HackTheBox - Spider

00:00 - Intro
01:10 - Start of nmap
02:40 - Adding spider.htb to our host file so we can access the domain name
03:30 - Playing with the registration of the website and examining the cookie
06:20 - Putting a bunch of bad characters for our username and discovering odd behaviors
10:05 - Dumping the configuration via SSTI, can't do a complex SSTI due to username limit
12:30 - We have the cookie secret, using Flask-Unsign to create malicious cookies and discover SQL Injection
16:25 - Sending our SQL Injection Payload to the server and confirming it is SQL Injectable
18:05 - Using the Eval Parameter of SQLMap to have SQLMap Sign the payloads it sends and dump the database
22:45 - Getting Chiv's password from SQLMap then logging into the web application
24:30 - Testing SSTI on the admin panel that we got to from Chiv and discovering a WAF (Web Application Firewall)
26:40 - Using wfuzz to enumerate the bad characters which trigger the WAF
29:00 - Playing with wfuzz encoders to URLEncode everything from our wordlist
33:50 - Obfuscating our SSTI Payload so the bad characters are not present and getting a reverse shell
37:10 - Reverse shell returned
41:10 - Using SSH to set up a port forward which allows us to hit 127.0.0.1:8080 on the remote host
43:00 - Examining the authentication cookie and discovering an XML document within the cookie
44:00 - Testing for XML Entity Injection
45:50 - Using Payload All The Things to help us craft an XML Entity Injection payload to read files
48:30 - Grabbing the SSH Private Key via XML Entity Injection and logging in as root
