HackTheBox - Obscurity


00:00 - Intro
01:03 - Quick rant about Security through Obscurity and why it can be good
02:30 - Beginning the nmap scan of the box
06:30 - Checking out the webpage, GoBuster giving weird errors, try WFUZZ
12:05 - Taking a deeper look at the website while we have some recon running
17:45 - Wfuzz found nothing hunting for /$directory/SuperSecureServer.py
18:00 - Doing some Directory Traversal attempts against the webserver, and seeing that it looks vulnerable
20:50 - Extracting the source code to the webserver by specifying /../SuperSecureServer.py
23:30 - Installing VS Code so we can run this webserver and insert breakpoints
28:20 - Creating main.py then running the code in VSCode
36:00 - Exploiting the exec() statement in the WebServer
39:00 - Explaining that we can't use + for spaces in the URL and have to use %20, then testing a reverse shell
45:00 - Reverse shell returned
46:50 - Turns out the intended way is to find the /develop/ directory. Looking into why wfuzz missed it
53:30 - Copying the SuperSecureCrypt files back to our local box, then reading the source
56:00 - Explaining modulus
59:45 - Explaining Known Plaintext Attack
01:03:35 - Having trouble deciphering arguments, typing out the arguments on decrypting the key
01:07:00 - Decrypting the PasswordReminder.txt
01:10:39 - Explaining Block Ciphers and how to protect against Known Plaintext
01:11:25 - Rant about Initialization Vectors (IV) and why repeating them is bad (WEP)
01:14:30 - Looking at the BetterSSH Source Code
01:17:10 - Explaining why we can overload the -u parameter of sudo
01:20:30 - Setting up a watch command to copy all files in /tmp/SSH to /dev/shm so we can crack them later
01:21:10 - Root #1: Exploiting BetterSSH via overloading parameters
01:25:20 - Root #2: Cracking the password

Reviewed by Anonymous on May 09, 2020 Rating: 5