Charon Video by IppSec

edited November 2017 in Video Tutorials

The two things I liked most about this video:

  • Union Injection, I think many people played with SQLMap for hours when if the response from the server was formatted as an email you could return data. Example: [email protected]' UNIoN select 1,2,3,concat(version(),'')-- -
  • Decrypting the password without RsaCtfTools.

Time Jumps: View on YouTube page for these to be links
1:30 - Rabbit Hole - Searching for SuperCMS
6:23 - Running enumeration in the background (GoBuster)
7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
12:53 - Manual Identification of SQL Injection
15:50 - SQL Injection Explanation
17:20 - Rabbit Hole - Starting SQLMap in the Background
18:10 - SQL Union Injection Explanation
19:30 - Identifying "Bad/Filtered Words" in SQL Injection
21:02 - SQL Union Finding number of items returned
21:48 - Returning data from Union Injection
22:48 - SQL Concat Explanation
23:55 - Enumerating SQL Databases Explanation (Information_Schema)
25:46 - Returning Database, Table, Columns from Information_Schema
29:30 - Scripting to dump all columns
36:45 - Listing of columns in SuperCMS
37:15 - Dumping User Credentials
41:36 - Logging in and exploiting SuperCMS
47:00 - Return of reverse shell
48:40 - Transfering small files from shell to my machine
50:56 - Using RsaCtfTool to decrypt contents with weak public key
52:52 - Breaking weak RSA manually
1:01:20 - Begin PrivEsc to Root
1:02:40 - Transering large files with NC
1:03:50 - Analyzing SuperShell with BinaryNinja (Paid)
1:06:04 - Analyzing SuperShell with Radare2 (Free)
1:08:22 - Exploiting SuperShell
1:12:46 - Encore. Getting a Root Shell with SetUID Binary


  • Good Job bro i hope i can be like you in someday :)

  • Nice job! Let me note that enclosing characters in double quotes preserves the literal value of all characters with the exception of $,`,\, ! (thus the need for escaping), while enclosing characters in single quotes preserves the literal value of all characters (no need for escaping):

    supershell '/bin/ls $(command)' 

    Moreover, there is a much much simpler way to get root shell... Entering multiline mode:

    supershell "/bin/ls
    > bash"
  • edited November 2017

    Nice Job @ippsec ..


                      Twitter : @ahm3dsec
  • thanks ahmed


  • Great video. I learned so much from this! The way I found the username and password was by using the sequencer in Burp, using the offset as a payload position. It does take some time with the community edition of Burp, due to the throttling it does, but it took only 2 minutes to set up and start it. It is easy to see when you have hit a non test username, due to the length of the response. Of course there is a chance that the real username has the same length as for example test1, but you can export the results afterwards and search in them.

    Hack The Box

Sign In to comment.