HackTheBox - Download

00:00 - Introduction 01:00 - Start of nmap 05:30 - Playing with the download file functionality, discovering the UUID is the file on disk and not column in database by prepending a slash 09:00 - Finding a File Disclosure vulnerability, extracting application source code, getting source code of the app 13:15 - Start of signing our own cookies, examining the sig cookie to discover it is 40 bytes which is likely sha1 16:00 - Playing with Cyber Chef to discover how the cookie is signed 18:50 - Creating a python application to create and sign cookies so we can become other users 24:30 - Becoming other users and looking at all uploaded files 32:50 - Explaining the ORM Injection, looking at Prisma Documentation to discover how we can perform boolean injection 37:00 - Showing the proof of concept payload, and then making the script loop to extract the entire password field 44:00 - POC Script done, but it is slow. Adding concurrency/threading with asyncio/await to our script to speed it up 48:50 - Modifying the script to dump multiple users, and finding WESLEY's password 56:00 - Explaining how the Boolean Injeciton script works 59:50 - Looking at the running processes, discovering root is running su and a new pty is not being created, which makes this vulnerable to the tty pushback attack 1:02:45 - Explaining the TTY Pushback attack 1:10:20 - Gettinng the PostGresql credentials from the systemd file which lets us write to the postgres home directory, which enables us to perform the TTY Pushback attack against root