 - Showcasing Github Copilot Chat to help fix our code
35:00 - Fixing a XSS Issue, then rerunning Snyk to show all vulnerabilities are fixed
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see what it does
07:30 - Making sense of how the sitebuilder works
14:20 - Examining the source code, discovering a file disclosure
24:00 - Creating a python script to automate the File Disclosure
48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to
55:00 - Looking at how the site adds a pro license to users
58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user
1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is
1:08:48 - Uploading a PHP Script to get code execution
1:13:55 - Dumping the REDIS Database and getting cooper's password
1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 - Testing our DLL from our windows computer
13:30 - Creating the malicious Windows Theme
17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box
19:20 - Updating the IP Address in our DLL and then getting a shell
22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box
23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 2023
26:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root
32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running with PHP Enabled, then running gobuster
13:00 - Attacking the file download and discovering File Disclosure
15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent
19:30 - Automating the File Disclosure by creating a python script
24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS
30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us
34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset
39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us
42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password
50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946.
1:08:50 - sbrown can run clamscan in debug mode as root
1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)
1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver has this capability is interesting
14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a Bash Function so its easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3.
30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong
31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout
14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times
25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it
35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat
40:15 - Using Frida to disable TLS Certificate Pinning on Flutter
45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request
49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website
58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password
1:04:45 - Logging into the docs, gaining access to the API and finding an LFI
1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI
1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution
1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets
1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code
1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with
2:11:10 - Explioting the CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)
01:02 - Start of nmap
01:50 - Discovering Cacti version and finding a vulnerability
03:50 - Sending the payload from the description, discovering we need to set the X-FORWARDED-FOR
05:00 - Incrementing Host_ID and Local_Data_Ids and discovering different output
06:15 - Discovering with local_data_ids set to 6 and host_id set to 1, we can get code execution
06:50 - Showing the python exploit and showing it blindly spray, looking at the Metasploit module for some more info
10:40 - Getting a reverse shell
11:30 - Using Script to set up our PTY since python is not installed
13:40 - Connecting to the MySQL Database and then cracking passwords
18:25 - SSH into the box with Marcus and discovering mail on the box
20:20 - Discovering Docker is old and vulnerable to CVE-2021-41091
21:55 - Looking at the docker overlayfs directories, discovering we can go in them, finding the web container
23:10 - Using CapSH to escalate privileges on our docker container so we can make Bash a SetUID Binary
24:50 - Executing bash -p to get root
01:00 - Start of nmap
03:20 - Discovering beta.only4you.htb
03:55 - Downloading the source, scanning with Snyk and discovering a File Disclosure vuln
05:15 - Demonstrating that os.path.join in python will do unexpected things if a path begins with slash
07:30 - Failing to get /proc/self/environ, not sure why we failed here
09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the File Disclosure Vuln to leak source of main website
11:15 - Discovering a vulnerability when sending mail
12:10 - Talking about how we will bypass the bad character check, the Re.Match will only match the start, not entire string
16:10 - Getting code execution from the contact form
18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost
22:30 - Uploading Chisel so we can access ports 3000 and 8001
25:40 - Start of Neo4j Injection, discovering we are in a contains statement
30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band
32:25 - Leaking the labels, then grabbing users and hashes
38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off GOGS
40:25 - Creating a malicious python package for us to download, then uploading to gogs
44:10 - Showing that the pip download command will execute setup.py and getting root
01:00 - Start of nmap, discovering two different OS's
02:30 - Running Gobuster to bruteforce VHOST
03:30 - Discovering XSS but nothing we can really do with it
04:00 - Enumerating Gitea, discovering a repo with some source code
05:40 - Opening the code with VS Code and Snyk. Discovering a RCE Vulnerability but requires login
07:30 - Discovering an EAR (Execute After Read) Vulnerability on Authentication
09:10 - Start of building our Javascript payload to exploit NoSQL Injection, download the internal page
12:40 - Explaining the NoSQL Injection, then testing with a login bypass
16:30 - Discovering what happens on invalid logins
20:40 - Getting the length of the password
25:30 - Bruteforcing the password with boolean logic
30:00 - Logging in via ssh with the credentials we got from the nosql injection, looking at the local linux mail to get 2FA Link
33:20 - Logged into the dashboard, can hit the RCE Endpoint now to get a shell as www-data which gets us matthews creds
40:20 - Discovering a keepass file, running PS enough we can see KPCLI Runs
41:30 - Running STRACE against KPCLI to intercept syscalls
42:40 - Specifying we only want to see READS, and can intercept keys sent to KeePass and get the password
46:10 - Going into the Mongo docker container and running mongodump to dump all the users
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root