HackTheBox - Vessel

00:00 - Introduction talking about how this box is about finding CVE's and building an exploit based upon exploit 00:50 - Start of nmap 03:00 - Running gobuster and showing the importance of using multiple wordlists. 05:00 - Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404 06:10 - Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD 08:25 - Running Git-Dumper to extract the source then looking at the code 09:00 - Showing the vulnerable code and how secure the code appears at first glance without knowing specifics about the library 10:00 - Googling MySQLJS Sql Injection and showing how you would have found this exploit 11:30 - Showing how you could have found it blindly, passing an object into the SQL Query and doing SQL Injection on NodeJS with MySQL 19:00 - Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and writeup for the vulnerability 22:30 - Showing the piece missing from the writeup that tells us how we can retrieve the cache file that can be used to reset a password 24:40 - Going over the code, and figuring out how the filename is generated. 28:30 - FIXED PART, sorry cut out a piece on how I traced the function back to how it generates the filname 31:29 - Resetting the admin account from the exposed cache file 35:39 - Exploiting the Mass Assignment Vulnerability to write to a configuration file, to increase log verbosity, file name of log, and then poisoning the log 46:09 - Reverse shell returned 48:39 - Downloading a custom password generator that appears to be a compiled python executable. 51:24 - Running Pyinsxtractor to extract the pyc files out of the exe and then using Docker to match the python version which will allow uncompyle to convert pyc to py files 56:19 - Starting the docker and copying our password generator into it 57:29 - Showing the vulnerable password generation function, it is just using millisecond as a seed 57:4