HackTheBox - Gofer
ฝัง
- เผยแพร่เมื่อ 29 มิ.ย. 2024
- 00:00 - Introduction
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then gobustering setting our method to POST
11:55 - Finding a SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool
21:30 - Sending a SMTP Request via gopher to send an email with a link to a malicious file
27:55 - Making a ODT Document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing the TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (Both USER and NOTE now point to the same point in memory
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
Great video! Thanks for taking the time to explain your thought process in detail, learned a lot.
This one was done very very well! Outstanding explanations !!
Thanks, glad you liked it. The use after free explanation make sense?
@@ippsec I was already aware of it. But you did a great job explaining it.
Two things I found interesting so far:
When examining the documentation, it seems important to have a newline between the 'Subject' field and the message body (which I did and it worked). However, in the video, it worked without it:
A blank line is needed between the 'Subject' field and the message body.
I attempted to establish a reverse shell on port 22 since I found this port open during the initial scan. Unfortunately, I couldn't get a reverse shell. I then changed to some other random port, and it worked. Maybe it was a mistake on my end, so I will certainly try again :)
Nice box
Common IppSec phrases:
What's going on, TH-cam, this is IppSec, and we're doing X from Hack The Box
As always we start with nmap so -sC for default scripts, -sV for enumerate version, -oA to output all formats
This may take some time to run so I've already ran it
Please subscribe
Shoot
I did not have Ipp relations with that woman
There we go
Hey, at least I'm not drinking, Brian
Hope you guys enjoyed the video, take care, and I will see you all next time
Let's Seee!
😂
looking at the resulsts, we see x ports open, the first one being ssh on port 22, and we can see....@@sl4x0
crap
hey ipp, what keyboard r u using if i may ask?
Push!
It will be good if you will teach us binary exploitation and RE
33 seconds after publishing 🙂
On Debian there by default is no sudo installed.
Ippsec, do you plan on making HTB Battlegrounds content?
If I ever went back to streaming too and became consistent, I may do some. But no plans on that.
@@ippsec Okay.
ok so why telnet smtp mail ??? i didn't get this :(
When a program sends mail to SMTP, it is just opening a socket to the SMTP Port and writing the strings showed in this video. Since with Gopher we can write strings to a socket we can use it to send SMTP Commands which end up sending an email.
why don't you make a course that would me great
There is, it's ippsec.rocks. There is no syllabus but IMO the most important part in this field is being able to identify what you need to search for and learn as you go.
@@ippsec i didn't get the 16:40 part if some can explain whole part
@@Heisenberg696 go to Ippsec.rocks, type in “ip encode” and you’ll see the first time I explain it (holiday video). The first time I explain something I generally go into more detail
Fantastic video! I really appreciate your thorough explanation of your thought process. I gained a lot of valuable insights.