HackTheBox - Previse

00:00 - Intro 01:00 - Start of nmap 02:00 - Running GoBuster, discovering the redirects have filesizes 03:00 - Showing the Execute After Read vulnerability (EAR) by using BurpSuite to hit / and discovering the page 04:00 - Using grep to show us only what we want (oP) 06:30 - Using BurpSuite to intercept the response to the request so we can disable the redirect (EAR). Then using the webform to create an account (IDOR) 08:00 - Examining the website source, using grep to look for places with user input 11:30 - Testing the logs.php page for shell injection, then getting a reverse shell 13:30 - Going into the webconfig to get database creds, then dump and crack creds 19:50 - Testing local users with the passwords from the database to get m4lwhere's creds 20:25 - Checking sudo to see something is weird, the env_reset/secure_path is not there. (this is configured in /etc/sudoers) 22:10 - Explaining Path Injection, then taking advantage of a script in sudo not using absolute paths 25:30 - Going back to explain things, weird behavior of the webserver always hanging. Maybe it was trying to send me a webshell? idk 28:00 - Fuzzing parameters of accounts.php to create accounts. But first discovering how important the Content-Type header is! 30:50 - Using WFUZZ to fuzz the confirmation parameter 35:20 - Explaining how the EAR Vulnerability happened in the code and how to fix it