HackTheBox - UpDown

00:00 - Intro
01:00 - Start of nmap
01:30 - Testing the webhook, examining the request the server makes
05:30 - Trying other URL Wrappers to see how the application behaves
08:10 - Finding the .git sub directory, running git-dumper to extract source code
10:55 - Finding and explaining the LFI Vulnerability
12:10 - Attempting to use the php filter to extract source code, does not work, turns out there's another website
14:00 - Discovering there is a special header requried to access the DEV Website
16:00 - Configuring BurpSuite to add the header for us
18:15 - Explaining the LFI And why we are going to use a phar file to get code execution
22:30 - Attempting to get a shell, when executing our file we get a ERROR 500. Simplify the payload to see it works.
26:00 - Examining phpinfo to see disabled functions, and discovering system() was blocked
27:00 - Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available
29:15 - Showing off github co-pilot, turns out it didn't exactly give me what I wanted.
31:00 - Uploading our script to check dangerous functions and identifying we can use the proc_open() function
32:00 - Creating a script to send us a reverse shell, more github copilot finishing our code for us
35:20 - Exploring the developer home directory, finding a setuid python binary that uses input(), exploiting to get developer user
39:30 - We can run easy_install with sudo, getting root
40:30 - Explaining the Code Execution without dropping a file, by using gadgets with php filters to create text for us

Support the originator by clicking the read the rest link below.