HackTheBox - Drive
00:00 - Introduction
01:00 - Start of nmap
02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django
07:50 - Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but not view the ID itself
14:00 - Accidentally deleting something important when FUZZING, always be careful of what you are doing with tools
16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into the server
23:00 - Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an old commit that has the password to decrypt backups
32:00 - Logging into the box as Tom, discovering the DoodleGrive Binary, opening it up in Ghidra
38:45 - Looking at the Sanitize_String command, to see what characters we cannot use
41:40 - Exploiting DoodleGrive via SQL Injection with the EDIT command, this is easy to exploit because SetUID's preserve environment variables
47:40 - Got root, our path is messed up which makes the shell hard to use, however fixing the path is easy
50:45 - Exploiting DoodleGrive via LOAD_EXTENSION, by dropping a library and using char() to avoid the sanitize string function
54:00 - Our SQL Extension C Code
1:02:36 - Failing to use WriteFile() guessing this is because of the size of our input, may incorrectly say buffer overflow here.
1:16:20 - Exploit DoodleGrive via Binary Exploitation! Explaining the Overflow and Format String Vulnerability we will use
1:19:30 - Creating a python script to find where the Canary exists in memory via the Format String Exploit (%i$lx)
1:23:30 - Proving this is the canary by stepping through the program in GDB use $fs_base to examing fs
1:25:30 - Finding where we can overwrite the canary with pattern create
1:27:55 - Creating a python script to exploit this binary
1:43:40 - Converting our pwntools script to use SSH so we can exploit the binary on the target
Watch video HackTheBox - Drive online, duration hours minute second in high quality that is uploaded to the channel IppSec 17 February 2024. Share the link to the video on social media so that your subscribers and friends will also watch this video. This video clip has been viewed 11,308 times and liked it 291 visitors.
