HackTheBox - Pollution

Name: HackTheBox - Pollution
Uploaded: 2023-07-01T15:00:34Z
Channel: IppSec
Description: 00:00 - Introduction 01:03 - Start of nmap 02:00 - Checking out the site, discovering an email (collect.htb) and setting up gobuster 06:00 - Discovering...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·2y ago

00:00 - Introduction 01:03 - Start of nmap 02:00 - Checking out the site, discovering an email (collect.htb) and setting up gobuster 06:00 - Discovering forum.collect.htb which is running MyBB, someone uploaded a Burp history file which contains API Information 09:30 - Manually examining the BurpSuite Backup File, and discovering it contains full HTTP Requests 12:12 - Sending a POST Request to /set/role/admin with the secret token 12:50 - The Admin Page has a separate registration forum, which sends an XML Request. Trying XXE and discovering Blind XXE 19:30 - Using my Blind XXE Script to make …

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

1:03 Start of nmap

2:00 Checking out the site, discovering an email (collect.htb) and setting up gobus

6:00 Discovering forum.collect.htb which is running MyBB, someone uploaded a Burp h

9:30 Manually examining the BurpSuite Backup File, and discovering it contains full

12:12 Sending a POST Request to /set/role/admin with the secret token

12:50 The Admin Page has a separate registration forum, which sends an XML Request.

19:30 Using my Blind XXE Script to make exfiltrating files quicker

23:20 Trying to extract the Apache Configuration, getting the developers.collect.htb

25:50 Logging into developers.collect.htb, cannot login, going back to the Blind XXE

28:50 Enumerating Redis, seeing PHP Sessions, and changing our cookie to say we are

36:50 Using the PHP Filter Chain to get code execution on this include() which leads

44:20 Looking at listening ports, seeing a few things on localhost. PHP FPM is liste

52:45 Grabbing the Pollution_API Source Code (listening on port 3000), then using Sn

55:30 Seeing where Lodash is used and talking about Prototype Pollution

59:30 Logging into the API

1:02:00 Our user is not an admin, logging into the MySQL Database and changing our rol

1:05:00 Testing our ability to send messages

1:06:09 Using Javscript Prototype pollution to set SHELL to a local file we created, w

1:07:00 Doing this exploit without the need to drop a file by setting SHELL to /proc/s

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →