HackTheBox - Oouch

Name: HackTheBox - Oouch
Uploaded: 2020-08-01T15:00:28Z
Channel: IppSec
Description: 00:00 - Intro 01:24 - Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH 06:30 - Poking at the login for the flask appli...

IppSec · Intermediate ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:24 - Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH 06:30 - Poking at the login for the flask application (Port 5000) 11:15 - Playing with the Change Password fied, made a mistake which puts me down a rabbit hole 17:40 - Checking the Contact page, seeing we get banned with a XSS Attempt but someone will click URL's if we send them 24:30 - Creating an account on Authorization.oouch.htb 27:40 - Enumerating the /token/ an endpoint through error messages 30:20 - Using the webapp to give our authorization account access to our consumer account 38…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

1:24 Start the box checking out nmap, seeing an FTP Server with a file hinting at O

6:30 Poking at the login for the flask application (Port 5000)

11:15 Playing with the Change Password fied, made a mistake which puts me down a rab

17:40 Checking the Contact page, seeing we get banned with a XSS Attempt but someone

24:30 Creating an account on Authorization.oouch.htb

27:40 Enumerating the /token/ an endpoint through error messages

30:20 Using the webapp to give our authorization account access to our consumer acco

38:45 Going through the same workflow to give authorization access to consumer accou

42:10 We are now the QTC User! Going into the Documents shows some hints like a deve

45:50 Reading the Django Docs to see how the oauth endpoints are setup, finding the

51:00 Looking at the oauth authorization workflow again in order to build a authoriz

56:30 Thanks to our application's redirect url we stole QTC's token which will event

1:00:20 Used the token to authenticate and get our Bearer token, then playing with API

1:04:25 TIL, I don't know how to use FFU eventually i switch to wfuzz to bruteforce th

1:08:46 Got shell on the box, discover note.txt and it hints at DBUS

1:13:30 Creating a bash script to ping/port scan in order to enumerate other container

1:20:30 Digging through the code in order to discover UWSGI and how the webapp sends,

1:28:30 Searching for a UWSGI Code execution route so we can switch to www-data, findi

1:38:30 Reverse shell as www-dat

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →