HackTheBox - Writeup

01:04 - Start of recon, identifying a Debian box based upon banners
02:30 - Taking a look at the website, which has warnings about DoS-type attacks
03:17 - Discovering the /writeup/ directory in robots.txt
04:18 - Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple
05:15 - CMS Made Simple is an open-source product. Searching through the source code to discover a way to identify version information.
07:30 - Using SearchSploit to find an exploit
09:05 - Running the exploit script with a bad URL and triggering the server's anti-DoS protection
10:10 - Running the exploit script with the correct URL and analyzing the HTTP requests it makes via Wireshark to see how the SQL injection works
16:20 - Explaining how password salts work
19:00 - Using Hashcat to crack a salted MD5 hash
21:15 - Demonstrating the --username flag in Hashcat, which allows you to associate cracked passwords with users
24:14 - Start of low-priv shell, running LinEnum to discover we are a member of the staff group
27:58 - Using Google to see what the staff group can do (edit /usr/local/bin)
28:40 - Explaining path injection
29:40 - Using pspy to display all the processes that start on Linux, useful for finding cron jobs or short-running processes
31:58 - Running pspy to see that run-parts is called without an absolute path upon user login
33:13 - Performing the path injection by creating the file /usr/local/bin/run-parts, which will drop our SSH key

Reviewed by Anonymous on October 12, 2019. Rating: 5