HackTheBox - Horizontall

00:00 - Intro 00:57 - Start of nmap, examining the page discovering its all static with no user input 05:20 - Examining the source code of the website 06:20 - Running the javascript through a beutifier so we can easily read this, and finding another web endpoint 08:57 - Going to api-prod.horizontall.htb, running gobuster and examining the endpoints 12:00 - Navigating to /admin brings us to a STRAPI login, searching for exploits and finding an RCE 13:50 - Lightly reading the exploit script, we will go more in depth at the end of this video 15:15 - Getting a reverse shell 17:30 - Reverse shell returned, looking for how the webapp talks to the database 18:50 - Explaining why this nginx server uses proxy_pass and has a node app listening on port 1337 21:20 - Dropping an SSH Key and using SSH to access this box, no privilege escalation yet just wanted a better shell 25:20 - Having a lot of trouble with getting data out of the MySQL Database, not exactly sure what went wrong here. 32:20 - Going over the LinPEAS Output and discovering port 8000 running laravel 33:50 - Going over why we cant see processes from other users 35:30 - Using SSH to tunnel port 8000 to our box, allowing us to access laravel, finding out laravel is in debug mode 37:52 - Finding an exploit and executing code as laravel. 41:08 - First script didn't work, looking to see if there are others. This one didn't require absolute paths, which allows it to work! Getting root 42:30 - Looks like there's some bad characters with our reverse shell, switching to a web cradle and getting root 46:00 - Explaining why this box isn't the box I wanted to show off FeroxBuster (Recursive Searching on API wouldn't work) 48:40 - Looking at the STRAPI Exploit and showing how the patch worked 56:50 - Comparing PHP Exploits