HackTheBox - Mentor

00:00 - Intro
01:00 - Start of Nmap
03:30 - Enumerating virtual hosts with ffuf to find the api.mentorquotes.htb page
05:30 - Talking about FastAPI; attempting to use the endpoints, but authentication is required, so we create an account
07:00 - Logging in and discovering how to send authentication to the endpoints; this doesn't really gain anything yet
10:40 - Using ffuf to search for extra endpoints and discovering /admin/, but we can't do anything with it yet
14:00 - Running Nmap again over UDP to discover SNMP
17:10 - EDIT: Showing the --min-rate option in Nmap to scan UDP much quicker
18:30 - Using snmpwalk
19:40 - Using snmp-brute to bruteforce other community strings
20:45 - EDIT: Showing Hydra and onesixtyone failing to enumerate the second community string
23:05 - Using SNMPBruteWalk to dump the SNMP database, showing how much faster it is than snmpwalk
25:00 - SNMP shows running processes and their arguments; a password was passed on the command line of one process, so we can grab it and log in to FastAPI as James
28:15 - Accessing the admin endpoint and figuring out what parameters it expects via its error messages
30:50 - Discovering command injection in the backup endpoint
35:19 - Shell returned!
37:30 - Editing the user endpoint in FastAPI to dump password hashes; talking about Pydantic
40:45 - EDIT: Showing how we could background our reverse shell with nohup so we don't hang the web server
47:15 - Cracking the hashes, getting svc's password, and logging into the server via SSH
53:00 - Doing some light forensics, looking for files edited on the box shortly after Linux was installed
56:45 - Finding a password in the snmpd configuration, which gets us root
01:01:10 - Editing LinPEAS to add an extra regex that pulls passwords out of the snmpd configuration
01:04:30 - Rebuilding the LinPEAS shell script and running it to confirm it now detects the password in the snmpd configuration
01:06:40 - Forwarding PostgreSQL to our box with chisel so we can dump the database
01:12:20 - Enumerating PostgreSQL manually to dump users, then showing how to run code on PostgreSQL servers
01:16:30 - Setting up the FastAPI environment on our local box, copying the files out of the Docker container
01:18:30 - Doing some light edits to the FastAPI code so we can run it within an IDE and set breakpoints
01:24:14 - Start of adding auth to the /user/ endpoint
01:30:15 - Fixing our /auth/login endpoint to accept our new login request
01:37:20 - Getting the browser to accept our bearer token
01:45:30 - Fixing up the /user/ endpoint to work with our bearer token
01:50:20 - Getting the user decorator to return the User object, which makes it easy for our code to identify our group