HackTheBox - TwoMillion

Name: HackTheBox - TwoMillion
Uploaded: 2023-06-07T12:21:14Z
Channel: IppSec
Description: 00:00 - Intro 00:18 - Start of nmap, scanning all ports with min-rate 02:35 - Browsing to the web page and taking a trip down memory lane with the HackT...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Intro 00:18 - Start of nmap, scanning all ports with min-rate 02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page 04:00 - Attempting to enumerate usernames 05:10 - Solving the HackTheBox Invite Code Challenge 05:50 - Sending the code to JS-Beautify 06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code 10:40 - Creating an account and logging into the platform then identifying what we can do 16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any da…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

0:18 Start of nmap, scanning all ports with min-rate

2:35 Browsing to the web page and taking a trip down memory lane with the HackTheBo

4:00 Attempting to enumerate usernames

5:10 Solving the HackTheBox Invite Code Challenge

5:50 Sending the code to JS-Beautify

6:45 Sending a curl request to /api/v1/invite/how/to/generate to see how to generat

10:40 Creating an account and logging into the platform then identifying what we can

16:50 Discovering hitting /api/v1/ provides a list of API Routes, going over them an

17:50 Attempting a mass assignment vulnerability upon logging in now that we know th

22:30 Playing with the /api/v1/admin/settings/update route and discovering we can hi

24:30 Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a c

26:15 Got a shell on the box, finding a password in an environment variable and atte

30:00 Re-using the database password to login as admin, discovering mail that hints

32:00 Searching for the OverlayFS Kernel Exploit

35:00 Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the

37:27 Running the exploit and getting Root, finding an extra challenge thank_you.jso

42:20 Looking deeper at the invite code challenge to see if it was vulnerable to Typ

43:30 Testing for command injection with a poisoned username

47:20 Didn't work, looking at the source code and discovering it had sanitized usern

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →