01:10 - Begin of recon
03:00 - Discovery of WordPress and fixing broken links with Burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra (rabbit hole)
13:05 - Back to looking at WPScan; find that the Gwolle plugin is vulnerable to RFI exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming Monstra was read-only
18:50 - Running LinEnum.sh to see that www-data can run tar via sudo
20:30 - Using GTFOBins to find a way to execute code with tar
22:00 - Begin of the Onuma user; use LinEnum again to see a systemd timer for a custom script
24:10 - Examining backuperer script
26:00 - Hunting for vulnerabilities in Backuperer
32:15 - Playing with if/then exit codes in Bash. Turns out exit codes 0/1 evaluate as true, 2 as false
34:20 - Begin of exploiting the backuperer service via its integrity check
36:40 - Creating our 32-bit SetUID binary
39:16 - Replacing the backup tar with our malicious one (file owner of the shell is wrong)
40:54 - Explaining that file owners are embedded within tar archives; creating the tar on our local box so the SetUID file is owned by root
42:30 - Exploiting the Backuperer Service via SetUID!
45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service