HackTheBox - RedPanda

00:00 - Introduction
00:55 - Start of nmap
01:58 - Poking at the web page, examining the request, playing with server headers
02:25 - Discovering an error message, googling it and finding out it is tied to Sping Boot
03:45 - Start of FFuf, using a raw request so we can ffuf like we can sqlmap
04:45 - Going over the results of FFUF
05:40 - Matching all error codes with FFUF which is very important, going over the special characters
08:15 - The curly braces return 500 in FFUF, big indication it is going to be SSTI
09:20 - Using HackTricks to get a Spring Framework SSTI payload and getting command execution
13:05 - Using curl to download a shell script and then execute it because we are having troubles getting a reverse shell
15:30 - Going back to just show the Match Regex feature of FFUF to search for banned characters
17:00 - Searching the file system for files owned by logs, discovering redpanda.log. Using a recursive grep to find out what uses this
19:50 - Examining the Credit Score java application and seeing what it does with the RedPanda.log file
22:00 - Discovering the Credit Score application gets the Artist variable via ExifData in an image
24:10 - With the Artist, the Credit Score application opens an XML File and writes. This is like an Second Order XXE Injection
25:50 - Downloading an image, so we can change the exif metadata
27:30 - Using Exiftool to modify the artist
29:30 - Building the malicious XML File
33:20 - Putting a malcious entry in the log, waiting for the cron to hit and then checking if we got root key
35:15 - Showing why our user had the group of logs. On boot the service was started with sudo and assigned us that group