HackTheBox - Craft

Name: HackTheBox - Craft
Uploaded: 2020-01-04T15:00:00Z
Channel: IppSec
Description: 01:20 - Begin of recon 03:18 - Checking out the HTTPS Certificate for potential hostnames 05:10 - Looking at api.craft.htb, appears to be some type of D...

IppSec · Intermediate ·🧠 Large Language Models ·6y ago

01:20 - Begin of recon 03:18 - Checking out the HTTPS Certificate for potential hostnames 05:10 - Looking at api.craft.htb, appears to be some type of Documentation for the REST API 06:40 - Looking at gogs.craft.htb, no known exploits but there is some source code! 09:20 - Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out 11:25 - Attempting to crack the JWT (fails) 13:30 - Going back to the issues to see there is an eval() on user input 16:25 - Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog 18:57 - Running GitLeaks…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

1:20 Begin of recon

3:18 Checking out the HTTPS Certificate for potential hostnames

5:10 Looking at api.craft.htb, appears to be some type of Documentation for the RES

6:40 Looking at gogs.craft.htb, no known exploits but there is some source code!

9:20 Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Check

11:25 Attempting to crack the JWT (fails)

13:30 Going back to the issues to see there is an eval() on user input

16:25 Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleH

18:57 Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git

21:20 Discovering Dinesh's credentials in an old git commit

25:05 Logging into GOGS with Dinesh, then showing adding an SSH Key for potential po

28:28 Testing Code Execution from the previous git issue, use the test.py script as

31:30 Getting a reverse shell with this exploit using exec(base64)

35:10 Reverse Shell Returned

36:15 Grabbing settings.py on the server to get a bunch of credentials

37:30 Fixing our terminal to have the correct rows/columns so we can use vi

40:18 Editing dbtest.py to dump all users from the database

42:00 Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracki

45:25 Manually crafting a JWT in Python to show what to do if you are successful at

49:10 Logging into GOGS with the credentials we got from dumping the database

50:20 Gilfoyle as a private repo, lets download it

53:30 Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo

58:00 An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS

1:00:00 Bunch of references to Vault in LinPEAS, looking into what this is.

1:02:20 The .vaulttoken file is saved creds, lets just use vault ssh to login to the b

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Craft

Chapters (25)

Playlist

Lesson complete!