HackTheBox - Carpediem

Name: HackTheBox - Carpediem
Uploaded: 2022-12-03T15:01:15Z
Channel: IppSec
Description: 00:00 - Intro 00:55 - Nmap the box, examining server banners 02:20 - Checking out the website, doesn't seem like anything special 03:40 - Using Ffuf to...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 00:55 - Nmap the box, examining server banners 02:20 - Checking out the website, doesn't seem like anything special 03:40 - Using Ffuf to perform a virtual host scan to discover other subdomains and find portal 04:50 - Discover the Motorcycle Store Portal. Trying to play with a potential LFI but deciding it may be a rabbit hole 09:30 - Stop of examining rabbit hole. 10:00 - Registering an account and noticing it goes to an API. Lets test the API Out by fuzzing other functions 11:20 - Running a GoBuster on the classes directory to find more controllers for the API 12:20 - Fuzzi…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

0:55 Nmap the box, examining server banners

2:20 Checking out the website, doesn't seem like anything special

3:40 Using Ffuf to perform a virtual host scan to discover other subdomains and fin

4:50 Discover the Motorcycle Store Portal. Trying to play with a potential LFI but

9:30 Stop of examining rabbit hole.

10:00 Registering an account and noticing it goes to an API. Lets test the API Out

11:20 Running a GoBuster on the classes directory to find more controllers for the A

12:20 Fuzzing the Users.php file for more functions and discovering Upload

13:00 Using OpenAI to generate an HTML Upload form, so we can see create an HTTP Upl

14:30 Pasting our upload request and uploading a webshell

17:30 Showing a SQL Injection in the Login Function that is vulnerable to Mass Assig

19:30 The intended route: Editing our profile to change our login_type, which is our

23:30 Shell on the Docker Container, looking for credentials in the web app

24:30 Discovering Truedesk.php which has an apikey, looking online to see how to use

28:30 Searching the Truedesk code for more endpoints, finding a stats endpoint which

31:30 Finding a voicemail password and instructions of connecting a soft phone. Down

33:25 Running Zoiper and connecting

37:50 Logging in as hflaccus

39:30 Setting up a proxy through SSH so we can connect to the DropCMS

41:00 Running TCPDump

42:20 Going over the wireshark, finding the HTTPS Connection is using an insecure SS

45:15 Downloading the SSL Certificates and then using wireshark to decrypt the data

49:00 Uploading a malicious DropCMS Module and getting a shell on this docker contai

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →