HackTheBox - Backfire

Name: HackTheBox - Backfire
Uploaded: 2025-06-07T15:01:03Z
Channel: IppSec
Description: 00:00 - Introduction 00:48 - Start of nmap 02:00 - Showing Havoc adding the X-HAVOC true header on GET/POST requests on its HTTP Hosting Service 05:00 -...

IppSec · Beginner ·📄 Research Papers Explained ·9mo ago

00:00 - Introduction 00:48 - Start of nmap 02:00 - Showing Havoc adding the X-HAVOC true header on GET/POST requests on its HTTP Hosting Service 05:00 - Seraching CVEDetails finding CVE-2024-41570 which is a SSRF 06:25 - Some quick C2 talk before we dive into the SSRF 08:45 - Going over the Havoc SSRF Script 17:10 - Talking about a research article that looked at multiple open-source C2's and the vulnerabilities they had 21:30 - Allowing our SSRF to make a websocket connection, which lets us authenticate and perform the RCE in Havoc 35:00 - Getting a shell, explaining our attack chain again 38…

Watch on YouTube ↗ (saves to browser)

Chapters (12)

Introduction

0:48 Start of nmap

2:00 Showing Havoc adding the X-HAVOC true header on GET/POST requests on its HTTP

5:00 Seraching CVEDetails finding CVE-2024-41570 which is a SSRF

6:25 Some quick C2 talk before we dive into the SSRF

8:45 Going over the Havoc SSRF Script

17:10 Talking about a research article that looked at multiple open-source C2's and

21:30 Allowing our SSRF to make a websocket connection, which lets us authenticate a

35:00 Getting a shell, explaining our attack chain again

38:10 Discovering Hardhatc2, looking at google and seeing it has a static JWT Signin

41:00 Standing up HardHat c2 via docker to craft an authenticated cookie, then tunne

46:45 Our new user can run iptables/iptables-save with sudo. Using this combo to wri

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →