HackTheBox - Download

00:00 - Introduction
01:00 - Start of nmap
05:30 - Playing with the download file functionality, discovering the UUID is the file name on disk and not a column in the database by prepending a slash
09:00 - Finding a File Disclosure vulnerability and using it to extract the application's source code
13:15 - Start of signing our own cookies: examining the sig cookie to discover it is 40 bytes, which is likely SHA-1
16:00 - Playing with CyberChef to discover how the cookie is signed
18:50 - Creating a Python application to create and sign cookies so we can become other users
24:30 - Becoming other users and looking at all uploaded files
32:50 - Explaining the ORM Injection, looking at the Prisma documentation to discover how we can perform boolean injection
37:00 - Showing the proof of concept payload, then making the script loop to extract the entire password field
44:00 - POC script done, but it is slow. Adding concurrency with asyncio/await to our script to speed it up
48:50 - Modifying the script to dump multiple users, and finding WESLEY's password
56:00 - Explaining how the Boolean Injection script works
59:50 - Looking at the running processes, discovering root is running su and a new pty is not being created, which makes this vulnerable to the TTY pushback attack
1:02:45 - Explaining the TTY Pushback attack
1:10:20 - Getting the PostgreSQL credentials from the systemd file, which lets us write to the postgres home directory and perform the TTY Pushback attack against root
