HackTheBox - Bookworm
IppSec
Video Search: https://ippsec.rocks
Video Description
00:00 - Introduction
00:50 - Start of nmap
04:30 - Discovering a potential XSS in the Notes field of an order. The Content Security Policy (CSP) blocks us, because inline JS cannot run on the page, so we look for a file upload functionality.
08:29 - Finding out we can upload anything we want as the avatar. This should allow us to bypass the CSP in the book edit field.
11:55 - Confirmed XSS on the page; checking whether there is an IDOR vulnerability that allows us to add notes to other people's items by creating a second account.
16:00 - Creating a Python script that will automatically poison items in people's baskets (carts).
28:00 - Basket Poisoner script is completed.
28:50 - Creating a JavaScript payload, explaining why I'm using await, fetch, and helper functions.
40:15 - Having the XSS payload fetch the profile, look for orders, then perform a GET on every order to examine the order page, and send us the HTML of that page.
49:55 - Creating a Python Flask server that will save all of the orders the XSS payload sends us.
56:00 - Examining orders and discovering there is a "Download Everything" URL. Didn't show it, but there is no IDOR vulnerability here; we need to have the XSS trigger it. Exfilling /etc/passwd.
01:12:00 - Extracting database.js, which contains the database information. The password lets us onto the system as Frank.
01:15:52 - EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting the root option on res.download in Express.
01:21:04 - Enumerating the box as Frank and discovering a second web application listening on port 3001.
01:30:00 - Looking at the source code of the book converter.
01:36:20 - Exploiting an SSRF/file disclosure vulnerability in the book converter, but it doesn't get us anything.
01:42:18 - Finding an arbitrary file write vulnerability in the book converter by abusing symlinks to bypass a file extension check.
01:51:50 - Shell as Neil, who can run the GenLabel binary with sudo; examining it to discover a SQL + PostScript injection.
01:57:10 - Using the SQL injection to inject a file write command into the PostScript file, which then gives us arbitrary file write as root.