HackTheBox - Traverxec

01:00 - Running nmap against the box; port 80 is running an unusual webserver (nostromo)
03:00 - Let's check out the website before we throw any exploits
06:37 - Launching Metasploit and exploiting Nostromo, but sending the exploit through Burp Suite to see what it is doing
10:34 - Code execution worked; for some reason the proxies command didn't work the first time
11:18 - Explaining why the script does a GET request before throwing an exploit (exploit verification)
13:40 - Editing the payload to send a Bash Reverse Shell
15:40 - Running LinPEAS
17:20 - Running LinEnum in Thorough mode
19:22 - Going over LinPEAS Output
22:16 - Going over LinEnum Output
23:00 - Discovering a HTPASSWD Password, then using hashcat to crack it
26:45 - Looking at the HTTP Configuration file to discover public_www directory in home directories
27:30 - Explaining Linux Permissions on Directories and why we can do a ls in /home/david/public_www but not /home/david/
29:50 - Discovering an encrypted SSH key for David in public_www, downloading the file via netcat, then cracking the key's passphrase with sshng2john.py and John
34:50 - SSH into the box as David
35:20 - Discovering David can sudo journalctl
37:10 - Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo
38:00 - Privesc by removing the pipe and then running !bash. Explaining why this works by tracing parent processes to see that journalctl is just executing pager, which is symlinked to less
40:50 - Comparing the Directory traversal exploits (MSF and non-MSF) to see a weird bug adding %0d bypassed the /../ whitelist check
49:30 - Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked.
50:27 - Using find and grep to md5sum all the files to figure out what has changed.
53:26 - Using diff to compare two files

Reviewed by Anonymous on April 11, 2020. Rating: 5