HackTheBox - Crossfit

Name: HackTheBox - Crossfit
Uploaded: 2021-03-20T15:00:23Z
Channel: IppSec
Description: 00:00 - Intro 01:08 - Installing Obsidian which lets us take notes in Markdown format 03:10 - Running nmap to see FTP over SSL and it has certificates 0...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:08 - Installing Obsidian which lets us take notes in Markdown format 03:10 - Running nmap to see FTP over SSL and it has certificates 05:20 - Using openssl to grab the SSL Certificate from FTP 06:50 - Going over the web page extracting emails, people, and user input locations 08:20 - Installing flameshot, which helps us take better screenshots 18:15 - Testing each contact form with XSS Cross Site Scripting 19:10 - XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins 23:10 - Putting XSS Payloads in the User A…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Intro

1:08 Installing Obsidian which lets us take notes in Markdown format

3:10 Running nmap to see FTP over SSL and it has certificates

5:20 Using openssl to grab the SSL Certificate from FTP

6:50 Going over the web page extracting emails, people, and user input locations

8:20 Installing flameshot, which helps us take better screenshots

18:15 Testing each contact form with XSS Cross Site Scripting

19:10 XSS in blog-single.php Triggers an security error saying admins will be lookin

23:10 Putting XSS Payloads in the User Agent

25:25 XSS Attempting to steal cookies with a basic payload, failing here. Document.

27:50 Using ffuf to bruteforce domains via the CORS Origin header to discover FTP

33:35 XSS Using XMLHttpRequest to use the victims browser like a proxy and return we

38:20 XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to crea

46:50 Using lftp to login to the ftp and upload a webshell to development-test

57:50 Shell returned as www-data, finding a Hank's password in /etc/ansible/playbook

1:16:05 SSH as hank and examine the send_updates.php file to find command injection

1:24:40 Finding credentials for ftpadm which lets us create a file to trigger the comm

1:33:40 SSH as Isaac and doing some basic enumeration, explaining why we can't see pro

1:35:50 Using find to do a bunch of IR to find what is unique about hank

1:37:50 Using find to look for files modified between two dates and dbmsg stands out

1:42:10 The dbmsg stands out due to its timestamp having nanoseconds, it is the only f

1:51:00 Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time

1:56:15 Attempting to name variables based upon what we think they are

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →