HackTheBox - Jarvis


01:00 - Begin of Recon
02:30 - Running Gobuster and examining the web page
05:10 - room.php is the only page that accepts user input; basic testing for SQL injection
05:40 - Using wfuzz to fuzz for special characters, then getting our IP banned :(
10:00 - Unbanned, running wfuzz again and examining unique responses
13:00 - Showing several ways to test for SQL Injection (subtraction and hex())
16:30 - Examining the MySQL Query Structure
17:30 - Explaining Union Injection
21:15 - Nested queries with union statements
23:20 - Extracting information out of Information_Schema to databases, tables, columns
24:08 - Using LIMIT to ensure only one row is returned
25:25 - Using GROUP_CONCAT to fold multiple rows into a single field so they fit in the UNION's one visible row
32:20 - Extracting MySQL users and password hashes from mysql.user, then cracking them with hashcat (mode 300)
35:10 - Another way to get the password, LOAD_FILE() to view PHP Source Code
42:30 - phpMyAdmin 4.8.0 RCE (LFI + tainted PHP session cookie)
57:40 - Dropping a shell via the phpMyAdmin exploit
59:30 - ALTERNATE way to get a shell: writing a file to disk from the SQL injection
01:03:52 - Examining the PHP Cookie to see what happened with the PHPMyAdmin stuff
01:05:45 - Examining the Python script we can execute as pepper with sudo
01:10:40 - We can execute code with $(), but there are bad characters in the filter, so we drop a bash script to disk and call it instead
01:15:00 - Running find to look for setuid binaries, discover systemctl then check GTFO Bins
01:21:15 - Copying our systemctl scripts out of /tmp, then creating our malicious service
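The sudo segment at 01:05:45 and 01:10:40 is a blacklist failure: the script strips a few shell metacharacters but still hands the string to a shell, so $(...) command substitution goes through, and anything the blacklist does block can be staged in a script on disk and invoked from inside the substitution. The block below is an added example, not the box's script: the forbidden-character list is an illustrative assumption, and ping is replaced with echo so the example runs anywhere. It shows the vulnerable wrapper, the staged-payload workaround, and a hardened version that parses the target as an IP address and never touches a shell.

```python
import ipaddress
import os
import subprocess

# Assumption: an illustrative blacklist of the kind the walkthrough describes,
# not the actual filter from the box.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]


def ping_blacklist(target: str) -> str:
    """Deliberately vulnerable: blacklist a few characters, then build a
    command string that /bin/sh interprets (the os.system pattern).
    'ping -c 1' is replaced by echo so the example runs offline."""
    if any(bad in target for bad in FORBIDDEN):
        return "rejected"
    out = subprocess.run(["sh", "-c", f"echo pinging {target}"],
                         capture_output=True, text=True)
    return out.stdout.strip()


def staged_payload() -> str:
    """The video's workaround: characters the filter blocks (here ';' and '-')
    live in a script on disk, while the injected string itself stays clean.
    A relative filename keeps any '-' in the temp directory out of the payload."""
    script = "stage_payload_example.sh"  # constructed filename
    with open(script, "w") as fh:
        fh.write("echo stage-one; echo stage-two\n")
    try:
        return ping_blacklist(f"$(sh {script})")
    finally:
        os.unlink(script)


def ping_allowlist(target: str) -> str:
    """Hardened: accept only something that parses as an IP address, and pass
    an argv list so no shell ever sees the value."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "rejected"
    out = subprocess.run(["echo", "pinging", str(ip)],
                         capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    print(ping_blacklist("10.10.14.2"))            # normal use
    print(ping_blacklist("$(echo INJECTED)"))      # passes the blacklist, executes
    print(staged_payload())                        # blocked characters via a script on disk
    print(ping_allowlist("$(echo INJECTED)"))      # rejected before any command runs
```

The allowlist version does not try to enumerate dangerous characters at all: validation answers "is this an IP address?" and execution uses an argument vector, so there is no parser left for the input to reach. When the script must stay sudo-able, that validation plus the absence of a shell is what actually closes the hole; extending the blacklist only invites the next bypass.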

Reviewed by Anonymous on November 09, 2019. Rating: 5