HackTheBox - Oouch

00:00 - Intro 01:24 - Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH 06:30 - Poking at the login for the flask application (Port 5000) 11:15 - Playing with the Change Password fied, made a mistake which puts me down a rabbit hole 17:40 - Checking the Contact page, seeing we get banned with a XSS Attempt but someone will click URL's if we send them 24:30 - Creating an account on Authorization.oouch.htb 27:40 - Enumerating the /token/ an endpoint through error messages 30:20 - Using the webapp to give our authorization account access to our consumer account 38:45 - Going through the same workflow to give authorization access to consumer account, but tricking a different user into going to the last piece of the workflow 42:10 - We are now the QTC User! Going into the Documents shows some hints like a develop credential 45:50 - Reading the Django Docs to see how the oauth endpoints are setup, finding the application register endpoint and the develop creds to again access 51:00 - Looking at the oauth authorization workflow again in order to build a authorization link for our new application! 56:30 - Thanks to our application's redirect url we stole QTC's token which will eventually let us develop endpoints 1:00:20 - Used the token to authenticate and get our Bearer token, then playing with API endpoints and noticing get_user and get_userjaskldfj both go to the same route. Helpful when brute forcing 1:04:25 - TIL, I don't know how to use FFU eventually i switch to wfuzz to bruteforce the endpoint 1:08:46 - Got shell on the box, discover note.txt and it hints at DBUS 1:13:30 - Creating a bash script to ping/port scan in order to enumerate other containers 1:20:30 - Digging through the code in order to discover UWSGI and how the webapp sends, attempting to send the dbus message but getting access denied. 1:28:30 - Searching for a UWSGI Code execution route so we can switch to www-data, finding a script 1:38:30 - Reverse shell as www-dat