HackTheBox - Vessel

Name: HackTheBox - Vessel
Uploaded: 2023-03-25T20:35:57Z
Channel: IppSec
Description: 00:00 - Introduction talking about how this box is about finding CVE's and building an exploit based upon exploit 00:50 - Start of nmap 03:00 - Running ...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Introduction talking about how this box is about finding CVE's and building an exploit based upon exploit 00:50 - Start of nmap 03:00 - Running gobuster and showing the importance of using multiple wordlists. 05:00 - Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404 06:10 - Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD 08:25 - Running Git-Dumper to extract the source then looking at the code 09:00 - Showing the vulnerable code and how secure the code appears at first glance w…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction talking about how this box is about finding CVE's and building an

0:50 Start of nmap

3:00 Running gobuster and showing the importance of using multiple wordlists.

5:00 Attempting to register an account, which shows the endpoint /api/register but

6:10 Showing that raft-small-words wordlist won't discover .git but commons.txt wil

8:25 Running Git-Dumper to extract the source then looking at the code

9:00 Showing the vulnerable code and how secure the code appears at first glance wi

10:00 Googling MySQLJS Sql Injection and showing how you would have found this explo

11:30 Showing how you could have found it blindly, passing an object into the SQL Qu

19:00 Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and write

22:30 Showing the piece missing from the writeup that tells us how we can retrieve t

24:40 Going over the code, and figuring out how the filename is generated.

28:30 FIXED PART, sorry cut out a piece on how I traced the function back to how it

31:29 Resetting the admin account from the exposed cache file

35:39 Exploiting the Mass Assignment Vulnerability to write to a configuration file,

46:09 Reverse shell returned

48:39 Downloading a custom password generator that appears to be a compiled python e

51:24 Running Pyinsxtractor to extract the pyc files out of the exe and then using D

56:19 Starting the docker and copying our password generator into it

57:29 Showing the vulnerable password generation function, it is just using millisec

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →