HackTheBox - Trickster

Name: HackTheBox - Trickster
Uploaded: 2025-02-01T15:34:51Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 03:00 - Showing the Shop Subdomain via ffuf 04:45 - Performing a gobuster attack, need to update the user age...

IppSec · Beginner ·🔐 Cybersecurity ·1y ago

00:00 - Introduction 01:00 - Start of nmap 03:00 - Showing the Shop Subdomain via ffuf 04:45 - Performing a gobuster attack, need to update the user agent because everything returns 403 at first (WAF) 07:30 - Discover .git, then running git-dumper to download the .git directory and discover the unique admin directory 09:47 - Discovering Prestashop 8.1.5 which is vulnerable to CVE-2024-34716, downloading and running the XSS/CSRF Exploit 16:00 - Finding the Prestashop configuration file, dumping password hashes, use information_schema table to identify tables that contain the column password 22:…

Watch on YouTube ↗ (saves to browser)

Chapters (12)

Introduction

1:00 Start of nmap

3:00 Showing the Shop Subdomain via ffuf

4:45 Performing a gobuster attack, need to update the user agent because everything

7:30 Discover .git, then running git-dumper to download the .git directory and disc

9:47 Discovering Prestashop 8.1.5 which is vulnerable to CVE-2024-34716, downloadin

16:00 Finding the Prestashop configuration file, dumping password hashes, use inform

22:30 Cracked James password, ssh into the box, forward a port and discover a new we

28:10 Building a SSTI Payload for CVE-2024-32651 in ChangeDetection to get a shell o

36:36 Discovering the Datastore directory in the docker container, it has backup fil

39:50 Discovering Adam's password, who can sudo with PrusaSlicer, finding a RCE in i

46:25 Changing the filename of PrusaSlicer, then getting a root shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →