HackTheBox - Crossfit2

00:00 - Intro 01:10 - Start of nmap and poking at website. Browser Developer Window shows WebSockets + Hostname 06:50 - Setting up full portscan and gobuster while we poke at the box, to always have recon running 09:10 - Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later) 11:20 - Playing with the websockets in BurpSuite, discovering SQL Injection 21:40 - Creating a python program to aid our SQL Injection 29:15 - SQL Injection: Enumerating information_schema to pull out table information 35:45 - Going back to test our previous ffuf to find out i forgot the header flag 42:00 - Using ffuf to fuzz parameters for the passwordreset php script and trying the token from Sql Injection 44:00 - Enumerating our SQL Users permissions and then including files 49:20 - RelayD configuration shows a new domain crossfit-club.htb, failing to sign up with an account 57:40 - Using grep to extract /api/ endoings from javascript files 1:03:00 - Discover the signup endpoint, only administrators can create accounts. 1:06:20 - Grabbing unbound secret keys which will let us create DNS Entries on the box 1:10:08 - Creating a domain name with unbound and then editing the Host header in the password reset 1:13:00 - Explaining the DNS Rebind attack to get around the server examining our DNS Name 1:19:30 - Start of XSS to have the user register an account for us 1:26:40 - Hitting the start of our XSS to debug, explain bypassing CORS based upon not escaping the period in the URL 1:34:20 - Changing our unbound request to use a domain name that bypasses CORS 1:37:15 - Appending a slash to the host header to bypass a regex 1:39:05 - The final XSS Payload to have an administrator create an account for us. Checking out the chat applicaiton 1:47:20 - Start of creating XSS to steal Direct Messages from chat application 1:51:00 - Creating a second account, so we can examine how DM's work in the chat application (use wireshark to do this) 1:54:50 - Finishing off the XSS Script