HackTheBox - Secret

Name: HackTheBox - Secret
Uploaded: 2022-03-26T15:26:47Z
Channel: IppSec
Description: 00:00 - Into 01:04 - Start of nmap talking about seeing two ports having the same HTTP Banner 03:20 - Checking out the webpage to discover source code a...

IppSec · Beginner ·🧠 Large Language Models ·4y ago

00:00 - Into 01:04 - Start of nmap talking about seeing two ports having the same HTTP Banner 03:20 - Checking out the webpage to discover source code and some docs 04:00 - Always RTFM, Playing with the API to Register a user, login, and check out privilege level. 05:50 - Renaming our burp repeater tab by just double clicking on the number 07:30 - Trying to login with a name instead of email 10:10 - Testing our login token to find out it uses JWT's in a non-standard way 10:50 - Analyzing the source code to see the token is used in a header called "auth-token" 12:40 - Looking at git commit hist…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Into

1:04 Start of nmap talking about seeing two ports having the same HTTP Banner

3:20 Checking out the webpage to discover source code and some docs

4:00 Always RTFM, Playing with the API to Register a user, login, and check out pri

5:50 Renaming our burp repeater tab by just double clicking on the number

7:30 Trying to login with a name instead of email

10:10 Testing our login token to find out it uses JWT's in a non-standard way

10:50 Analyzing the source code to see the token is used in a header called "auth-to

12:40 Looking at git commit history to see there is a hard coded secret in an older

13:40 Changing our tokens user, going back to the source code and seeing "theadmin"

14:30 Talking about the importance of rotating secrets in a web application

16:30 Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE

17:50 Testing command injection and getting a reverse shell

22:00 Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a S

23:40 Checking NGINX Configuration to see if there is any difference between the two

25:20 Running LinPEAS, discovering a custom SetUID Binary called count

30:00 Running the custom count binary against /etc/shadow, discovering it can read f

31:57 Examining the source code, to discover it allows for dump files to be created

33:15 Failing to kill the linux process with the correct signal

34:50 Pulling up the man page to kill and listing all signals, then killing the proc

36:40 Using apport-unpack to extract the crash report into readable files

37:23 Examining the coredump to discover the file read is there! Then doing the sam

40:00 Showing how file descriptors (/proc/pid/f

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Secret

Chapters (23)

Playlist

Lesson complete!