HackTheBox - CyberMonday

00:00 - Introduction 00:55 - Start of nmap, playing with the webapp discovering it is Laravel PHP App 06:50 - Discovering /assets is a redirect to /assets/, indicator of the Nginx off by slash [MasterRecon] 11:50 - Using the Nginx off by slash to download .env and .git to get the source code to the app 14:00 - Start of code analysis 15:55 - Finding a Mass Assignment vulnerability in the update functionality 21:50 - Taking some time to explore if there are ways to find Mass Assignment without looking at the code or guessing 27:30 - Looking at the Webhooks-api-beta website, playing with the request and discovering we need to send it JSON 30:40 - Playing with the JWT, Discovering its a RS256 encoded, doing an Algorithm Confusion attack to sign the token with the RSA Public Key 41:50 - Playing with the Webhook and discovering a SSRF, which we can also do protocol smuggling since we can write to the HTTP Method 46:30 - Looking at the Redis Migrate functionality which confirms we can interact with Redis. Also stand up redis on our box with docker 52:28 - Inserting a poisoned laravel cookie into redis we created with phpggc, troubleshooting all the encoding issues we have. Browsing the page deserializes our cookie and gets RCE 1:17:50 - Reverse shell returned, examining the mysql database and redis keys 1:30:10 - Uploading a static nmap to scan the docker containers finding a docker registry, downloading the api container to get the source code 1:49:35 - Source code analysis on the webhook code, discovering a file disclosure and hardcoded API Key 2:02:50 - Dumping the environment variables, getting the DB Password which is also a user password, ssh as john 2:08:30 - John can run docker compose on a sanitized docker file, there are a few ways to bypass this check 2:12:10 - Showing we can pass in a raw device, which works without adding any special capabilities to the docker container but it is very very dangerous 2:30:30 - Showing we can also pass in a volume as RO and give