HackTheBox - Scavenger
01:30 - Begin of Recon
05:50 - Discovering an SQL Injection inside of the WhoIs Service
07:20 - Identifying we can perform DNS Zone Transfers with dig axfr (aquatone is the application I mention to take screenshots)
12:10 - Explaining the SQL Union Injection
16:30 - Dumping information out of Information_Schema via the SQL Union Injection
23:05 - Dumping hostnames out of the whois database via the SQL Union Injection
28:45 - Discovering the pwned website, discovering shell.php with GoBuster
31:45 - Using wget to get the date the webserver was defaced
33:00 - Using wfuzz to find the hidden parameter the attacker's shell used, after which we have code execution on the machine
39:15 - Using find with -newermt to identify what happened around the time the attacker pwned the box
46:00 - Discovering a mail file that has some credentials for an FTP user
49:17 - Using grep/awk to find the hacker in the Apache access logs
51:44 - Searching Wireshark for the attacker's POST request to pull more credentials and the files the attacker uploaded to the server
55:05 - Analyzing the root.c kernel module
56:00 - Testing the kernel rootkit: it didn't work over HTTP, so let's get a forward shell and try it there
01:02:22 - Testing passwords to gain access to ib01c01, which has the compiled kernel rootkit (root.ko)
01:05:20 - Analyzing root.ko in Ghidra to discover some slight changes to the root.c source code
01:09:20 - Sending g3tPr1v to /dev/ttyR0 to activate the rootkit and switch to root
01:10:02 - Testing nc with a source port of 20 to verify our assumption that only root can do this
01:11:50 - Creating a PHP script to act as middleware between SQLMap and the WhoIs port, allowing us to use SQLMap to dump the database
01:22:20 - Manually installing Zeek (formerly known as Bro) to analyze the pcap
01:25:50 - Zeek has been installed; running it against the pcap with -Cr to ignore checksum errors
01:26:42 - Showing how to manually analyze Zeek logs with less -S and zeek-cut
01:31:50 - Installing zkg, the Zeek package manager, then installing the ja3 and http-post modules to extract SSL signatures and HTTP POST data
01:36:20 - Running Zeek again with the modules to identify the HTTP attack used (Google: "prestashop mail proxycommand exploit" to find the exploit the attacker used)