HackTheBox - Bookworm

00:00 - Introduction 00:50 - Start of nmap 04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because JS cannot be on the same page. Looking for a file upload functionality. 08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field 11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allows us to add notes to other people's items by creating a second account 16:00 - Creating a Python Script that will automatically poison items in peoples basket (cart) 28:00 - Backet Poisoner script is completed 28:50 - Creating a JavaScript payload, explaining why I'm doing await, fetch, and helper functions. 40:15 - Having the XSS Payload fetch profile, look for orders, then perform a get on all orders to examine the order page. Then send us the HTML of that page 49:55 - Creating a Python Flask Server that will save all of the orders the XSS Payload sends us 56:00 - Examining orders, discovering there is a "Download Everything" URL. Didn't show it but there is no IDOR Vulnerability here, need to have the XSS Trigger it. Exfilling /etc/passwd 01:12:00 - Extracting database.js, which contains the database information. The password lets us onto the system as Frank 01:15:52 - EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting ROOT on res.download of express 01:21:04 - Enumerating the box as Frank discovering a second web application listening on 3001 01:30:00 - Looking at the source code to the book converter. 01:36:20 - Exploiting a SSRF/File Disclosure vulnerability in the Book Converter, but it doesn't get us anything 01:42:18 - Finding Arbitrary File Write vulnerability in the Book Converter by abusing SymLinks to bypass an File Extension Check. 01:51:50 - Shell as Neil who can run the GenLabel binary with Sudo, examining it to discover a SQL + PostScript Injection