HackTheBox - Unicode

Name: HackTheBox - Unicode
Uploaded: 2022-05-07T15:00:02Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:20 - Registering and logging in and examining what a regular user can do 03:30 - Playing with the file upload ca...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap 02:20 - Registering and logging in and examining what a regular user can do 03:30 - Playing with the file upload capability 04:20 - Discovering there is a JWT in our HTTP Request, examining it to see it is RS256 and has a claim 07:55 - Explaining how we are going to exploit the Claim Misuse vulnerability in this JWT 09:45 - Creating a JWT Header that will have a modified URL for the claim, website says its an invalid key but doesn't reach out to us 12:20 - Using the redirect functionality on the web page to allow us to place the websites domain in our JKU C…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:00 Start of nmap

2:20 Registering and logging in and examining what a regular user can do

3:30 Playing with the file upload capability

4:20 Discovering there is a JWT in our HTTP Request, examining it to see it is RS25

7:55 Explaining how we are going to exploit the Claim Misuse vulnerability in this

9:45 Creating a JWT Header that will have a modified URL for the claim, website say

12:20 Using the redirect functionality on the web page to allow us to place the webs

15:10 Modifying the JWK File to place our own RSA Key and generating one with ssh-ke

18:00 Showing us pulling N and E out of the RSA Key

21:30 Converting the SSH Public key into a Certificate

24:24 Updating the JWT to change our name to admin and finding a LFI Vulnerability

27:27 Attempting to use WFUZZ to bypass the filter

33:40 Giving up fuzzing wtih wfuzz

35:10 Explaining why I'm going to try testing for unicode normalization and what it

37:10 Exploring /proc/self/ and hunting for the location of the webapp

39:02 Finding the python application by using the /proc/self/cwd directory, then gra

42:20 Discovering a TREPORT Binary, which is a compiled python file

43:45 Discovering the TREPORT Binary uses curl, which is weird

45:20 Discovering the TREPORT Binary will allow us to use the file wrapper if we byp

46:50 Bypassing the space filter in the TREPORT Binary using brace expansion in bash

49:00 Downloading a SSH Key and allowing us to login as root

50:00 Examining the Web Application to show the Unicode Normalization Vulnerability

56:30 Looking at the user table, to discover admin doesn't exist

57:58 Finding out the login form was supposed to display errors but didn't because o

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →