HackTheBox - Breadcrumbs

Name: HackTheBox - Breadcrumbs
Uploaded: 2021-07-17T15:00:18Z
Channel: IppSec
Description: 00:00 - Intro 00:45 - Start of nmap 03:50 - Poking at the website 05:20 - Quickly testing for SQL Injection and coming up with nothing 12:30 - Creating ...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 00:45 - Start of nmap 03:50 - Poking at the website 05:20 - Quickly testing for SQL Injection and coming up with nothing 12:30 - Creating an account and checking what regular users can do 14:15 - Using BurpSuite Sequencer to identify low entropy within login cookies 18:30 - Finding the 302 redirect still outputs the page, its just that the browser doesn't want to show it 21:10 - Creating a simple PHP File to be uploaded 23:00 - Finding the /books/ url and checking the book search page again to find LFI 28:00 - Building a quick python script to automate the LFI 38:00 - Windows is …

Watch on YouTube ↗ (saves to browser)

Chapters (26)

Intro

0:45 Start of nmap

3:50 Poking at the website

5:20 Quickly testing for SQL Injection and coming up with nothing

12:30 Creating an account and checking what regular users can do

14:15 Using BurpSuite Sequencer to identify low entropy within login cookies

18:30 Finding the 302 redirect still outputs the page, its just that the browser doe

21:10 Creating a simple PHP File to be uploaded

23:00 Finding the /books/ url and checking the book search page again to find LFI

28:00 Building a quick python script to automate the LFI

38:00 Windows is really weird with SSH, need to disable PubKeyAuth in order to login

39:50 Looking at the fileController php file to see who can upload files

43:00 Looking around the source code to examine how PHP Sessions are built, so we ca

46:35 Running makesession with all permutations so we can get Pauls login cookie

50:15 Logged in as Paul, now we need to modify the JWT token to say we are Paul

53:50 We can now upload php files! Some light AV Evasion and have a reverse shell w

59:50 Finding Juliette's password within the web application and SSH'ing into Window

1:02:20 Hunting for Microsoft Sticky Notes and finding the Developer Password

1:10:50 Logged in as Development, finding a linux app to reverse in ghidra

1:14:50 Mimicing the curl requests by the linux app to port localhost:1234, so using S

1:19:03 Our curl still isn't working, figuring out the master key to see if the linux

1:21:50 The localhost in our SSH Port Forward is causing weird issues, changing it to

1:23:10 The app works, testing for SQL Injection

1:25:10 Using information_schema to dump information about the database (databases, ta

1:28:40 Using cyberchef to decrypt the AES Blob from the database

1:30:45 PSExec isn't wo

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →