HackTheBox - Derailed

00:00 - Intro 01:00 - Start of nmap 02:50 - Looking at the HTTP Headers, discovering Cross Origin and rails 03:50 - Testing the Clip Notes functionality for SSTI/XSS 06:30 - Using FFUF to fuzz all Clip Notes to see if there's an IDOR Vulnerability 10:30 - Looking at how the site is build, discovering Web Assembly 13:00 - Sending a long string for the username and discovering the data overflows and goes into the Date field 15:50 - Using Pattern Create to find where our payload hits the date field 17:55 - Testing for XSS 21:20 - Seeing Cross Origin blocked us, adding the headers to get it loading javascript from our server 25:50 - Using XMLHttpRequest in our XSS to control the victim's browser and see what is on /administration 31:50 - Looking at the Administration page, discovering there is a File Disclosure 38:30 - Grabbing /etc/passwd and then getting some Ruby Source Code 48:00 - Discovering userinput is passed to open() in ruby, if we put a pipe as the first character it will execute instead of reading 49:45 - Getting a reverse shell 51:35 - Looking at the SQLite Database and cracking a password to switch to the openmediavault user 56:55 - Looking at the OpenMediaVault RPC Endpoints to see how we can interact with it 59:40 - Editing the OpenMediaVault Config to add a SSH Key for Root 1:09:20 - Another way for root, making a debian package then using the OMV RPC to install it