HackTheBox - Spider

Name: HackTheBox - Spider
Uploaded: 2021-10-23T15:00:49Z
Channel: IppSec
Description: 00:00 - Intro 01:10 - Start of nmap 02:40 - Adding spider.htb to our host file so we can access the domain name 03:30 - Playing with the registration of...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:10 - Start of nmap 02:40 - Adding spider.htb to our host file so we can access the domain name 03:30 - Playing with the registration of the website and examining the cookie 06:20 - Putting a bunch of bad characters for our username and discovering odd behaviors 10:05 - Dumping the configuration via SSTI, can't do a complex SSTI due to username limit 12:30 - We have the cookie secret, using Flask-Unsign to create malicious cookies and discover SQL Injection 16:25 - Sending our SQL Injection Payload to the server and confirming it is SQL Injectable 18:05 - Using the Eval Paramet…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

1:10 Start of nmap

2:40 Adding spider.htb to our host file so we can access the domain name

3:30 Playing with the registration of the website and examining the cookie

6:20 Putting a bunch of bad characters for our username and discovering odd behavio

10:05 Dumping the configuration via SSTI, can't do a complex SSTI due to username li

12:30 We have the cookie secret, using Flask-Unsign to create malicious cookies and

16:25 Sending our SQL Injection Payload to the server and confirming it is SQL Injec

18:05 Using the Eval Parameter of SQLMap to have SQLMap Sign the payloads it sends a

22:45 Getting Chiv's password from SQLMap then logging into the web application

24:30 Testing SSTI on the admin panel that we got to from Chiv and discovering a WAF

26:40 Using wfuzz to enumerate the bad characters which trigger the WAF

29:00 Playing with wfuzz encoders to URLEncode everything from our wordlist

33:50 Obfuscating our SSTI Payload so the bad characters are not present and getting

37:10 Reverse shell returned

41:10 Using SSH to setup a port forward which allows us to hit 127.0.0.1:8080 on the

43:00 Examining the authentication cookie and discovering a XML within the cookie

44:00 Testing for XML Entity Injection

45:50 Using Payload All The Things to help us craft an XML Entity Injection payload

48:30 Grabbing the SSH Private Key via XML Entity Injection and logging in as root

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →