HackTheBox - Bookworm
00:00 - Introduction
00:50 - Start of nmap
04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because JS cannot be on the same page. Looking for a file upload functionality.
08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field
11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allows us to add notes to other people's items by creating a second account
16:00 - Creating a Python Script that will automatically poison items in peoples b…
Watch on YouTube ↗
(saves to browser)
Chapters (18)
Introduction
0:50
Start of nmap
4:30
Discovering a potential XSS in the Notes field of an order. Content Security P
8:29
Finding out we can upload anything we want to the avatar. This should allow us
11:55
Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allo
16:00
Creating a Python Script that will automatically poison items in peoples baske
28:00
Backet Poisoner script is completed
28:50
Creating a JavaScript payload, explaining why I'm doing await, fetch, and help
40:15
Having the XSS Payload fetch profile, look for orders, then perform a get on a
49:55
Creating a Python Flask Server that will save all of the orders the XSS Payloa
56:00
Examining orders, discovering there is a "Download Everything" URL. Didn't sho
1:12:00
Extracting database.js, which contains the database information. The password
1:15:52
EDIT: Examining the source code to show why downloading a single book was not
1:21:04
Enumerating the box as Frank discovering a second web application listening on
1:30:00
Looking at the source code to the book converter.
1:36:20
Exploiting a SSRF/File Disclosure vulnerability in the Book Converter, but it
1:42:18
Finding Arbitrary File Write vulnerability in the Book Converter by abusing Sy
1:51:50
Shell as Neil who can run the GenLabel binary with Sudo, examining it to disco
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Dungeon
IppSec
HHC2016 - Terminal Speedrun
IppSec
HHC2016 - Ads
IppSec
HHC2016 - Debug
IppSec
HHC2016 - Exception
IppSec
HHC2016 - Analytics
IppSec
HHC2016 - Getting Coins
IppSec
HackTheBox - Popcorn
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Tenten
IppSec
HackTheBox - CronOS
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Beep
IppSec
HackTheBox - Bastard
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Haircut
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Apocalyst
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - SolidState
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Bashed
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
HackTheBox - Nibbles
IppSec
DeepCamp AI