HackTheBox - Crossfit2

Name: HackTheBox - Crossfit2
Uploaded: 2021-08-14T15:00:22Z
Channel: IppSec
Description: 00:00 - Intro 01:10 - Start of nmap and poking at website. Browser Developer Window shows WebSockets + Hostname 06:50 - Setting up full portscan and go...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:10 - Start of nmap and poking at website. Browser Developer Window shows WebSockets + Hostname 06:50 - Setting up full portscan and gobuster while we poke at the box, to always have recon running 09:10 - Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later) 11:20 - Playing with the websockets in BurpSuite, discovering SQL Injection 21:40 - Creating a python program to aid our SQL Injection 29:15 - SQL Injection: Enumerating information_schema to pull out table information 35:45 - Going back to test our previous ffuf to find out i forgot the header fl…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:10 Start of nmap and poking at website. Browser Developer Window shows WebSocket

6:50 Setting up full portscan and gobuster while we poke at the box, to always have

9:10 Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later

11:20 Playing with the websockets in BurpSuite, discovering SQL Injection

21:40 Creating a python program to aid our SQL Injection

29:15 SQL Injection: Enumerating information_schema to pull out table information

35:45 Going back to test our previous ffuf to find out i forgot the header flag

42:00 Using ffuf to fuzz parameters for the passwordreset php script and trying the

44:00 Enumerating our SQL Users permissions and then including files

49:20 RelayD configuration shows a new domain crossfit-club.htb, failing to sign up

57:40 Using grep to extract /api/ endoings from javascript files

1:03:00 Discover the signup endpoint, only administrators can create accounts.

1:06:20 Grabbing unbound secret keys which will let us create DNS Entries on the box

1:10:08 Creating a domain name with unbound and then editing the Host header in the pa

1:13:00 Explaining the DNS Rebind attack to get around the server examining our DNS Na

1:19:30 Start of XSS to have the user register an account for us

1:26:40 Hitting the start of our XSS to debug, explain bypassing CORS based upon not e

1:34:20 Changing our unbound request to use a domain name that bypasses CORS

1:37:15 Appending a slash to the host header to bypass a regex

1:39:05 The final XSS Payload to have an administrator create an account for us. Chec

1:47:20 Start of creating XSS to steal Direct Messages from chat application

1:51:00 Creating a second account, so we can examine how DM's work in the chat applic

1:54:50 Finishing off the XSS Script

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →