Here you can watch Can You Hack It - Smasher - Hackthebox.eu or download it in the best available quality; the video was uploaded to YouTube.
This week's video is on Smasher, a Linux system from hackthebox.eu. This one was one of the tougher boxes I have done on this site. It starts out with a web server that has lackluster security and a buffer overflow. We start out trying to use a traditional buffer overflow with the payload on the stack; then, due to ASLR being on and the system being x64, we have to move on to a ret2libc-style overflow instead. Once on the system we discover a service listening on a port which wants us to submit a payload encrypted with AES, which, when tested, shows it is vulnerable to a padding oracle attack. Once complete we get the password for the user account, get the flag and move on to exploiting a binary that is used to get the root flag. This one has a buffer overflow which doesn't appear to be exploitable, so we have to move on to a race condition it has which allows us to swap a file for another file (using symlinks in this case) between the time it checks and the time it uses it, a.k.a. a TOCTOU vulnerability. This one is a very long video, so please feel free to use the links below to skip to sections that interest you.
Learning material on padding oracle attacks:
• 7 6 CBC padding attacks 14 min

Video chapters:
0:00:00 - Video intro
0:00:10 - Overview of the box
0:01:35 - Start of box
0:01:50 - Nmap (shows port 1111 and 22 open)
0:03:55 - Start gofuzz enumeration (fails because web server very slow)
0:05:00 - Looking at tiny web server source code on GitHub
0:06:45 - Manual testing with Burp (discover directory traversal)
0:08:10 - Manual system exploration through browser
0:14:00 - Download web server binary 'tiny' from smasher
0:15:00 - Checking for buffer overflows in 'tiny'
0:17:10 - Checking 'tiny' binary for security features
0:20:00 - Modifying tiny.c to remove threading for easy debug
0:20:15 - Phase 1: Getting remote code execution through buffer overflow
0:29:20 - Phase 1: Finding offset to control instruction pointer
0:34:45 - Phase 1: Attempting to build a traditional overflow with code on stack (fails)
0:46:00 - Phase 1: Manually finding bad characters
0:57:30 - Phase 1: Generating shellcode with msfvenom excluding bad chars
1:05:45 - Phase 1: Building a payload using a ret2libc overflow (worked)
2:14:36 - Phase 1: Get ssh session as www user
2:18:20 - Phase 2: Enumeration
2:21:10 - Phase 2: Discovery of padding oracle attack
2:22:45 - Phase 2: Creating script to decrypt using padding oracle
2:30:00 - Phase 2: Decrypting using the padding oracle
2:31:00 - Phase 3: Logging in as user smasher / getting user flag
2:32:51 - Phase 3: Reversing 'checker' in Hopper
2:43:15 - Phase 3: Attempting to overflow 'checker' buffer (fail)
2:48:30 - Phase 3: Discovering TOCTOU in 'checker'
2:51:00 - Phase 3: Getting root flag by exploiting race condition in 'checker' (after some mistakes)
2:57:30 - Box complete
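The Phase 2 step above (writing a script that decrypts a CBC ciphertext through a padding oracle) is the part most worth seeing in code. The block below is an added example written for this page; it is not the script from the video and not the service on the box. It assumes a local oracle (a Python closure that returns True when PKCS#7 unpadding succeeds) standing in for the network service on the box, a constructed sample secret, and, so that it runs offline without a crypto library, a small keyed Feistel permutation built on SHA-256 in place of AES. The attack itself only depends on CBC chaining and on the valid/invalid padding answer, so the `attack_block` and `padding_oracle_decrypt` functions are unchanged for an AES-CBC target; only the oracle would become a network call.

```python
"""Padding-oracle decryption of a CBC ciphertext against a local stand-in oracle.
The block cipher is a keyed Feistel permutation on SHA-256 (an assumption made so
the file runs offline; it is NOT AES). The attack code is the same for AES-CBC:
only oracle() would be replaced by a request to the vulnerable service."""
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed 8-byte digest
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):  # strict PKCS#7 check; the ValueError is exactly what the oracle leaks
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return out

def attack_block(oracle, prev, target):
    """Recover the plaintext of `target` given the block before it (the IV for the
    first block). oracle(iv, block) -> True iff the service accepts the padding."""
    inter = bytearray(BLOCK)              # D_k(target), learned one byte at a time
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # known bytes forced to decrypt to pad_val
            forged[j] = inter[j] ^ pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte may be a longer padding (e.g. 02 02) by
                # chance; disturb the byte to its left and re-query. Only ..01 survives.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted a value for byte %d" % pos)
    return xor(bytes(inter), prev)

def padding_oracle_decrypt(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(attack_block(oracle, p, c) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)

def demo(secret):
    """Encrypt `secret` under a key the attacker never sees, expose only a padding
    oracle, and recover the plaintext. Returns (plaintext, number of oracle queries)."""
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pad(secret))
    queries = [0]

    def oracle(iv_, block):               # hypothetical stand-in for the service on the box
        queries[0] += 1
        try:
            unpad(cbc_decrypt(key, iv_, block))
            return True
        except ValueError:
            return False

    return padding_oracle_decrypt(oracle, iv, ct), queries[0]

if __name__ == "__main__":
    pt, n = demo(b"constructed sample secret, not the box's password")
    print(pt, "recovered with", n, "oracle queries")
```

Each plaintext byte costs at most 256 queries (plus two extra for the last byte of a block, where a chance hit on a longer padding has to be ruled out), so a two-block ciphertext needs under 8,200 queries; against a slow service like the one on this box that is what makes the script, rather than manual testing, necessary.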