Here you can watch HackTheBox - Overflow for free or download it in the best available quality; the video was uploaded to YouTube. To download, choose an option from the form below:
00:00 - Intro
01:00 - Start of nmap
02:20 - Taking a look at the website
03:10 - Examining the AUTH cookie and talking about why it's unique
05:40 - Running FeroxBuster, talking about why I started using it
08:15 - Examining the length of the cookie with various usernames to discover that the cookie length changes
11:30 - Discovering the block size
12:30 - Modifying the cookie and getting an Invalid Padding error message, which indicates it may be vulnerable to a padding oracle
14:20 - Running padbuster to perform the padding oracle attack and decrypt the cookie, then creating a new cookie changing our username
19:30 - Changing our cookie to the forged one and logging into the application as Administrator
21:05 - Finding an SQL injection in the Logs endpoint, using SQLMap to dump everything
29:15 - Going over the SQLMap history files to view previously dumped data, so we don't have to make more requests to the server
33:00 - Cannot crack the MD5s in the database; downloading the CMS Made Simple source and doing some quick code review to find out all MD5s have a static salt
42:30 - Cracking the salted MD5 password of the editor user with hashcat
45:10 - Going to devbuild-job.overflow.htb and discovering there's a resume upload
49:00 - Uploading a JPEG results in the server giving us the ExifTool version; finding CVE-2021-22204, which is an exploit against ExifTool to run commands. Getting a shell
54:00 - Reverse shell returned, getting the developer's password and using SSH to log in as them
56:35 - Using find to list files owned by developer
59:20 - Hunting for files owned by tester and discovering commontask.sh, which we can exploit because we have write access to /etc/hosts
1:02:55 - Shell as tester
1:04:25 - Talking about extended attributes, using getfacl to show them
1:06:00 - Discovering a SetUID file; every time we run it, it prompts for the same PIN code. Copying it to our local box and seeing if the PIN code is the same
1:08:00 - Analyzing the binary in Ghidra to discover there is no srand(), so the seed is always 1 for rand()
1:11:30 - Discovering the PIN code by setting a breakpoint on the check in gdb
1:14:30 - Discovering the buffer overflow within the decompiled source, then using pattern_create to find where we overwrite EIP
1:16:30 - Looking at functions to set EIP to via ROP; finding the Encrypt function
1:21:00 - Discovering a timing attack in the encrypt function which lets us read any file
1:24:30 - Trying to perform the timing attack by replacing a file with a symlink
1:27:00 - Apparently we cannot just use /tmp/ for this exploit; we need to be in a directory. Performing the attack and getting root