HackTheBox - Networked

H3t3G70bakM/default.jpg

00:45 - Begin of recon
01:45 - Looking at the website, checking source, robots.txt, etc
02:30 - Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled
03:50 - Writing a simple PHP Code Execution script and trying to upload it
05:30 - Discovery of backup.tar, examining timestamps between downloading with wget/firefox
07:40 - Searching php scripts for superglobals as that will show user-input
11:10 - Explaining what magic bytes are
14:30 - Using PHP interactive mode to demonstrate what is happening
16:15 - Showing error codes are different based upon where image validation failed
17:30 - Uploading a malicious PHP Shell
18:40 - Navigating to our php shell and getting a reverse shell
21:40 - Reverse shell returned
23:40 - Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly
27:30 - Explaining the code execution vulnerability of creating a malicious file
28:30 - Creating the malicious file
31:57 - Shell returned as Guly, checking sudo list
33:09 - Examining the changename.sh script (guly can run it as root)
37:00 - Exploiting the script by inserting a command into a network configuration file
38:40 - Explaining why Apache executed PHP when files did not have the PHP Extension
39:08 - Checking php.conf to see it was user created
41:15 - Modifying php.conf to include "FilesMatch .php$", so it only executes php when the name ends in .php

H3t3G70bakM/default.jpg
HackTheBox - Networked HackTheBox - Networked Reviewed by Anonymous on November 16, 2019 Rating: 5