HackTheBox - Mailroom

00:00 - Introduction 01:00 - Start of nmap, discovering two different OS's 02:30 - Running Gobuster to bruteforce VHOST 03:30 - Discovering XSS but nothing we can really do with it 04:00 - Enumerating Gitea, discovering a repo with some source code 05:40 - Opening the code with VS Code and Snyk. Discovering a RCE Vulnerability but requires login 07:30 - Discovering an EAR (Execute After Read) Vulnerability on Authentication 09:10 - Start of building our Javascript payload to exploit NoSQL Injection, download the internal page 12:40 - Explaining the NoSQL Injection, then testing with a login bypass 16:30 - Discovering what happens on invalid logins 20:40 - Getting the length of the password 25:30 - Bruteforcing the password with boolean logic 30:00 - Logging in via ssh with the credentials we got from the nosql injection, looking at the local linux mail to get 2FA Link 33:20 - Logged into the dashboard, can hit the RCE Endpoint now to get a shell as www-data which gets us matthews creds 40:20 - Discovering a keepass file, running PS enough we can see KPCLI Runs 41:30 - Running STRACE against KPCLI to intercept syscalls 42:40 - Specifying we only want to see READS, and can intercept keys sent to KeePass and get the password 46:10 - Going into the Mongo docker container and running mongodump to dump all the users