HackTheBox - Fingerprint

00:00 - Intro 00:54 - Start of nmap, checking websites seeing old copyrights 04:10 - Discovering the HTTP Redirect on /login is pretty big, so its likely an EAR Vulnerability 08:15 - Discovering a LFI that enables us to read source code, chaining it with the proc directory and using wfuzz to discover additional python files 10:50 - While our wfuzz runs testing against a login endpoint to discover an XSS in another webapp 14:30 - Going over the Python Source code 18:35 - Discovering Hibernate Query Injection (HQL) on the login page on port 8080 20:30 - Going over HQL (Hibernate) Injection Using boolean injection to login but need the browser fingerprint of the user 24:00 - Using our XSS to execute the fingerprint function and sending it to our server 27:50 - Logging into the application with our custom fingerprint and boolean injection, getting a JWT with a Serialized Base64 Encoded Java Object 34:00 - Examining the Backups Directory and finding Java Sourcecode to the app on port 8080 42:00 - Going over the javacode we have to discover we can probably craft a deserialization payload to gain code execution 51:20 - Opening up Eclipse and building our java project which we'll use to create a deserialization gadget 1:12:40 - We can now compile our java project, lets creating the first serialized object which tells the server we are an admin 1:16:20 - Creating the second part of the Java Payload which puts the malicious code into our username 1:24:40 - Our exploit didn't work right awy, going over it again and finding some mistakes 1:31:48 - Got our reverse shell, discovering a binary cmatch which lets is exfil files one byte at a time 1:36:40 - Creating a python script to use cmatch to bruteforce the file one byte at a time 1:49:30 - Downloading the Java App that runs on port 8080 to see the database credentials, which can decrypt the SSH Key retrieved from cmatch 1:58:50 - Discovering a flask backup that is a new version of the Webapp on port 80 that has improved authen