Charon Video by IppSec

The two things I liked most about this video:

  • Union Injection, I think many people played with SQLMap for hours when if the response from the server was formatted as an email you could return data. Example:’ UNIoN select 1,2,3,concat(version(),‘’)-- -
  • Decrypting the password without RsaCtfTools.

Time Jumps: View on YouTube page for these to be links
1:30 - Rabbit Hole - Searching for SuperCMS
6:23 - Running enumeration in the background (GoBuster)
7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
12:53 - Manual Identification of SQL Injection
15:50 - SQL Injection Explanation
17:20 - Rabbit Hole - Starting SQLMap in the Background
18:10 - SQL Union Injection Explanation
19:30 - Identifying “Bad/Filtered Words” in SQL Injection
21:02 - SQL Union Finding number of items returned
21:48 - Returning data from Union Injection
22:48 - SQL Concat Explanation
23:55 - Enumerating SQL Databases Explanation (Information_Schema)
25:46 - Returning Database, Table, Columns from Information_Schema
29:30 - Scripting to dump all columns
36:45 - Listing of columns in SuperCMS
37:15 - Dumping User Credentials
41:36 - Logging in and exploiting SuperCMS
47:00 - Return of reverse shell
48:40 - Transfering small files from shell to my machine
50:56 - Using RsaCtfTool to decrypt contents with weak public key
52:52 - Breaking weak RSA manually
1:01:20 - Begin PrivEsc to Root
1:02:40 - Transering large files with NC
1:03:50 - Analyzing SuperShell with BinaryNinja (Paid)
1:06:04 - Analyzing SuperShell with Radare2 (Free)
1:08:22 - Exploiting SuperShell
1:12:46 - Encore. Getting a Root Shell with SetUID Binary

Good Job bro i hope i can be like you in someday :slight_smile:

Nice job! Let me note that enclosing characters in double quotes preserves the literal value of all characters with the exception of $,`,, ! (thus the need for escaping), while enclosing characters in single quotes preserves the literal value of all characters (no need for escaping):

supershell '/bin/ls $(command)' 

Moreover, there is a much much simpler way to get root shell… Entering multiline mode:

supershell "/bin/ls
> bash"

Nice Job @ippsec

thanks ahmed


Great video. I learned so much from this! The way I found the username and password was by using the sequencer in Burp, using the offset as a payload position. It does take some time with the community edition of Burp, due to the throttling it does, but it took only 2 minutes to set up and start it. It is easy to see when you have hit a non test username, due to the length of the response. Of course there is a chance that the real username has the same length as for example test1, but you can export the results afterwards and search in them.