HackTheBox - AppSanity

Name: HackTheBox - AppSanity
Uploaded: 2024-03-09T15:03:01Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan 04:40 - Taking a look at the MedDigi website 07:...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·2y ago

00:00 - Introduction 01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan 04:40 - Taking a look at the MedDigi website 07:07 - Taking a look at the Signup Request seeing AcctType 09:30 - Changing the AcctType to 2 and getting a different privilege 14:00 - VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing session from the main page on this domain to bypass login 17:52 - Discovering SSRF in the Prescriptions page 19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and uploa…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Introduction

1:00 Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan

4:40 Taking a look at the MedDigi website

7:07 Taking a look at the Signup Request seeing AcctType

9:30 Changing the AcctType to 2 and getting a different privilege

14:00 VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing

17:52 Discovering SSRF in the Prescriptions page

19:40 Discovering the File Upload requires a PDF but checks the magic bytes so we ca

25:30 Going back to the SSRF and discovering we can use time-based queries to identi

28:30 Using FFUF to filter by duration to show us the requests that don't take a lon

38:22 Discovering port 8080 shows our upload location, then navigating to it and get

42:22 Finding DLL's the webserver uses, they are dotnet so copying them to a windows

45:40 Using netexec to try the password against all users, then logging in as devdoc

53:00 Looking at the ReportManagement.exe, opening it up in Ghidra

56:50 Using chisel to forward port 100 to our box so we can access ReportManager

59:30 Strings shows that externalupload.dll is right next to the Libraries string

1:00:15 Looking at imports, see CreateProcessW, then going to where the binary calls t

1:03:30 Doing Dynamic Analysis with ProcMon, creating all the directories/files the pr

1:18:50 Eventually see it looking for files in the Libraries Directory when doing the

1:21:45 When externalupload.dll exists, we can see it doing a CreateProcess call, crea

1:26:30 When the DLL is in the libraries and we run upload, we get a shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →