HackTheBox - Sorcery
Skills: Network Security
00:00 - Introduction
00:40 - Start of nmap
05:00 - Logging into the website, discovering some type of injection. Sending it to Claude in the background, while we look at it.
09:40 - Playing with a Neo4j/Cypher injection, found the query in the source code
20:30 - When we register as a seller, we can create products; there is XSS here
27:20 - Using CSRF to have the user send us the page they are on, which is how we know the username
33:40 - Using Chrome to enroll in passkey (WebAuthn) login via a virtual passkey, looking at the HTTP Requests in BurpSuite
39:50 - Modifying our CSRF Script to start the enrollment of a PassKey and then send the challenge to our box, which lets us forge a response
46:25 - Start of creating our Flask App that uses the Soft-WebAuthN library to act as a virtual passkey, this lets us complete the challenge/response of passkeys
1:23:02 - Finally got the passkey registered via JS, now we need to actually authenticate via the passkey so we can grab the cookie
1:39:00 - Showing the unintended that lets us skip the XSS and PassKey step. Using a Cypher query to update the admin password, then logging in as them
1:48:00 - Admin has the ability to send TCP Packets and specify data, showing this by making a request to a webserver
1:53:50 - Looking at the Rust Code, seeing it executes anything sent to the update topic of Kafka. Using Claude to build us the TCP Packet we can send to kafka and trigger RCE
2:02:30 - Uploading Chisel so we can easily pivot around, then downloading a certificate off the FTP Server
2:09:40 - Using pem2john to try and crack the RSA certificate, finding out I needed to update pem2john to get it to work
2:22:30 - Using OpenSSL to sign a key with the CA
2:24:30 - Using MITMDump to forward all requests to gitea, and dump the traffic so we can phish the user, then update the DNS Container to include our hostname and swaks to email the user
2:33:00 - Got tom_summers credentials which gets us SSH access, finding an xvfb dump, conv