HackTheBox – Faculty – SQL Injection on Update Statements and Inject Shellcode with GDB!
00:00 – Intro
01:01 – Start of nmap
02:10 – Testing login of the webapp, finding SQL Injection to bypass it
03:20 – Running gobuster with our cookie so it has access to any authenticated page
04:50 – Examining the course edit functionality and discovering how the page tells us if our update was a success
05:50 – Explaining the dangerous thing about update injections: we accidentally changed EVERY row.
08:45 – Extracting information from this Update Injection in MySQL by editing a second column
10:15 – Standard MySQL Injection to extract table information from Information_Schema, then dumping hashes
15:00 – Showing a second login form, which is also SQL Injectable
17:00 – Examining the Generate PDF Function
19:00 – Verifying we can put HTML in the PDF
21:40 – Going to GitHub Issues and finding issues with MPDF to find vulnerabilities in old versions
22:30 – Showing we do have SSRF but this doesn’t really give us anything
24:10 – Using Annotations to add local files into the PDF
25:25 – Dumping source code of the webapp to find the configuration file, then getting the MySQL Password
29:40 – Testing the MySQL Password with SSH and logging in as gbyolo
31:20 – Exploiting Meta-Git to gain access to the developer user
36:40 – Shell as Developer and running LinPEAS
38:48 – Testing CVE-2022-2588 as a privesc on Ubuntu, it works! (unintended route)
42:30 – Finding GDB has cap_sys_ptrace permissions, which means we can debug processes running as root
43:20 – Using MSFVENOM to generate shellcode to perform a reverse shell, which we will inject into a process
45:00 – Creating a python script to format the shellcode in a way we can just paste it into gdb
46:25 – Explaining the modulo operator (%) which is how we will pad our payload
49:00 – Building our payload
53:00 – Payload has been built! Let's inject it into a process and get a shell