00:00 – Intro
01:00 – Start of nmap
01:50 – Talking about what the page parameter does and why it's normally vulnerable to LFI
03:20 – Running gobuster to get a list of files on the webserver while we poke at the LFI
04:45 – Finding an LFI in combination with an EAR (Execute After Read) vulnerability, then examining the source code of index.php to see the vulnerability
06:50 – There was a sanitize string function that wasn't recursive; explaining how we could exploit this
10:00 – Discovering beta.html, which is a license upload; grabbing the source code and the vulnerable application
13:00 – Grabbing netstat-like information, running processes, and memory maps with our LFI vulnerability
16:25 – Playing with the activate_license executable and finding a buffer overflow
19:50 – Using GDB to examine the crash, need to use set follow-fork-mode child to follow the fork
22:55 – Crashing the program with a pattern and finding the offset to RSP
23:55 – Start of creating our exploit script
24:30 – Extracting where activate_license and libc exists within memory using the /proc/pid/maps file
22:55 – Using objdump to dump the location of system() within the libc version running on the target
27:57 – Using ropper to search for gadgets, pop rdi – pop rdx – and one to move values from rdx to rdi
30:20 – Using readelf to look for a writable space within memory for us to write our malicious command to
32:00 – Building the rop chain to write our command to memory, then call system
37:43 – Reverse shell returned running linpeas a
40:00 – Failing to run CVE-2022-0847, not sure why
43:50 – Discovering a timer that backs up the website as the dev user and is vulnerable to a symlink attack; grabbing the home directory of dev, which has an SSH key
46:20 – Examining the ememu directory in dev, which is a C program
47:30 – Talking about binfmt_misc and how we will be able to create an interpreter for extensions that executes code as root
49:30 – Talking about the cap_dac_override permission
50:20 – Exploiting our ability to write to binfmt_misc/register to get root
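The non-recursive sanitizer at 06:50 is the kind of bug worth seeing side by side with the check that actually holds. The snippet below is an added example, not the box's source code or anything from the video; the function names and the `page` parameter mapping are hypothetical. It shows why a single pass of `str_replace()` is not a path sanitizer, why "loop until stable" is only a partial fix, and why an allowlist of page names is the defensible design.

```php
<?php
// Added example, not code from the machine or the video. Assumes a hypothetical
// "page" parameter that ends up in include()/readfile(); all function names
// here are invented for illustration.

declare(strict_types=1);

// The weak pattern: str_replace() makes one left-to-right pass, so removing the
// inner "../" from "....//" leaves a fresh "../" behind.
function sanitize_input_naive(string $page): string
{
    return str_replace('../', '', $page);
}

// A common "fix": repeat until nothing changes. This closes the "....//" trick
// but still trusts attacker-controlled path structure (absolute paths and
// encoding variants are not addressed), so it is stripping, not validation.
function sanitize_input_loop(string $page): string
{
    do {
        $before = $page;
        $page = str_replace('../', '', $page);
    } while ($page !== $before);
    return $page;
}

// The robust approach: validate instead of sanitize. Only a known page name is
// accepted, and the server maps it to a file inside the web root itself, so the
// request never carries a path.
function resolve_page(string $page, array $allowed, string $baseDir): ?string
{
    if (!array_key_exists($page, $allowed)) {
        return null; // unknown page name: reject rather than "clean"
    }
    return $baseDir . '/' . $allowed[$page];
}

// Constructed sample input exercising the three behaviours.
$payload = '....//....//etc/passwd';
$pages   = ['home' => 'home.php', 'beta' => 'beta.html'];
$base    = '/var/www/html/pages';

printf("naive : %s\n", sanitize_input_naive($payload));
printf("loop  : %s\n", sanitize_input_loop($payload));
printf("allow : %s\n", var_export(resolve_page($payload, $pages, $base), true));
printf("allow : %s\n", resolve_page('home', $pages, $base));
```

Run with `php example.php`. The first line demonstrates the traversal surviving the naive sanitizer, the second shows the loop stripping it down to a relative name that still came from the client, and the last two show the allowlist rejecting the payload outright while serving a legitimate page name.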
Video link
Now that I see it, I realise I wasn't even close. I didn't stand a chance on that foothold😅
I have no idea what the hell he is doing, but I watch just to see the process.
Could you please explain why you put the letter "a" at the beginning of the LFI payload at 13:42?
24:22 what's your VIM config?
angle brackets 😎😎😎
I wonder why adding the character "a" doesn't result in an error in the webapp. I've tested it on my machine; readfile("a../etc/passwd") provokes a PHP error:
PHP Warning : readfile(a../etc/passwd): Failed to open stream: No such file or directory in php shell code on line 1
Woah, what a cool explanation as always. Will appreciate it if you upload your buffer overflow videos ^_^
Nice to see another great walkthru. Thank you for the detailed write-up.
Nice, the str_replace() bypass explanation was cool, even if sanitize_input() was never executed.
Awesome, just a quick question: did you know all that gdb/buffer overflow stuff and how to make that Python exploit off the top of your head? Or do you do some kind of prep before these walkthroughs? Where do you learn this stuff in the first place? Surely you can't just remember stuff like that lol, that's insane.
This is awesome. I loved the BOF part, but I think I need to dig a bit deeper into BOF because I did not get the gadgets part yet.
Quick tip: while playing around with it myself I was doing a similar thing as you were at 17:00, but I never got any "Connection reset by peer". Turns out only Ncat gives this message, not the normal netcat. I wonder if there is still some way to see this difference with netcat, but it's always a bit weird with both programs having the same command.
It would have made your life a lot easier if you had realised that you can read any file if you put its absolute path; all the dot-slash nonsense was not necessary (using Burp Repeater to not follow redirects).
Glad you are back. This is a great video. With nice skills to learn from. So thanks for this. Well worth every minute.
You can just type $ killall activate_license
Fking King bro
hell yeah!
pkill is also cool 🙂
I was doing buffer overflow last week, but the next day I was suffering from a fever…
Dude. You are so cool
Sir, Can you please add 'OverGraph'
Thanks
hi ippsec please create a new video for bypass 2FA
and this video is very cool 😎 😎
hey Ippsec can you provide OverGraph machine
I literally was looking for answers and this video is posted. Amazing !
hello hackers are you retired or tired?
I have a couple questions. 1) what’s your terminal color and 2) what’s your $PS1
Overgraph??????
Ippsec is back. Good video as always.
Ippsec is back
Ippsec is back in action.. 👍
Sweeeeeet‼️🤩
All very nice. But first, numbers 10 and 1 together. A verwohn.online brunette and another blonde. It would be unfair if I chose 4.
Overgraph?
Overflow was a nice part of the machine
First :)?