HackTheBox - Fingerprint

Name: HackTheBox - Fingerprint
Uploaded: 2022-05-14T15:00:13Z
Channel: IppSec
Description: 00:00 - Intro 00:54 - Start of nmap, checking websites seeing old copyrights 04:10 - Discovering the HTTP Redirect on /login is pretty big, so its likel...

IppSec · Intermediate ·🔐 Cybersecurity ·3y ago

00:00 - Intro 00:54 - Start of nmap, checking websites seeing old copyrights 04:10 - Discovering the HTTP Redirect on /login is pretty big, so its likely an EAR Vulnerability 08:15 - Discovering a LFI that enables us to read source code, chaining it with the proc directory and using wfuzz to discover additional python files 10:50 - While our wfuzz runs testing against a login endpoint to discover an XSS in another webapp 14:30 - Going over the Python Source code 18:35 - Discovering Hibernate Query Injection (HQL) on the login page on port 8080 20:30 - Going over HQL (Hibernate) Injection Using…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

0:54 Start of nmap, checking websites seeing old copyrights

4:10 Discovering the HTTP Redirect on /login is pretty big, so its likely an EAR Vu

8:15 Discovering a LFI that enables us to read source code, chaining it with the pr

10:50 While our wfuzz runs testing against a login endpoint to discover an XSS in an

14:30 Going over the Python Source code

18:35 Discovering Hibernate Query Injection (HQL) on the login page on port 8080

20:30 Going over HQL (Hibernate) Injection Using boolean injection to login but need

24:00 Using our XSS to execute the fingerprint function and sending it to our server

27:50 Logging into the application with our custom fingerprint and boolean injection

34:00 Examining the Backups Directory and finding Java Sourcecode to the app on port

42:00 Going over the javacode we have to discover we can probably craft a deserializ

51:20 Opening up Eclipse and building our java project which we'll use to create a d

1:12:40 We can now compile our java project, lets creating the first serialized object

1:16:20 Creating the second part of the Java Payload which puts the malicious code int

1:24:40 Our exploit didn't work right awy, going over it again and finding some mistak

1:31:48 Got our reverse shell, discovering a binary cmatch which lets is exfil files o

1:36:40 Creating a python script to use cmatch to bruteforce the file one byte at a ti

1:49:30 Downloading the Java App that runs on port 8080 to see the database credential

1:58:50 Discovering a flask backup that is a new version of the Webapp on port 80 that

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →