HackTheBox - Perspective

00:00 - Intro 01:00 - Start of nmap 02:25 - Looking at the website, looks like there's different behavior for extensions 05:10 - Registering and logging into an account 06:30 - An unintended way to login, IDOR within the Forgot Password logic, can change usernames 09:15 - Uploading a new product, test XSS, File Upload 12:00 - Using FFUF with a raw http request to test for potential extensions 18:10 - Using SHTML to test for Server Side Inclusion SSI and leaking web.config 21:15 - Going over the web.config, pulling out sensitive things 26:30 - Decrypting the .aspx Forms Ticket and forging a new one that states we are admin 36:50 - The Admin page allows us to generate PDF's, testing for XSS 38:20 - Attempting to redirect the save to pdf function with a meta tag 42:50 - Redirecting to localhost:8000 and discovering the swagger api for encrypt/decrypt 46:00 - Creating a webform to autosubmit data and allow us to decrypt a string. 51:00 - Creating a YSOSERIAL Gadget with our ViewState and ViewStateUserKey protecting it 1:02:00 - Reverse shell returned 1:04:00 - Discovering port 8009 is open, setting up a tunnel via SSH and discovering its a different version of the website 1:07:54 - The ViewState is protected by AutoGenerate for the key, we cannot do deserialization here 1:09:20 - Checking out the Password Reset feature and we can edit the token to reveal a Padding Oracle error message 1:12:15 - Showing the command injection if we can forge tokens 1:14:05 - Using padbuster to create a token that will allow us to perform command injection 1:24:00 - ALTERNATE PRIVESC: Using JuicyPotatoNG, attempting to run it says privileged process failed to communicate with COM Server. Need to run with -s to find a suitable port