HackTheBox - Cereal

Name: HackTheBox - Cereal
Uploaded: 2021-05-29T16:02:56Z
Channel: IppSec
Description: 01:17 - Start of nmap, showing having valid hostnames will give more information 03:54 - Error message on source.cereal.htb leaks a path 06:30 - Showing...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

01:17 - Start of nmap, showing having valid hostnames will give more information 03:54 - Error message on source.cereal.htb leaks a path 06:30 - Showing .git doesn't exist in DirectyList but does in Raft 08:02 - Using Git-Dumper to download the .git directory and view the source 09:30 - Looking at Git History shows where deserialization happens and a hard coded JWT 12:08 - Using the hard coded JWT To build our own token in dotnet. 21:00 - Trying to use our JWT to access authenticated pages 25:42 - Going through the React JavaScript to see the token is stored in our browsers local storage 29:4…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

1:17 Start of nmap, showing having valid hostnames will give more information

3:54 Error message on source.cereal.htb leaks a path

6:30 Showing .git doesn't exist in DirectyList but does in Raft

8:02 Using Git-Dumper to download the .git directory and view the source

9:30 Looking at Git History shows where deserialization happens and a hard coded JW

12:08 Using the hard coded JWT To build our own token in dotnet.

21:00 Trying to use our JWT to access authenticated pages

25:42 Going through the React JavaScript to see the token is stored in our browsers

29:40 Our browser keeps clearing the storage lets just intercept a request in BurpSu

32:15 Start of the Desrialization, BadWords Filter to prevent ySoSerial, but we can

33:20 Finding the name of our JSON Library then finding a blackhat talk on abusing i

40:11 More examining javascript to find routes that leaks pages of the pplication

42:15 Using npm audit to find an XSS Vulnerability on /admin due to an out of date p

46:10 Testing the XSS Vulnerability with a simple payload

49:00 Putting it all togather, writing notes on how we are going to build the exploi

51:15 Start of exploit script making python requests not care about SSL, then buildi

57:00 Testing out bad character evasion with Base64 by using a benign XSS Payload fi

1:06:20 Adding stage 1 to our script to send the deserialization payload

1:08:22 Changing our payload to use XMLHttpRequest to force the browser to make a requ

1:13:08 Our script did not work, troubleshooting it

1:17:57 Script worked, lets now host a ASPX File for it to download

1:19:20 Using our webshell to download the SQLite Database

1:22:45 Our Powershell One-Liner to convert the database to b64 just fails. Lets co

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →