HackTheBox - Forgot

00:00 - Introduction 01:03 - Start of nmap 02:00 - Talking about Varnish, then looking at the website 03:40 - Poking at the Forgot Password functionality and showing we can enumerate valid users 06:25 - Discovering a username in the HTML Source 07:10 - Start talking about Host Header Injection, showing the page will use the Host Header when building redirects 09:28 - Using host header injection in the password reset, in order to send the user a link that goes to our box 11:00 - Explaining host header injection password reset in depth 13:00 - Live Demo showing that Host Header Injection on Password Reset may not require user interaction, mail filters love clicking links. 14:10 - Sending an email to myself, then checked Burpsuite Collaborator and saw some bots clicked our link and sent us the token that was in the email! 16:43 - Showing what Robert can do in the web application and discovering some odd behavior on the /tickets/ page. Anything after the slash will return tickets and not 404! 21:10 - Identifying when Varnish decides to cache things by looking at the age header, and discovering whenever /static/ is in the URL it becomes cached and that the page doesn't check authorization before displaying cache 24:30 - Getting the administrator to click a link on /admin_tickets/static/Junk, which will cache /admin_tickets/ and allow anyone to view the admin_tickets page! 26:55 - Going in-depth with the Web Cache Deception attack and how Varnish works 27:50 - Showing the Varnish configuration 29:00 - Editing the Varnish configuration to add UserAgent as part of the caching logic to show it can have unique hashes per user. Then updating it to use Cookies instead 33:00 - Explaining the weird behavior with how the flask app does routing and allows the user to put /static/ in the URL and not have it go to the static directory 34:45 - Checking what Diego can run via sudo and discovering he can execute ml_security which appears to be some machine learning poc to look for XSS