00:00 - Intro Hacking a Command and Control Server
01:07 - Running nmap and discovering two different SSH instances, guessing one is Docker
03:30 - Looking at robots.txt, which includes a link to the implant; looking at the error message and discovering it's a C++ binary
05:30 - Using Wireshark to discover it makes a DNS request to spooktrol.htb, then walking through the C2's handshake
08:45 - Using BurpSuite and socat to proxy the connection of our binary
12:10 - Using BurpSuite's find and replace to edit the task that is being sent to our C2
13:00 - Opening up the binary in Ghidra
14:15 - Looking at the decompiled output for the main function, which calls Spooky. Setting a breakpoint on the XOR function and discovering the first flag
16:45 - Discovering the case statement and analyzing task number 1 (Exec)
19:50 - Stepping through each of the other tasks to discover what each function does
22:00 - The Perform Upload function builds a curl command
24:45 - Breaking after the curl string is assembled to show the full command it runs (using BurpSuite to reach this part of the code)
27:50 - Accessing task 3 a different way: breaking at the switch statement and editing the JMP
32:45 - Editing the filename in the PUT command to perform directory traversal and upload an SSH key
34:30 - Logging into the C2 and inspecting the database to discover another beacon is running, which is on the host operating system
37:00 - Inserting a task into the database to ask the rogue beacon to execute a reverse shell for us
39:25 - Extra content: exploiting the box with no reverse engineering! Using an LFI to dump the source code of the application
41:40 - The server.py file has been leaked; grabbing all the other Python scripts
43:20 - The application is now running on our box! We can identify the file upload functionality and how to exploit it
51:45 - Extra content: going over the C++ code, which shows how the implant works