HackTheBox - Extension

00:00 - Intro
01:00 - Start of nmap, then discovering a laravel app
05:00 - Laravel app uses Ziggy which exposes a list of all the routes
07:50 - Finding the /management/dump endpoint but we keep getting page expired (missing some headers)
12:50 - Using ffuf to brute-force the management/dump endpoint
15:55 - Dumping a list of users and then cracking them
21:30 - Enumerating virtualhosts, then looking at the roundcube version
27:50 - Discovering the first 32 characters of the password reset token does not change
32:40 - Attempting to bruteforce the password reset token for Charlie's password but discovering there's rate limiting in play
33:50 - Spamming the password reset link to generate multiple tokens, which will allow us to guess a token
35:14 - Edit, explaining the multiple password reset vulnerability more in depth
37:18 - End of edit, resetting charlie's password
41:00 - Logging into Gitea as Jean and discovering a browser extension. Installing it to see what it does
45:20 - Explaining the XSS Filter check on the extension
58:30 - Initial payload to prove we can execute javascript
1:13:45 - We have a base64 cradle to bypass the filter, creating a payload to interact with the gitea api to see what repo's the user has access to
1:24:04 - Getting information from the backups repo, then downloading the contents
1:29:00 - Extracting the tar from the git repo and getting an ssh key, finding passwords in the .git_credentials file
1:33:20 - Looking at the Laravel Source Code and discovering there is a command injection
1:38:00 - Looking at the email validation request, to show we need to create a valid checksum
1:42:30 - Explaining how the secret is generated from the source code, because the secret is at the beginning we can do a hash length extension
1:44:20 - Using Hash_Extender to generate a bunch of payloads in order to find the length of the secret
1:49:00 - Start of using python to submit the validation check
2:01:50 - Finding out the issue I'm running into, stupid formatting issue, having hash_extender output in a different format
2:10:50 - Getting a reverse shell on the container
2:17:00 - Finding there is a docker.sock file in our container, which enables us to interact with docker on the host
2:19:30 - Copying the Docker Executable to the container, which makes it much easier to interact with. Starting a container with the host file system mounted to get root
2:23:35 - Extra content, showing SSH can tunnel named pipes (socket files)

Support the originator by clicking the read the rest link below.