HackTheBox - Gofer

00:00 - Introduction
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then running gobuster with the method set to POST
11:55 - Finding an SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool
21:30 - Sending an SMTP request via gopher to send an email with a link to a malicious file
27:55 - Making an ODT document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing that TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (both USER and NOTE now point to the same point in memory)
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
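
The defensive side of the 11:55 and 16:40 chapters, as an added example that is not from the video or the box: a fetch-URL check for a proxy that allows only http/https and canonicalizes the host before testing it, so hex, decimal and short-form spellings of loopback are all caught. The function names, the injectable resolve parameter and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # gopher, file, ftp, dict, ... are refused


def canonical_ip(host):
    """Parse any IP literal the C library would accept; None for a real hostname."""
    try:
        # inet_aton also accepts 0x7f000001, 2130706433, 0177.0.0.1 and 127.1
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals such as ::1
    except ValueError:
        return None


def check_url(url, resolve=socket.getaddrinfo):
    """Return (allowed, reason) for a URL the proxy has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = canonical_ip(host)
    try:
        addrs = [ip] if ip is not None else [
            ipaddress.ip_address(a[4][0]) for a in resolve(host, None)]
    except (OSError, ValueError):
        return False, "host does not resolve"
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:127.0.0.1
        if not addr.is_global:
            return False, f"internal address {addr}"
    return True, "ok"


# Constructed inputs: four spellings of loopback plus a non-HTTP scheme.
SAMPLES = ["http://127.0.0.1/", "http://0x7f000001/", "http://2130706433/",
           "http://127.1/", "gopher://example.test/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_url(u))
```

The fetch itself has to connect to the address that was validated here, and every redirect has to go through the same check, otherwise a second DNS answer or a 30x response can still point the proxy inward.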

Comments: 28

  • @boogieman97
    7 months ago

    This one was done very very well! Outstanding explanations !!

  • @ippsec
    7 months ago

    Thanks, glad you liked it. The use after free explanation make sense?

  • @boogieman97
    7 months ago

    @ippsec I was already aware of it. But you did a great job explaining it.

  • @WatsonGT
    7 months ago

    Great video! Thanks for taking the time to explain your thought process in detail, learned a lot.

  • @nirzaaa
    7 months ago

    Two things I found interesting so far: When examining the documentation, it seems important to have a newline between the 'Subject' field and the message body (which I did and it worked). However, in the video, it worked without it: A blank line is needed between the 'Subject' field and the message body. I attempted to establish a reverse shell on port 22 since I found this port open during the initial scan. Unfortunately, I couldn't get a reverse shell. I then changed to some other random port, and it worked. Maybe it was a mistake on my end, so I will certainly try again :)

  • @extravenger9137
    7 months ago

    hey ipp, what keyboard r u using if i may ask?

  • @yuyu-ce4fz
    7 months ago

    Nice box

  • @AUBCodeII
    7 months ago

    Common IppSec phrases: What's going on, KZread, this is IppSec, and we're doing X from Hack The Box As always we start with nmap so -sC for default scripts, -sV for enumerate version, -oA to output all formats This may take some time to run so I've already ran it Please subscribe Shoot I did not have Ipp relations with that woman There we go Hey, at least I'm not drinking, Brian Hope you guys enjoyed the video, take care, and I will see you all next time

  • @sl4x0
    7 months ago

    Let's Seee! 😂

  • @72.849
    7 months ago

    looking at the results, we see x ports open, the first one being ssh on port 22, and we can see.... @sl4x0

  • @FMisi
    7 months ago

    crap

  • @ominousSHELL
    7 months ago

    Ippsec, do you plan on making HTB Battlegrounds content?

  • @ippsec
    7 months ago

    If I ever went back to streaming too and became consistent, I may do some. But no plans on that.

  • @ominousSHELL
    7 months ago

    @ippsec Okay.

  • @tg7943
    7 months ago

    Push!

  • @heapbytes
    7 months ago

    ok so why telnet smtp mail ??? i didn't get this :(

  • @ippsec
    7 months ago

    When a program sends mail to SMTP, it is just opening a socket to the SMTP Port and writing the strings shown in this video. Since with Gopher we can write strings to a socket we can use it to send SMTP Commands which end up sending an email.

  • @Hashghost21
    7 months ago

    It will be good if you will teach us binary exploitation and RE

  • @teststudent5032
    7 months ago

    33 seconds after publishing 🙂

  • @qgames18
    7 months ago

    On Debian there by default is no sudo installed.

  • @Heisenberg696
    7 months ago

    why don't you make a course that would be great

  • @ippsec
    7 months ago

    There is, it's ippsec.rocks. There is no syllabus but IMO the most important part in this field is being able to identify what you need to search for and learn as you go.

  • @Heisenberg696
    7 months ago

    @ippsec i didn't get the 16:40 part if someone can explain whole part

  • @ippsec
    7 months ago

    @Heisenberg696 go to Ippsec.rocks, type in “ip encode” and you’ll see the first time I explain it (holiday video). The first time I explain something I generally go into more detail

  • @Sudo_Y3L
    7 months ago

    Fantastic video! I really appreciate your thorough explanation of your thought process. I gained a lot of valuable insights.