HackTheBox - Derailed

00:00 - Intro
01:00 - Start of nmap
02:50 - Looking at the HTTP Headers, discovering Cross Origin and rails
03:50 - Testing the Clip Notes functionality for SSTI/XSS
06:30 - Using FFUF to fuzz all Clip Notes to see if there's an IDOR Vulnerability
10:30 - Looking at how the site is built, discovering WebAssembly
13:00 - Sending a long string for the username and discovering the data overflows into the Date field
15:50 - Using Pattern Create to find where our payload hits the date field
17:55 - Testing for XSS
21:20 - Seeing Cross Origin blocked us, adding the headers to get it loading JavaScript from our server
25:50 - Using XMLHttpRequest in our XSS to control the victim's browser and see what is on /administration
31:50 - Looking at the Administration page, discovering there is a File Disclosure
38:30 - Grabbing /etc/passwd and then getting some Ruby Source Code
48:00 - Discovering user input is passed to open() in Ruby; if we put a pipe as the first character it will execute instead of reading
49:45 - Getting a reverse shell
51:35 - Looking at the SQLite Database and cracking a password to switch to the openmediavault user
56:55 - Looking at the OpenMediaVault RPC Endpoints to see how we can interact with it
59:40 - Editing the OpenMediaVault Config to add an SSH Key for Root
1:09:20 - Another way for root, making a Debian package then using the OMV RPC to install it