HackTheBox - Bighead


00:01:10 - Start of Nmap
00:04:45 - Pulling important information from the website
00:06:00 - Discovering DNS names, adding them to /etc/hosts
00:18:30 - Odd behavior with code.bighead.htb: it redirects us to 127.0.0.1; change that with Burp
00:23:50 - Using wfuzz to dirbust, with the ability to see HTTP codes (hunting for 418)
00:27:00 - Found the BigHead web server on GitHub, pulling zips and cracking
00:36:40 - Before reversing the binary, keep hunting for information about the OS
00:43:40 - Discovering phpinfo within the phpMyAdmin directory, which has the OS
00:46:00 - Installing Immunity Debugger and Mona
00:47:30 - Grabbing MinGW so we can run the BigHead web server
00:55:40 - Crashing the webserver, seeing we have
01:00:00 - Sending a pattern to the box and examining the stack to see where our overwrites are
01:06:15 - Validating we know where all our overwrites are (EAX, EBX, EIP, ESP)
01:10:06 - Explanation of egghunters
01:16:05 - Grabbing the shellcode we want, then adding it to our exploit script
01:24:50 - Validating our exploit is working as we intended by setting a breakpoint on JMP ESP
01:27:00 - Our box complains about DEP; let's disable that on our OS and hope it's disabled on the target
01:30:00 - Running the exploit against the target and getting a shell back!
01:35:00 - Searching the registry (HKLM) for "password"
01:37:00 - Dumping information about services on the box (HKLM\System\CurrentControlSet\Services)
01:38:15 - Discovery of the NGINX password, then looking at ports listening on localhost
01:41:08 - Found SSH listening on 127.0.0.1:2020, setting up a reverse tunnel with Chisel
01:45:10 - SSH into nginx@Bighead over port 2020, landing in an extremely restricted shell
01:50:30 - Searching for vulnerable PHP code, discovering TestLink
02:02:55 - Exploiting an LFI vulnerability
02:07:00 - Using netcat to get a reverse shell
02:16:10 - Looking at the KeePass configuration file to see where the KDBX and key file are
02:18:55 - A bunch of pain trying to get data off the alternate data stream
02:31:30 - Finally got the KDBX back to my box, then cracking the KeePass file
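The pattern step at 01:00:00 and 01:06:15 (send a cyclic pattern, crash, read the registers, map each register back to an offset in the payload) is the part of the exploit a practitioner most often re-implements by hand when Metasploit's pattern_create/pattern_offset are not around. The following is an added Python example, not code from the video or from the BigHead project; it reproduces the same Metasploit-style cyclic pattern (upper, lower, digit triples) and resolves either a register value such as EIP=0x41336141 or a four-character fragment copied from a stack dump to its offset. The sample crash values below are constructed for illustration and are not the real ones from the box.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGIT = string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3  # 20280 bytes before it repeats


def pattern_create(length: int) -> str:
    """Build a non-repeating cyclic pattern (Aa0Aa1Aa2...) of the requested length.

    Every 3-byte window is unique within the first 20280 bytes, so any 4 bytes
    that land in a register identify one position in the payload.
    """
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes is no longer unique")
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(needle, length: int = MAX_PATTERN):
    """Return the offset into the pattern of a crash artifact, or None if absent.

    `needle` may be an int read from a 32-bit register (e.g. EIP=0x41336141),
    which is unpacked little-endian to recover the bytes as they sat in memory,
    or a str/bytes fragment copied straight out of a stack dump.
    """
    if isinstance(needle, int):
        needle = struct.pack("<I", needle).decode("ascii", errors="replace")
    elif isinstance(needle, bytes):
        needle = needle.decode("ascii", errors="replace")
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def overwrite_offsets(registers: dict, length: int = MAX_PATTERN) -> dict:
    """Map a dict of register name -> value to register name -> payload offset.

    This is the bookkeeping from the 01:06:15 step: once EAX/EBX/EIP/ESP are
    all accounted for, the exploit knows where to place the return address,
    where ESP points inside the buffer, and which bytes the egghunter can use.
    """
    return {name: pattern_offset(val, length) for name, val in registers.items()}


if __name__ == "__main__":
    # Constructed sample crash state (hypothetical values, not from the target):
    # EIP was overwritten with "Aa3A" read little-endian, ESP points at "Aa5A".
    crash = {"EIP": 0x41336141, "ESP": b"Aa5Aa6Aa7A"}
    print(pattern_create(32))
    print(overwrite_offsets(crash))
```

Feed the pattern as the overflowing field, take the register values from Immunity or Mona after the crash, and confirm the result by replacing the bytes at the reported offset with a marker such as `BBBB` before trusting the offsets for the JMP ESP return address.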

Reviewed by Anonymous on May 04, 2019. Rating: 5