HackTheBox - Mailroom

00:00 - Introduction
01:00 - Start of nmap, discovering two different OSes
02:30 - Running Gobuster to brute-force VHOSTs
03:30 - Discovering XSS but nothing we can really do with it
04:00 - Enumerating Gitea, discovering a repo with some source code
05:40 - Opening the code with VS Code and Snyk. Discovering an RCE vulnerability, but it requires login
07:30 - Discovering an EAR (Execute After Read) Vulnerability on Authentication
09:10 - Start of building our JavaScript payload to exploit NoSQL injection, download the internal page
12:40 - Explaining the NoSQL Injection, then testing with a login bypass
16:30 - Discovering what happens on invalid logins
20:40 - Getting the length of the password
25:30 - Brute-forcing the password with boolean logic
30:00 - Logging in via SSH with the credentials we got from the NoSQL injection, looking at the local Linux mail to get the 2FA link
33:20 - Logged into the dashboard, can hit the RCE endpoint now to get a shell as www-data, which gets us Matthew's creds
40:20 - Discovering a KeePass file, running ps enough times that we can see kpcli runs
41:30 - Running strace against kpcli to intercept syscalls
42:40 - Specifying we only want to see read syscalls, and can intercept keys sent to KeePass and get the password
46:10 - Going into the Mongo Docker container and running mongodump to dump all the users