HackTheBox - Toby

00:00 - Intro
00:50 - Start of nmap
03:30 - Discovering backup.toby.htb and discovering GOGS
07:40 - Discovering a backup project in toby-admin, which is wordpress
09:38 - Downloading and running a PHP malicious file scanner and finding a backdoor in the web code
13:30 - Finding the backdoor in comment.php and finding out it's packed a bunch of times. Using a loop to get it back to the original code.
19:00 - Analyzing the depacked malware, to see it will run a function on a specially crafted comment
22:40 - Placing the comment which should trigger the backdoor, then analyzing what happens
23:40 - Wireshark shows the box starts a request on port 20053; listening and discovering it sends us data encrypted with our secret
28:20 - Changing the secret to be 00, so it doesn't xor anything making it a bit easier for us to analyze
29:25 - Sending it a command by XOR'ing it with the key the server sends back to us
32:00 - Creating a python script to automate this
40:22 - Reverse shell returned; python isn't there, so using script to get our regular TTY
42:15 - Looking at /proc to see network information since ifconfig and ip are not on the box
50:20 - Running chisel to set up a proxy back to us
58:00 - Connecting to the MySQL Database to crack wordpress accounts
1:01:10 - Logging into the GOGS instance as toby-admin, downloading personal-webapp source code
1:04:30 - Making the webapp initiate a MySQL connection back to us
1:06:20 - Editing our MySQL instance to allow a host, but first we have to reset our MySQL root password
1:10:00 - Extracting the salt + password from Wireshark of MySQL trying to log into us, figuring out how to convert it so we can crack it
1:16:38 - Converting the salts to hex, which is what hashcat needs, then trying to crack the MySQL password but failing
1:18:35 - Discovering the password used the password generator which is using the epoch time as a seed for random
1:19:30 - Copying the PWGenerator code to create a new wordlist of all potential passwords
1:25:49 - MySQL Password has been cracked, this provides us ssh access to the MySQL Docker container
1:28:17 - Running pspy on the MySQL container to discover that an SSH key gets temporarily written
1:30:36 - Writing a loop that runs cat against a file until it exists, then stops, to get the SSH key, which gets us on the host
1:33:20 - Decrypting the SQLite Database we had found earlier
1:39:50 - Hunting for a backdoor on the system by looking at full timestamps, since package managers truncate the time, which may make backdoors stick out
1:45:00 - Discovering a PAM library and the /etc/.bd file
1:47:00 - Analyzing the PAM library in Ghidra to discover it allows a backdoor password to log in, but also allows people to bruteforce the backdoor password one character at a time
1:53:20 - Explaining how we are going to bruteforce this password
1:56:30 - Creating a shell script to bruteforce the password
2:00:45 - Bruteforcing the password and getting root
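The timestamp-hunting idea at 1:39:50 can be turned into a one-liner. This is an added example, not a command from the video: it lists regular files whose modification time carries a non-zero sub-second fraction, on the assumption that files unpacked by a package manager keep the whole-second mtime stored in the archive while a file written by hand on an ext4 filesystem gets a nanosecond-precision mtime. It assumes GNU find and awk; the directory argument and the function name `odd_mtimes` are my own choices.

```shell
# Added example (not from the video). Flag files whose mtime has a sub-second
# component. Package managers such as dpkg restore the whole-second mtime
# from the package archive, so a fractional part other than zero suggests
# the file was written directly on the box (assumption: the filesystem keeps
# nanosecond timestamps, as ext4 does; requires GNU find for -printf).
odd_mtimes() {
    # $1: directory to scan. Prints "<date> <time.nanoseconds> <path>" for
    # every regular file whose mtime fraction is non-zero.
    find "$1" -xdev -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null |
        awk '{ split($2, t, "."); if (t[2] + 0 != 0) print }'
}

# Typical use on a live box: start with the directories a PAM backdoor or a
# dropped library would live in, then widen to the whole root filesystem.
# odd_mtimes /lib /usr/lib /etc
```

Note that `-xdev` keeps the scan off mounted pseudo-filesystems such as /proc; drop it if you want to cross into other real mounts.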
