HackTheBox - Awkward

Video Description

00:00 - Introduction 01:00 - Start of nmap 02:00 - Taking a look at the web page, finding users on the site, and using FFUF to VHost Enumeration due to talking about a store 04:25 - Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue 07:55 - Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API 11:50 - An JWT error message is displayed when accessing some API Pages, removing the token and bypassing authentication 13:10 - Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability 15:40 - Extracting all users from the page and then using curl to save the hashes to a file. Use CrackStation to crack hashes and get a cred 21:20 - Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF 23:45 - Using FFUF to fuzz for all possible ports and using a bash trick to create a wordlist based upon a range of numbers without creating a file 29:40 - Discovering some API Documentation on a page on port 3002 31:10 - The API all-leave page uses awk, and we can abuse this binary to perform a file disclosure vulnerability if we can poison user names. 33:40 - Using hashcat to crack our JWT 35:30 - Creating a python script to generate JWT's which allow us to exploit awk and exfil files off the server 42:00 - Python script completed, leaking some files and discovering a unique file in a users .bashrc 48:00 - Having trouble exporting the backup file, and modifying our script to write binary files which allow us to download the tar.gz backup 54:00 - Discovering bean's credentials in his xpad directory and logging in 56:20 - Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data 59:40 - Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without any bad characters. Having trouble getting this to work. 01:11:10 - Taking it slower, discovering our mistake and getting code execution 01:14:00 - Reverse shell as www-data. Modifying the file and trying to find out what happens 01:18:10 - Running PSPY, since it will be more thorough than our PS Commands and discover we can inject into the mail command 01:24:30 - Got our command execution working and shell returned as root 01:25:30 - Getting shell as www-data was unintended, showing the intended way of doing this which involves the leave-request page and symlinks 01:32:00 - Cannot poison our JWT and get code execution because of bad characters 01:38:30 - There were directories chmod'd to 777 that the application wrote to. We can use symlinks here to point to other files and have the webserver write to another file 01:40:50 - Showing why we need to create a new product to place our malicious payload 01:44:00 - Reverse shell returned the intended way, and then showed we definitely needed the ! which is a bad character 01:47:40 - Extra content! Showing a more in-depth look at why removing the cookie bypassed auth. By loading the code locally and running it in VS so we can properly debug and step through it 01:49:30 - Explaining and showing why the application should have had an authentication function so there was less duplicate code in each function, which makes it easier to patch