HackTheBox - AdmirerToo

Name: HackTheBox - AdmirerToo
Uploaded: 2022-05-28T15:58:13Z
Channel: IppSec
Description: 00:00 - Intro 01:08 - Start of nmap, discovering a webserver and filtered port 04:15 - Discovering a hostname in the 404 not found message in the mailto...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·3y ago

00:00 - Intro 01:08 - Start of nmap, discovering a webserver and filtered port 04:15 - Discovering a hostname in the 404 not found message in the mailto section 05:25 - Gobuster VHOST Discoery finds the subdomain db.admirer-gallery.htb which is adminer. Playing with the application and raw SQL Commands 07:25 - Trying to write files with INTO OUTFILE, also testing the secure file priv default directory for MySQL which is the most reliable 09:30 - Going to google and finding this version of adminer is vulnerable to a SSRF, but having trouble with this because the login for adminer is different 1…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

1:08 Start of nmap, discovering a webserver and filtered port

4:15 Discovering a hostname in the 404 not found message in the mailto section

5:25 Gobuster VHOST Discoery finds the subdomain db.admirer-gallery.htb which is ad

7:25 Trying to write files with INTO OUTFILE, also testing the secure file priv def

9:30 Going to google and finding this version of adminer is vulnerable to a SSRF, b

11:45 Intercepting the login request, finding a hardcoded password that doesn't real

13:00 Installing adminer in a docker container, so we can play with the application

15:30 Finding a python3 http server redirect example to use for our SSRF

17:00 Performing the SSRF Vulnerability failing to extract local files

18:10 The CSRF is annoying, configuring burpsuite to replace variables in our post a

20:00 Having the SSRF access localhost:4242 (the filtered port from nmap), we see th

21:15 Exploit fails, it complains about an invalid metric. Googling to find OpenTSDB

24:30 Updating the exploit to use the http.stats.web.hits metric and getting RCE

29:10 Reverse shell returned

33:40 Finding database credentials in server.php, which also are jennifers credentia

36:00 Enumerating Apache configuration files, discovering one webserver runs as deve

39:20 Discovering a PHP Object Injection vulnerability in a OpenCats which is a webs

42:30 Discovering devel can write to /usr/local/etc/ and fail2ban is installed, whic

45:00 Running strace on wh

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →