HackTheBox - AppSanity

00:00 - Introduction 01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan 04:40 - Taking a look at the MedDigi website 07:07 - Taking a look at the Signup Request seeing AcctType 09:30 - Changing the AcctType to 2 and getting a different privilege 14:00 - VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing session from the main page on this domain to bypass login 17:52 - Discovering SSRF in the Prescriptions page 19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and upload ASPX Web Shells 25:30 - Going back to the SSRF and discovering we can use time-based queries to identify ports listening on localhost 28:30 - Using FFUF to filter by duration to show us the requests that don't take a long time 38:22 - Discovering port 8080 shows our upload location, then navigating to it and getting a shell 42:22 - Finding DLL's the webserver uses, they are dotnet so copying them to a windows box so we can use dnspy and finding a password 45:40 - Using netexec to try the password against all users, then logging in as devdoc 53:00 - Looking at the ReportManagement.exe, opening it up in Ghidra 56:50 - Using chisel to forward port 100 to our box so we can access ReportManager 59:30 - Strings shows that externalupload.dll is right next to the Libraries string 1:00:15 - Looking at imports, see CreateProcessW, then going to where the binary calls that process 1:03:30 - Doing Dynamic Analysis with ProcMon, creating all the directories/files the program wants 1:18:50 - Eventually see it looking for files in the Libraries Directory when doing the upload command 1:21:45 - When externalupload.dll exists, we can see it doing a CreateProcess call, creating a DLL that sends a reverse shell 1:26:30 - When the DLL is in the libraries and we run upload, we get a shell