HackTheBox - Extension

Name: HackTheBox - Extension
Uploaded: 2023-03-18T15:00:38Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap, then discovering a laravel app 05:00 - Laravel app uses Ziggy which exposes a list of all the routes 07:50 - Findin...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap, then discovering a laravel app 05:00 - Laravel app uses Ziggy which exposes a list of all the routes 07:50 - Finding the /management/dump endpoint but we keep getting page expired (missing some headers) 12:50 - Using ffuf to brute-force the management/dump endpoint 15:55 - Dumping a list of users and then cracking them 21:30 - Enumerating virtualhosts, then looking at the roundcube version 27:50 - Discovering the first 32 characters of the password reset token does not change 32:40 - Attempting to bruteforce the password reset token for Charlie's password b…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:00 Start of nmap, then discovering a laravel app

5:00 Laravel app uses Ziggy which exposes a list of all the routes

7:50 Finding the /management/dump endpoint but we keep getting page expired (missin

12:50 Using ffuf to brute-force the management/dump endpoint

15:55 Dumping a list of users and then cracking them

21:30 Enumerating virtualhosts, then looking at the roundcube version

27:50 Discovering the first 32 characters of the password reset token does not chang

32:40 Attempting to bruteforce the password reset token for Charlie's password but d

33:50 Spamming the password reset link to generate multiple tokens, which will allow

35:14 Edit, explaining the multiple password reset vulnerability more in depth

37:18 End of edit, resetting charlie's password

41:00 Logging into Gitea as Jean and discovering a browser extension. Installing it

45:20 Explaining the XSS Filter check on the extension

58:30 Initial payload to prove we can execute javascript

1:13:45 We have a base64 cradle to bypass the filter, creating a payload to interact w

1:24:04 Getting information from the backups repo, then downloading the contents

1:29:00 Extracting the tar from the git repo and getting an ssh key, finding passwords

1:33:20 Looking at the Laravel Source Code and discovering there is a command injectio

1:38:00 Looking at the email validation request, to show we need to create a valid che

1:42:30 Explaining how the secret is generated from the source code, because the secre

1:44:20 Using Hash_Extender to generate a bunch of payloads in order to find the lengt

1:49:00 Start of using python to submit the validation check

2:01:50 Finding out the issue I'm running into, s

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →