HackTheBox - Busqueda

00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root

Support the originator by clicking the read the rest link below.