HackTheBox - Lantern

Name: HackTheBox - Lantern
Uploaded: 2024-11-30T15:01:00Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 06:40 - Discovering the Skipper Proxy header, discovering an SSRF CVE 08:40 - Using FFUF with this SSRF to scan loca...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·1y ago

00:00 - Intro 01:00 - Start of nmap 06:40 - Discovering the Skipper Proxy header, discovering an SSRF CVE 08:40 - Using FFUF with this SSRF to scan local ports, discover port 5000. Using BurpSuite to add the proxy as our header and discover an internal web service 13:40 - Discovering an SQLite Injection 17:10 - Dumping the SQLite Table Schema from our injection, then grabbing data to get the password 22:20 - Showing an alternate way to get the password, decompiling DLL to discover hardcoded credentials 28:00 - Looking at the Admin Dashboard, finding a File Disclosure vulnerability 32:00 - Mani…

Watch on YouTube ↗ (saves to browser)

Chapters (15)

Intro

1:00 Start of nmap

6:40 Discovering the Skipper Proxy header, discovering an SSRF CVE

8:40 Using FFUF with this SSRF to scan local ports, discover port 5000. Using BurpS

13:40 Discovering an SQLite Injection

17:10 Dumping the SQLite Table Schema from our injection, then grabbing data to get

22:20 Showing an alternate way to get the password, decompiling DLL to discover hard

28:00 Looking at the Admin Dashboard, finding a File Disclosure vulnerability

32:00 Manipulating a File Upload request, showing we can't just change the filename

38:40 Creating a malicious DLL, by copying the Logs.dll obtained from file disclosur

56:50 Reverse shell returned

1:03:25 We can run Procmon with sudo, there's a expect script running nano. Dumping th

1:15:10 Writing a python script to dump the SQL Database procmon creates so we can par

1:24:30 Something odd happened. Apparently, if you don't filter the write syscall then

1:33:30 Rewriting the python script in golang

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →