HackTheBox - Perspective

Name: HackTheBox - Perspective
Uploaded: 2022-10-15T15:00:38Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:25 - Looking at the website, looks like there's different behavior for extensions 05:10 - Registering and logging...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap 02:25 - Looking at the website, looks like there's different behavior for extensions 05:10 - Registering and logging into an account 06:30 - An unintended way to login, IDOR within the Forgot Password logic, can change usernames 09:15 - Uploading a new product, test XSS, File Upload 12:00 - Using FFUF with a raw http request to test for potential extensions 18:10 - Using SHTML to test for Server Side Inclusion SSI and leaking web.config 21:15 - Going over the web.config, pulling out sensitive things 26:30 - Decrypting the .aspx Forms Ticket and forging a new…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:00 Start of nmap

2:25 Looking at the website, looks like there's different behavior for extensions

5:10 Registering and logging into an account

6:30 An unintended way to login, IDOR within the Forgot Password logic, can change

9:15 Uploading a new product, test XSS, File Upload

12:00 Using FFUF with a raw http request to test for potential extensions

18:10 Using SHTML to test for Server Side Inclusion SSI and leaking web.config

21:15 Going over the web.config, pulling out sensitive things

26:30 Decrypting the .aspx Forms Ticket and forging a new one that states we are adm

36:50 The Admin page allows us to generate PDF's, testing for XSS

38:20 Attempting to redirect the save to pdf function with a meta tag

42:50 Redirecting to localhost:8000 and discovering the swagger api for encrypt/decr

46:00 Creating a webform to autosubmit data and allow us to decrypt a string.

51:00 Creating a YSOSERIAL Gadget with our ViewState and ViewStateUserKey protecting

1:02:00 Reverse shell returned

1:04:00 Discovering port 8009 is open, setting up a tunnel via SSH and discovering its

1:07:54 The ViewState is protected by AutoGenerate for the key, we cannot do deseriali

1:09:20 Checking out the Password Reset feature and we can edit the token to reveal a

1:12:15 Showing the command injection if we can forge tokens

1:14:05 Using padbuster to create a token that will allow us to perform command inject

1:24:00 ALTERNATE PRIVESC: Using JuicyPotatoNG, attempting to run it says privileged p

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →