HackTheBox - Overflow

00:00 - Intro
01:00 - Start of nmap
02:20 - Taking a look at the website
03:10 - Examining the AUTH cookie and talking about why it's unique
05:40 - Running FeroxBuster, talking about why I started using it
08:15 - Examining the length of the cookie with various usernames to discover the cookie length changes
11:30 - Discovering the block size
12:30 - Modifying the cookie and getting an Invalid Padding error message, which indicates it may be vulnerable to a padding oracle attack
14:20 - Running padbuster to perform the Padding Oracle attack and decrypt the cookie. Then creating a new cookie changing our username
19:30 - Changing our cookie to the forged one and logging into the application as Administrator
21:05 - Finding an SQL Injection in the Logs endpoint, using SQLMap to dump everything
29:15 - Going over the SQLMap history files to view previously dumped data, so we don't have to make more requests to the server
33:00 - Cannot crack the MD5s in the database; downloading the CMS Made Simple source and doing some quick code review to find out all MD5s have a static salt
42:30 - Cracking the salted MD5 password of the editor user with hashcat
45:10 - Going to devbuild-job.overflow.htb and discovering there's a resume upload
49:00 - Uploading a JPEG results in the server giving us the ExifTool version; finding CVE-2021-22204, an ExifTool vulnerability that allows running commands. Getting a shell
54:00 - Reverse shell returned, getting the developer's password and using SSH to log in as them
56:35 - Using find to list files owned by developer
59:20 - Hunting for files owned by tester and discovering commontask.sh; we can exploit this because we have write access to /etc/hosts
1:02:55 - Shell as tester
1:04:25 - Talking about extended attributes, using getfacl to show them
1:06:00 - Discovering a SetUID file; every time we run it, it prompts for the same PIN code. Copying it to our local box and seeing if the PIN code is the same
1:08:00 - Analyzing the binary in Ghidra, to discover there is no srand(), so the seed is always 1 for rand()
1:11:30 - Discovering the pin code by setting a break point on the check in gdb
1:14:30 - Discovering the buffer overflow within the decompiled source, then using pattern_create to find where we overwrite EIP
1:16:30 - Looking at functions to set EIP to via ROP; finding the encrypt function
1:21:00 - Discovering a timing attack in the encrypt function which lets us read any file
1:24:30 - Trying to perform the timing attack replacing a file with a symlink
1:27:00 - Apparently we cannot just use /tmp/ for this exploit; we need to be in a directory. Performing the attack and getting root
