HackTheBox Attended

00:00 – Intro
01:15 – Showing a tmux keybinding to
03:06 – Setting up an IPTables rule to log new connections
05:00 – Using SWAKS to send an email
07:15 – Starting up a python SMTP Server so we can see the email coming back to us
12:23 – Finding a VIM RCE and verifying it works by using ping
16:25 – Testing a python2 web cradle within the VIM Exploit
20:00 – Explaining how our C2 is going to work and why what we are doing is unique
23:50 – Quick high level overview of the C2 Program we are creating
24:50 – Start coding the C2
34:20 – Demoing the C2 Keeping the HTTP Request alive until a command is sent
39:00 – Updating our Client/Implant to work with the new C2
41:45 – Updating the Web Cradle with our improved agent and getting a shell as Guly
44:10 – Discovering an SSH Config, updating it to put our web cradle in ProxyCommand to get shell as Freshness
59:15 – Start of analyzing the AuthKeys binary
1:09:10 – Installing OpenBSD
1:15:16 – Getting GEF on OpenBSD to help with reversing
1:17:30 – Back to analyzing the binary, examining the registers after Base64
1:22:10 – Using Pattern Create with a large string to crash the program and find out what registers we control
1:25:50 – Controlling RIP and dealing with an annoying python3 oddity that makes me use Python2
1:31:10 – Start of talking about ROP Chains and looking up the Execve Syscall information
1:32:39 – Comparing OpenBSD to Linux syscall numbers and realizing why Linux segfaulted (different codes!)
1:35:00 – Using Ropper to print gadgets
1:36:30 – Start of RAX Gadget, finding SHR and NOT
1:39:00 – Showing the start of base64 decode is hard coded at a memory address
1:40:52 – Explaining how to create any number with just the NOT and SHR instructions
1:48:10 – Start of RDI Gadget (movss and cvtss2si)
1:54:40 – Start of creating our exploit program and proving we can set RAX
2:04:15 – Adding the ability to set RDI which requires putting some data on the stack
2:13:30 – Explaining our writing to the stack
2:29:00 – Explaining the SSH Public Key Format/Algorithm and adding the header
2:42:10 – Having trouble with our format, generating a large SSH Key to steal its structure
2:40:00 – Switching out our webshell for a reverse shell because it's having weird issues…
3:02:00 – Crap… forgot to put a null byte on the reverse shell code; got a reverse shell
3:03:30 – Testing against our target to get a reverse shell. The C2 Web Cradle did not work because Requests was not installed.

by IppSec
