CyberSecLabs - Pipercoin - Linux [Walkthrough]
PinkDraconian
YouTube: https://www.youtube.com/c/PinkDraconian
Twitter: https://twitter.com/PinkDraconian
TikTok: https://www.tiktok.com/@pinkdraconian
LinkedIn: https://www.linkedin.com/in/robbe-van-roey-365666195/
Discord: PinkDraconian#9907
Instagram: https://www.instagram.com/robbevanroey/
Website: http://pinkdraconian.d4rkc0de.com/
HackTheBox: https://www.hackthebox.eu/home/users/profile/129531
Reddit: https://www.reddit.com/user/PinkDraconian
Steam: https://steamcommunity.com/id/PinkDraconian
GitHub: https://github.com/PinkDraconian
Platform: CyberSecLabs
Platform Link: https://www.cyberseclabs.co.uk/
Category: Machine
OS: Linux
Challenge name: Casino
Difficulty: 8/10
00:00 Introduction
00:10 Nmap scan
00:30 Checking out port 80
00:40 Directory traversal with wfuzz
02:05 Finding and checking out source code of the website - Flask
02:40 Finding potential secret key for signing flask session tokens
04:40 Using flask unsign to see if the secret key is valid
08:30 Recovering builtins in python exec
11:40 Getting past the waf (Chars that aren't allowed) by using hex characters
14:30 Explaining why there's a lot of backslashes
16:50 Getting output from our command through setting a session value
19:20 System isn't returning anything, using popen.read() instead
19:45 Our payload is too long, shortening it
23:40 We are root in a docker container (.dockerenv)
24:10 Finding a sqlite3 db, checking it out
25:50 Bruteforcing ssh with Hydra
27:00 Finding SUID binary which we can read, running as root
28:10 Reverse engineering the cryptoKeys binary with ghidra
30:00 Checking the security on the binary with checksec
32:00 Using cyclic strings to get the offset to the instruction pointer
34:20 Checking if ASLR is enabled on the box
35:40 Using gdb to get stack address on the box
37:00 Using pwntools shellcraft to create a nop sled and generate shellcode
39:30 Running the payload and getting root RCE
...
https://www.youtube.com/watch?v=DetWc55UOZw