HackTheBox - LaCasaDePapel


01:05 - Start of nmap
02:50 - Attempting to execute a VSFTPD Backdoor via MSF
03:40 - Discovering the backdoor opened 6200, discovering a weird shell
04:50 - Let's figure out what just happened
06:50 - Triggering the backdoor without Metasploit
09:05 - Exploring the Psy PHP Shell opened up by the backdoor
10:20 - Several functions for executing bash aren't working, checking disable_functions
11:40 - Attempting to bypass disable_functions (does not work)
12:50 - Using scandir() and file_get_contents() to explore the filesystem
14:50 - Identifying we are probably running as the Dali User (Unintended Path)
17:00 - Downloading CA.KEY, which is a private key to a webserver
21:40 - Using the CA.KEY to generate client certificates to access the HTTPS Page
30:25 - Weird, it didn't work; let's just verify all our certificates are good
32:28 - This time it worked! We connected to the server
33:20 - Failing to add the certificate to BurpSuite
33:50 - Discovering File Traversal by editing the PATH variable
36:38 - Discovering the LFI just puts the path as Base64 Encoded
37:15 - Using the LFI to download the SSH Private Key
38:45 - Testing SSH Key against users on the box to gain access!
39:13 - UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell
40:30 - UNINTENDED: Using file_put_contents() to append our public key to authorized_keys
41:30 - UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)
42:30 - UNINTENDED: Scanning ports on Dali that are listening on LocalHost
43:08 - UNINTENDED: Port 8000 is open, and it's one step after the Reverse_Proxy that performs SSL Authentication!
45:35 - Running PSPY and LinEnum
50:20 - Using PSPY to view FileSystem Events which will show the cron
52:30 - Taking control of ~/memcached.ini because we own the folder!
54:45 - Exploiting the cron that utilizes memcached.ini to get a root shell
-- Bonus
55:55 - Exploring how the SSL Authentication is working
60:00 - Exploring how the VSFTPD Backdoor was modified.

Reviewed by Anonymous on July 27, 2019 Rating: 5