HackTheBox - Intuition

00:00 - Introduction 01:07 - Start of nmap 04:00 - Discovering the application is flask based upon 404 page, showing Werkzeug source to show where the error comes from 08:30 - Noticing the cookie is odd but since input is escaped, it doesn't look that insecure 10:40 - Discovering XSS in the Report Submission form and stealing cookies and get a moderator cookie 17:20 - In the Moderator Panel, set to high priority, xss again to get administrator 22:00 - Playing with the Report URL on the Create Report Page 31:50 - Discovering Python URLLib 3.11 has a URL Parsing vulnerability CVE-2023-24329 34:11 - Getting /etc/passwd, then grabbing the source to the application and discovering FTP Creds, use SSRF to interact with FTP 40:20 - Shell returned, grabbing the SQLite Database and getting a password 48:50 - Downloading the source to runner1 off the FTP Server 54:20 - Using hashcat bruteforce to crack the AUTH_KEY since we know all but the last 4 characters 56:30 - Discovering Suricata is running, looking at logs to get the credential lopez uses to login to ftp 1:04:30 - Playing with Runner2, figuring out the JSON it wants 1:09:40 - Exploiting the command injection because its using system() when installing a role 1:13:20 - Getting code execution another way! Using an ansible vulnerability CVE-2023-5115 1:22:20 - A completely unintended exploit, using the Selenium Grid container 1:24:20 - Escaping the Firefox process/Kiosk by having PDF's open Bash 1:26:20 - We are root on the container, low privilege on the host - In this scenario we can privesc on the host by sharing the disk from the container.