00:00 - Intro
00:54 - Start of nmap
02:00 - Taking a look at the website
10:00 - Running gobuster against store.djewelry.htb and discovering a vendor directory that has phpunit
11:45- Exploiting phpunit to get a shell on the box
15:15 - Shell recieved on the box as www-data
17:20 - Looking for files owned by www-data on the box by using find to discover /var/backups/info
19:30 - Running strings against the /var/backups/info file and discovering a hex string that is a shell script. Using CyberChef to decode it and gain access to steven
25:00 - ssh in as steven, talking about the duplicate users as steven and steven1 have the said uid/gid
27:00 - Talking about timestamps, my favorite way to find tools left behind by hackers
28:15 - Using find -type f -printf "%T %p
"to show the full time stamp for files
30:45 - Using find to find files that were created 00:00:00, which is an indication of time stomping. Discovering a backdoored copy of sshd
33:40 - Running the backdoored binary in Ghidra and discovering a backdoor in the login function
36:15 - Extracting the backdoor password and using CyberChef to decode it
41:50 - We skipped a step, finding and examining a backdoored apache module
43:50 - The easy way of doing strings and decoding the bsae64 to discover what the backdoor did
45:15 - Having trouble analyzing this with Ghidra
48:00 - Switching to Cutter which handles this binary better
51:40 - Going back to Ghidra and seeing what we missed
Support the originator by clicking the read the rest link below.
