HackTheBox - DevOops

Name: HackTheBox - DevOops
Uploaded: 2018-10-13T14:58:16Z
Channel: IppSec
Description: 00:54 - Start of Recon 03:10 - Start of GoBuster 04:00 - Looking at /upload, testing with a normal XML File 06:15 - Valid XML File created, begin of loo...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·7y ago

00:54 - Start of Recon 03:10 - Start of GoBuster 04:00 - Looking at /upload, testing with a normal XML File 06:15 - Valid XML File created, begin of looking for XML Entity Injection XXE 08:20 - XXE Returns a a local file off the server 09:30 - Grabbing the source code to the webserver to find newpost function. 11:35 - Discovery of vulnerability due to user data being passed to pickle 12:44 - Creating the script to exploit pickle 16:38 - Reverse shell returns! 19:55 - Poking around at Source Code 20:15 - Discover of an SSH Key within deployment stuff. 21:15 - Trying SSH Key for other users on t…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

0:54 Start of Recon

3:10 Start of GoBuster

4:00 Looking at /upload, testing with a normal XML File

6:15 Valid XML File created, begin of looking for XML Entity Injection XXE

8:20 XXE Returns a a local file off the server

9:30 Grabbing the source code to the webserver to find newpost function.

11:35 Discovery of vulnerability due to user data being passed to pickle

12:44 Creating the script to exploit pickle

16:38 Reverse shell returns!

19:55 Poking around at Source Code

20:15 Discover of an SSH Key within deployment stuff.

21:15 Trying SSH Key for other users on the box to see if it is valid

22:57 Hunting for git filers, the boxes name is "Gitter" and we have an SSH Key that

23:00 Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in

23:45 Examining Git Log to see the SSH Key has changed!

25:20 SSH'ing with the old key, to see it's root's key.

25:58 The webserver could read Roosa's SSH Key. Could bypass the entire pickle port

26:20 Start of "Extra Practice"

27:40 Creating a Python Script to automate the LFI With XXE

35:50 Script completed, lets improve it to try to download an exposed git repo

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - DevOops

Chapters (20)

Playlist

Lesson complete!