#htb
#hacking
HackTheBox - Encoding
00:00 - Introduction
00:57 - Start of nmap
02:45 - Checking out the API Documentation
04:00 - Interacting with the API Server
05:15 - Showing the file_url parameter and showing we can access local files
06:36 - Building a webserver in Flask to make some middleware to exploit this SSRF, allowing us to easily download files from the webserver
09:50 - Our middleware works! Can download files off the server.
11:15 - Downloading the apache2 configuration to find where all the webserver files are hosted
14:30 - Using gobuster against our middleware to discover any hidden web files, have to edit our middleware to return 404 if it didn't return a file
16:45 - Running gobuster against our code now that it gives 404... It's going slow, switching to a different wordlist and finding a .git repository
17:50 - Git-Dumper fails because our middleware isn't setting Content-Type correctly. Have to fix that
19:50 - Opening the source code from the .git repo up in Visual Studio Code, and Snyk shows us there is an LFI
21:00 - Getting "Unacceptable URL" when trying to exploit this. Removing http:// fixes that, showing parse_url in PHP fails to return the hostname when there is no wrapper
22:30 - Getting RCE on a include() statement without poisoning a file on the server with PHP Gadgets
26:58 - EDIT: Showing there is also a URL Parsing bug on handler.php and we can change the domain that script goes to by inserting an "@"
31:52 - With a shell on the box, discover we can use git with sudo. Inserting a POST-COMMIT hook
35:00 - Generating an ed25519 SSH key, because the public key is extremely small... It's also more secure than RSA
38:10 - Cannot make a git commit because we can't write to the directory. But since we can write to .git we can add files outside of the working directory and commit
45:15 - Shell as SVC, discovering we can write to systemd, creating a malicious service to get root https://www.youtube.com/watch?v=iyGvnmkx1es