HackTheBox - Gofer
00:00 - Introduction
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then running gobuster with the method set to POST
11:55 - Finding an SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP address in hex, then showing why gopher requests are cool
21:30 - Sending an SMTP request via gopher to send an email with a link to a malicious file
27:55 - Making an ODT document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing that TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (both USER and NOTE now point to the same point in memory)
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
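
The 11:55 and 16:40 steps depend on two gaps in the proxy: the URL scheme is not restricted, and the blacklist compares the host as text, so a hex-encoded form of 127.0.0.1 passes. The following is an added example of the defensive counterpart, not code from the video or the box: a server-side check that allows only web schemes and canonicalizes the host before testing it. The names `check_url`, `canonical_ip`, `system_resolve` and the stub resolver are hypothetical, and the sample URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the proxy only needs web fetches


def canonical_ip(host):
    """Return the address `host` denotes if it is an IP literal in any form, else None."""
    try:
        # inet_aton accepts hex (0x7f000001), octal, integer and short (127.1) forms
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals
    except ValueError:
        return None  # not a literal: treat as a DNS name


def system_resolve(host):
    """Default resolver: every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    ip = canonical_ip(host)
    try:
        addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:  # loopback, private, link-local, reserved
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the stub resolver keeps the demo offline.
    stub = lambda h: {"localhost": ["127.0.0.1"]}.get(h, ["8.8.8.8"])
    for u in ("http://127.0.0.1/", "http://0x7f000001/", "http://2130706433/",
              "http://localhost/", "gopher://0x7f000001:25/", "http://example.com/"):
        print(u, check_url(u, stub))
```

The check only helps if the fetcher then connects to the address that was vetted; resolving the name a second time at fetch time reopens the gap.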
Comments: 28
This one was done very very well! Outstanding explanations !!
@ippsec
7 months ago
Thanks, glad you liked it. The use after free explanation make sense?
@boogieman97
7 months ago
@@ippsec I was already aware of it. But you did a great job explaining it.
Great video! Thanks for taking the time to explain your thought process in detail, learned a lot.
Two things I found interesting so far: When examining the documentation, it seems important to have a newline between the 'Subject' field and the message body (which I did and it worked). However, in the video, it worked without it: A blank line is needed between the 'Subject' field and the message body. I attempted to establish a reverse shell on port 22 since I found this port open during the initial scan. Unfortunately, I couldn't get a reverse shell. I then changed to some other random port, and it worked. Maybe it was a mistake on my end, so I will certainly try again :)
hey ipp, what keyboard r u using if i may ask?
Nice box
Common IppSec phrases: What's going on, KZread, this is IppSec, and we're doing X from Hack The Box As always we start with nmap so -sC for default scripts, -sV for enumerate version, -oA to output all formats This may take some time to run so I've already ran it Please subscribe Shoot I did not have Ipp relations with that woman There we go Hey, at least I'm not drinking, Brian Hope you guys enjoyed the video, take care, and I will see you all next time
@sl4x0
7 months ago
Let's Seee! 😂
@72.849
7 months ago
looking at the results, we see x ports open, the first one being ssh on port 22, and we can see....@@sl4x0
@FMisi
7 months ago
crap
Ippsec, do you plan on making HTB Battlegrounds content?
@ippsec
7 months ago
If I ever went back to streaming too and became consistent, I may do some. But no plans on that.
@ominousSHELL
7 months ago
@@ippsec Okay.
Push!
ok so why telnet smtp mail ??? i didn't get this :(
@ippsec
7 months ago
When a program sends mail to SMTP, it is just opening a socket to the SMTP port and writing the strings shown in this video. Since with Gopher we can write strings to a socket, we can use it to send SMTP commands which end up sending an email.
It will be good if you will teach us binary exploitation and RE
33 seconds after publishing 🙂
On Debian there by default is no sudo installed.
why don't you make a course that would be great
@ippsec
7 months ago
There is, it's ippsec.rocks. There is no syllabus but IMO the most important part in this field is being able to identify what you need to search for and learn as you go.
@Heisenberg696
7 months ago
@@ippsec i didn't get the 16:40 part if someone can explain whole part
@ippsec
7 months ago
@@Heisenberg696 go to Ippsec.rocks, type in “ip encode” and you’ll see the first time I explain it (holiday video). The first time I explain something I generally go into more detail
Fantastic video! I really appreciate your thorough explanation of your thought process. I gained a lot of valuable insights.