UHC - NodeBlog

Box will be uploaded to HackTheBox by January 5th.

00:00 - Intro
01:08 - Start of nmap
03:00 - Looking at the login, failing normal SQL Injection
04:45 - Start of talking about NoSQL/Mongo Injection
06:20 - Using the NE operator to create the NoSQL Injection where password is not equal to admin and bypassing login
07:00 - Showing the REGEX operator and talking about other ones to leak data
08:34 - Creating a Python application to brute-force passwords from the NoSQL database one character at a time
21:00 - Script done, running it and going over the code
24:40 - Examining the UPLOAD functionality of the site
26:10 - Testing for XXE
29:30 - Replacing our XXE PoC to include a file, then making the application error to get the path of the webapp so we can extract source code
32:10 - Discovering the application utilizes Node-Serialize, which is extremely vulnerable to unserialization/deserialization attacks
39:30 - Proving we have RCE after URL-encoding our entire payload and using double quotes instead of single quotes
41:00 - Creating a reverse-shell one-liner that has minimal bad characters and getting a reverse shell
43:10 - Reverse shell returned, we already have the password for SUDO!
44:10 - ALTERNATE WAY TO GET PASSWORD: Mongodump
47:00 - Showing the application is vulnerable to IDORs