HackTheBox - Scavenger


01:30 - Beginning of Recon
05:50 - Discovering an SQL Injection inside of the WhoIs Service
07:20 - Identifying we can perform DNS Zone Transfers with dig axfr (aquatone is the application I mention to take screenshots)
12:10 - Explaining the SQL Union Injection
16:30 - Dumping information out of Information_Schema via the SQL Union Injection
23:05 - Dumping hostnames out of the whois database via the SQL Union Injection
28:45 - Discovering the pwned website, discovering shell.php with GoBuster
31:45 - Using wget to get the date the webserver was defaced
33:00 - Using wfuzz to find the hidden parameter the attacker's shell used; then we have code execution on the machine.
39:15 - Using find with -newermt to identify what happened around the time the attacker pwned the box
46:00 - Discovering a mail file that has some credentials for an FTP user
49:17 - Using grep/awk to find the hacker in the Apache access logs
51:44 - Searching Wireshark to pull the attacker's POST request to recover more credentials and the files the attacker uploaded to the server.
55:05 - Analyzing the root.c kernel module
56:00 - Testing the kernel rootkit didn't work over HTTP; let's get a forward shell and try it there.
01:02:22 - Testing passwords to gain access to ib01c01, which has the compiled kernel rootkit (root.ko)
01:05:20 - Analyzing root.ko in Ghidra to discover some slight changes to the root.c source code.
01:09:20 - Sending g3tPr1v to /dev/ttyR0 to activate the rootkit and switch to root
01:10:02 - Testing nc with a source port of 20 to verify our assumption that only root can do this
01:11:50 - Creating a PHP script to act as middleware between SQLMap and the WhoIs port and allow us to use SQLMap to dump the database
01:22:20 - Manually installing Zeek (formerly known as Bro) to analyze the pcap.
01:25:50 - Zeek has been installed, running it against the pcap with -Cr to ignore checksum errors
01:26:42 - Showing how to manually analyze Zeek logs with less -S and zeek-cut
01:31:50 - Installing zkg, which is the Zeek package manager, then installing the ja3 and http-post modules to extract SSL signatures and HTTP POST data
01:36:20 - Running Zeek again with the modules, identifying the HTTP attack used (Google: "prestashop mail proxycommand exploit" to find the exploit the attacker used)

Reviewed by Anonymous on February 29, 2020. Rating: 5