HackTheBox - RedPanda

00:00 - Introduction 00:55 - Start of nmap 01:58 - Poking at the web page, examining the request, playing with server headers 02:25 - Discovering an error message, googling it and finding out it is tied to Sping Boot 03:45 - Start of FFuf, using a raw request so we can ffuf like we can sqlmap 04:45 - Going over the results of FFUF 05:40 - Matching all error codes with FFUF which is very important, going over the special characters 08:15 - The curly braces return 500 in FFUF, big indication it is going to be SSTI 09:20 - Using HackTricks to get a Spring Framework SSTI payload and getting command execution 13:05 - Using curl to download a shell script and then execute it because we are having troubles getting a reverse shell 15:30 - Going back to just show the Match Regex feature of FFUF to search for banned characters 17:00 - Searching the file system for files owned by logs, discovering redpanda.log. Using a recursive grep to find out what uses this 19:50 - Examining the Credit Score java application and seeing what it does with the RedPanda.log file 22:00 - Discovering the Credit Score application gets the Artist variable via ExifData in an image 24:10 - With the Artist, the Credit Score application opens an XML File and writes. This is like an Second Order XXE Injection 25:50 - Downloading an image, so we can change the exif metadata 27:30 - Using Exiftool to modify the artist 29:30 - Building the malicious XML File 33:20 - Putting a malcious entry in the log, waiting for the cron to hit and then checking if we got root key 35:15 - Showing why our user had the group of logs. On boot the service was started with sudo and assigned us that group