HackTheBox - Ellingson


01:12 - Begin of recon, examining website seeing the "Hackers" Theme
04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)
05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code
06:00 - Testing if we can connect back to our host with ping or curl (cannot)
08:00 - Dropping a SSH Key via python since we cannot reverse shell
13:00 - SSH into the box as the HAL User and clean up the authorized_key file
13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it
21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)
22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it
24:20 - Using Ghidra to verify we are not missing any functionality
27:30 - Using find to discover what files the adm group is an owner of
28:30 - Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup
31:30 - Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)
35:30 - Using Ghidra to discover the hardcoded password in the garbage binary
37:00 - Exploring the binary, using Ghidra to see if there are any hidden menu options
41:30 - Installing GDB Enhanced Features (GEF) and pwntools for python3
44:20 - Poorly explaining leaking memory addresses by creating a ROP Chain with puts
48:50 - Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)
49:20 - Using pattern create and offset/search within gef to RSP Overwrite Location
51:30 - Using ropper to discover a pop rdi gadget
53:40 - Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak.
01:06:30 - Using Readelf to get important locations in libc and strings to get location of /bin/sh. Then performing all the calculations based upon memory leak
01:15:41 - Putting it all togather to create a gadget chain to get a shell
01:20:00 - Replacing libc memory locations with the ones installed on ellingson
01:22:30 - Running the exploit, getting a root shell, then documenting the code

HackTheBox - Ellingson HackTheBox - Ellingson Reviewed by Unknown on October 19, 2019 Rating: 5