HackTheBox - Smasher2


00:58 - Begin of Recon
02:30 - Using Wireshark to see why Nmap said HTTP 403
06:15 - Running GoBuster to identify /backup
07:05 - Performing a DNS Zone Transfer with dig axfr
08:50 - Manually playing with the login form to hunt for SQL Injection
10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with Ghidra
16:42 - Examining /auth endpoint
18:10 - Examining ses.so in Ghidra
20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code
30:00 - Examining get_internal_usr and pwd to discover the bug
33:20 - Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier
36:50 - First time attaching the debugger - Seg faults for some reason.
38:30 - Attaching the debugger again, this time it works. Explaining important registers
39:00 - Stepping through the code trying to make sense of registers. This part may not make sense.
51:50 - Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works
54:25 - Getting command execution
55:50 - Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters
56:50 - Configuring Burp to have a hotkey to "Issue Repeater Request" so we don't have to click send
57:18 - Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}
1:01:00 - Getting a reverse shell, then upgrading to an SSH terminal by dropping an SSH key
1:05:05 - Running LinPEAS to identify paths to privesc
1:09:10 - Downloading the custom Linux Kernel Module: DHID then examine in Ghidra
1:12:00 - Looking at Snowscan's blog to test the dev_read function
1:14:15 - Looking at the dev_mmap call
1:15:20 - Looking at the MWR Labs paper on insecure mmap use in kernel modules
1:16:30 - Explaining what we are going to do - Rewrite credentials in memory
1:19:20 - Going over the first MMAP Call to map memory
1:21:05 - Setting an SSH config to make it easier to ssh and scp into Smasher2
1:26:00 - Searching for a credential structure in memory
1:31:20 - Running getuid to see if the cred structure we modified is ours; if not, set it back
1:34:00 - Setting capabilities and running bash upon getting root
1:36:10 - Showing what would have happened if we did not revert the credentials back to the original

Reviewed by Anonymous on December 28, 2019