HackTheBox - Guardian

Name: HackTheBox - Guardian
Uploaded: 2026-02-28T15:00:27Z
Channel: IppSec
Description: 00:00 - Introduction 00:52 - Start of nmap 03:00 - Discovering the portal.guardian.htb sub domain, there is a PDF here that shows the default password. ...

IppSec · Beginner ·🔐 Cybersecurity ·4w ago

00:00 - Introduction 00:52 - Start of nmap 03:00 - Discovering the portal.guardian.htb sub domain, there is a PDF here that shows the default password. Failing to enumerate valid accounts. 06:00 - Using FFUF to Bruteforce all accounts with the default password of GU1234 10:25 - Logging into the application, doing some quick notes of what functionality is exposed 14:25 - Identifying the Chat Functionality, attempting to see if there are broken access controls letting us read other users messages with ffuf 17:30 - Looking at the chats to admin, discovering a Gitea Password then finding the Gitea…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Introduction

0:52 Start of nmap

3:00 Discovering the portal.guardian.htb sub domain, there is a PDF here that shows

6:00 Using FFUF to Bruteforce all accounts with the default password of GU1234

10:25 Logging into the application, doing some quick notes of what functionality is

14:25 Identifying the Chat Functionality, attempting to see if there are broken acce

17:30 Looking at the chats to admin, discovering a Gitea Password then finding the G

22:00 Doing some light enumeration against Gitea showing the Public API will let us

24:45 Logging in as Jamil and then downloading the portal source code and running it

28:00 Looking into the PHP Spreadsheet XSS Vulnerability and creating a python scrip

35:20 Stole the teachers cookie, switching our cookie and finding an CSRF Vulnerabil

38:15 Creating a quick CSRF Payload to add users

48:40 Logged in as our newly created admin, exploiting the LFI Vulnerability with th

55:15 Got a shell on the box, dumping the database

58:30 Identifying the hash, failing to crack it, realize its salted, finding the sal

1:06:10 Logged in as Jamil, we can run a python script as Mark. We have write permissi

1:08:45 Mark can run SafeApache2CTL which is a custom wrapper, creating an apache modu

1:17:40 Playing around with the binary, opening it up in Ghidra to show what it does a

1:23:30 Showing that using the Apache Include directive with a SymLink we can leak the

1:25:10 Showing copying the existing apache config and modifying it to just serve file

1:34:30 Showing a minimal apache config that

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →