HackTheBox - Forge

Name: HackTheBox - Forge
Uploaded: 2022-01-22T15:21:07Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Running nmap finding a filtered port with some open ones 03:30 - Running GoBuster to always have something running in the backgrou...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:00 - Running nmap finding a filtered port with some open ones 03:30 - Running GoBuster to always have something running in the background 05:00 - Playing with the Upload Form 07:20 - Playing with the Upload from URL to see what library connects back to us (SSRF) 09:30 - The Upload From URL has a blacklisted address, playing with it to discover what is blacklisted 10:55 - Bypassing the URL Blacklist in the SSRF by changing the case of words 11:45 - Running a virtualhost bruteforce within gobuster to discover vhost 13:10 - Bypassing the URL Blacklist in the SSRF by creating a we…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:00 Running nmap finding a filtered port with some open ones

3:30 Running GoBuster to always have something running in the background

5:00 Playing with the Upload Form

7:20 Playing with the Upload from URL to see what library connects back to us (SSRF

9:30 The Upload From URL has a blacklisted address, playing with it to discover wha

10:55 Bypassing the URL Blacklist in the SSRF by changing the case of words

11:45 Running a virtualhost bruteforce within gobuster to discover vhost

13:10 Bypassing the URL Blacklist in the SSRF by creating a webserver that will send

16:50 Using the SSRF to download admin.forge.htb and discovering ftp creds and anoth

18:20 Using the SSRF to use FTP

19:20 Encoding the IP Address as hex to bypass a blacklist

22:10 When specifying a directory in the FTP with SSRF need a trailing slash explain

23:10 Downloading id_rsa and then logging into the machine

24:10 The user can sudo run a python script, which stands up a debugger on a random

26:13 Doing a nested tmux so we can run the python script and then use netcat to con

28:50 Getting root

30:55 Explaining how to harden the blacklist to prevent the easy bypassing

34:30 Looking at how admin.forge.htb added FTP Support

36:50 Thinking there's an RCE but there isn't, shlex is a good filter

44:30 Getting frusterated, lets break this down and see whats stopping our RCE

45:40 Playing with Shlex to discover it is what prevents the RCE

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →