HackTheBox - Travel

00:00 - Intro
00:58 - Start of recon, discovering a bunch of hostnames in a cert
04:24 - Running wpscan against blog.travel.htb
06:10 - Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo
07:45 - Using git-dumper to download the git repo
10:28 - Examining the git project to discover what it is and where its installed on the webserver
14:20 - Discovering a debug file
16:30 - Hunting for where web app accepts user input
19:10 - Getting the server to make a request back to us
21:00 - Examining what debug.php is telling us (memcache)
26:15 - Hunting around wordpress/simplepie to see how it is using memcache
33:00 - Begin of trying to poison the memcache object, talking about bypass the ip filter via hex encoding the ip
36:00 - Bypassing the file:// filter by using gopher to smuggle in a request to memcache. Using gopherus
39:15 - Explaining what gopherus is doing
41:48 - Creating a php serialized object to drop a file to the webserver
44:24 - Having gopherus generate a malicious payload then dropping a web shell to the server
47:00 - Getting a reverse shell
50:50 - Examining the MySQL database
53:45 - Discovering the wordpress backup file with additional users
56:40 - Logging in with lynik-admin and cracked password from WP backup. Finding ldaprc and viminfo
58:45 - Downloading Apache Directory Studio so we have a gui to LDAP
59:45 - Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the service
01:04:00- Using Apache Directory Studio to modify a users password
01:06:00 - Using Apache Directory Studio to add an SSH Key
01:09:10 - Using Apache Directory Studio to modify the user group to sudo, then we can sudo su to root

Видео HackTheBox - Travel канала IppSec