HackTheBox - RedPanda

Name: HackTheBox - RedPanda
Uploaded: 2022-11-26T15:02:15Z
Channel: IppSec
Description: 00:00 - Introduction 00:55 - Start of nmap 01:58 - Poking at the web page, examining the request, playing with server headers 02:25 - Discovering an err...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Introduction 00:55 - Start of nmap 01:58 - Poking at the web page, examining the request, playing with server headers 02:25 - Discovering an error message, googling it and finding out it is tied to Sping Boot 03:45 - Start of FFuf, using a raw request so we can ffuf like we can sqlmap 04:45 - Going over the results of FFUF 05:40 - Matching all error codes with FFUF which is very important, going over the special characters 08:15 - The curly braces return 500 in FFUF, big indication it is going to be SSTI 09:20 - Using HackTricks to get a Spring Framework SSTI payload and getting comman…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

0:55 Start of nmap

1:58 Poking at the web page, examining the request, playing with server headers

2:25 Discovering an error message, googling it and finding out it is tied to Sping

3:45 Start of FFuf, using a raw request so we can ffuf like we can sqlmap

4:45 Going over the results of FFUF

5:40 Matching all error codes with FFUF which is very important, going over the spe

8:15 The curly braces return 500 in FFUF, big indication it is going to be SSTI

9:20 Using HackTricks to get a Spring Framework SSTI payload and getting command ex

13:05 Using curl to download a shell script and then execute it because we are havin

15:30 Going back to just show the Match Regex feature of FFUF to search for banned c

17:00 Searching the file system for files owned by logs, discovering redpanda.log.

19:50 Examining the Credit Score java application and seeing what it does with the R

22:00 Discovering the Credit Score application gets the Artist variable via ExifData

24:10 With the Artist, the Credit Score application opens an XML File and writes. Th

25:50 Downloading an image, so we can change the exif metadata

27:30 Using Exiftool to modify the artist

29:30 Building the malicious XML File

33:20 Putting a malcious entry in the log, waiting for the cron to hit and then chec

35:15 Showing why our user had the group of logs. On boot the service was started wi

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →