HackTheBox - MagicGardens

00:00 - Introduction 01:00 - Start of nmap 04:20 - Discovering the website is built with Django via Wappalyzer or the 404 page 07:40 - Looking at the Subscription Page, discovering we can change the hostname of the payment processor which is like a SSRF Vulnerability 11:30 - Making a request to the Payment Processor to see how it responds, building a flask app to mimic the behavior changing the denied message to approved 19:00 - Had some trouble on our first account, creating a second account to upgrade our subscription 21:30 - Manipulating the QR Code to add an XSS Payload to steal the cookie 32:10 - Getting Morty's password from the Django Admin panel and cracking it, then SSH into the box 35:50 - Looking at the Harvest Binary, opening it up in Ghidra, and dumping dangerous functions with a python script 40:10 - Cleaning up some functions in Ghidra 52:00 - Playing with the Buffer Overflow, doesn't seem to work with NC switching to python 1:02:30 - Writing an ssh key from the buffer overflow 1:06:40 - SSH as alex, looking at mail, cracking a zip and htpasswd file 1:12:10 - Using Docker Registry Grabber to download the docker file 1:16:30 - Looking at the Django source code, finding out it uses pickle serializer. Creating a malicious cookie 1:29:30 - Getting a shell by creating a malicious Django (version 4) cookie 1:34:00 - Abusing cap_sys_module in the docker container to load a kernel module as root and get a shell