HackTheBox - Gofer

00:00 - Introduction
01:00 - Start of nmap
03:40 - Running gobuster to discover the proxy.gofer.htb subdomain
05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered
08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then gobustering setting our method to POST
11:55 - Finding a SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests
16:40 - Showing we can get around the localhost/ blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool
21:30 - Sending a SMTP Request via gopher to send an email with a link to a malicious file
27:55 - Making a ODT Document with a macro that executes on-open and sends a shell
34:50 - shell as jhudson
36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets
44:40 - Opening the capture in Wireshark and showing the TBuckley sent his password to the proxy, then SSH as him
46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly
50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer
53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.
56:00 - Showing what happens when you create the user, free the memory, then create the note (Both USER and NOTE now point to the same point in memory
59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID

Support the originator by clicking the read the rest link below.