Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Mettle/Meterpreter

00:00 - Intro
00:47 - Discovering a weird binary running in /tmp/ but it doesn't exist on disk
01:55 - Start of explaining dd copying things out of memory
02:30 - Reading maps to identify where the file is, showing how to convert hex to decimal in bash
04:00 - File extracted from memory
05:15 - Copying the heap from memory and discovering it is mettle/meterpreter based upon strings
06:55 - Showing we don't need to use DD to extract the file, can just use the "exe" file in proc/pid/
09:15 - Opening the elf in Ghidra and examining its decompiled output
12:00 - Showing what the file looks like in Cutter, which has a different decompile view
13:40 - Reading the Metasploit source code to identify what the stager should look like, to confirm our findings from reversing
16:00 - Using MSFVenom to generate our own stager in order to confirm this is indeed what we saw on the box and that we extracted it correctly
18:50 - Using GDB against the stager to just practice reversing
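The carving procedure from the 00:47 to 06:55 segments (spot the "(deleted)" mapping in /proc/PID/maps, convert its hex range to decimal, and dd that range out of /proc/PID/mem), written up as an added example script that is not from the video. It assumes Linux procfs, a POSIX sh whose arithmetic accepts 0x constants, and ptrace rights over the target pid; the maps line is a constructed sample.

```shell
#!/bin/sh
# Carve an in-memory-only mapping out of a live process with dd, driven by
# /proc/<pid>/maps. Constructed sample of the line we are after:
#   00600000-00621000 r-xp 00000000 08:01 4321   /tmp/sample (deleted)
# "(deleted)" means the backing file was unlinked after being mapped: the
# "runs from /tmp but is not on disk" situation from the video.

# Print the maps lines whose backing file no longer exists on disk.
deleted_mappings() {            # deleted_mappings /proc/<pid>/maps
    grep -F '(deleted)' "$1"
}

# Convert the hex "start-end" range of one maps line to "<start> <length>"
# in decimal, which is what dd's skip= and count= expect.
maps_region() {                 # maps_region "<maps line>"
    range=${1%% *}              # first field: start-end
    start=$((0x${range%-*}))    # shell arithmetic does the hex -> decimal
    end=$((0x${range#*-}))
    echo "$start $((end - start))"
}

# Build the dd command that copies that region out of /proc/<pid>/mem.
# Mappings are page aligned, so bs=4096 keeps skip/count small and the
# copy fast compared with bs=1.
dd_cmd() {                      # dd_cmd <pid> "<maps line>" <outfile>
    set -- "$1" "$3" $(maps_region "$2")
    printf 'dd if=/proc/%s/mem of=%s bs=4096 skip=%d count=%d' \
        "$1" "$2" $(($3 / 4096)) $(($4 / 4096))
}

# Run the carve for real. Reading another process's memory needs ptrace
# permission (root, or same user with kernel.yama.ptrace_scope allowing it).
dump_region() {                 # dump_region <pid> "<maps line>" <outfile>
    set -- "$1" "$3" $(maps_region "$2")
    dd if="/proc/$1/mem" of="$2" bs=4096 skip=$(($3 / 4096)) \
       count=$(($4 / 4096)) 2>/dev/null
}

# The shortcut from 06:55: /proc/<pid>/exe still resolves to the unlinked
# binary, so a plain copy recovers the whole ELF without any offsets.
copy_exe() {                    # copy_exe <pid> <outfile>
    cp "/proc/$1/exe" "$2"
}

# Demo on the constructed line: prints the dd command, executes nothing.
dd_cmd 1234 '00600000-00621000 r-xp 00000000 08:01 4321   /tmp/sample (deleted)' sample.bin
echo
```

Run `deleted_mappings /proc/PID/maps` first, then feed each interesting line to `dump_region`; the `r-xp` segment is the code and the heap segment is where the mettle strings turned up in the video.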
