HackTheBox - Sea

Video description for HackTheBox - Sea

00:00 - Introduction
00:40 - Start of nmap
03:40 - Trying to identify what is running the webapp (WonderCMS), discovering a themes directory in the page source and in Burp Suite
04:36 - Taking a string that looks unique in the CSS and searching GitHub to discover where it exists in an open-source repo
05:45 - Showing several ways we could have dirbusted the themes directory to discover this file
08:45 - Discovering a public PoC for the XSS attack
14:07 - Showing the pathname is not being set correctly in the public PoC, fixing it and then getting a callback
18:50 - We see the webserver downloaded our shell but the PoC didn't send it to us directly, so we manually trigger the callback
21:00 - Extracting the WonderCMS Password and cracking it
24:48 - Discovering a few ports listening on localhost, checking /etc to try to figure out which service is listening on 8080
26:00 - Forwarding port 8080 back to our box, then discovering a webapp that has a command injection flaw
31:40 - Discovering our shell dies quickly, adding a nohup to our reverse shell to make it more stable
34:00 - Showing why our reverse shell is not stable: it hangs the webserver, which causes it to restart
37:30 - Showing an alternate way to get the shell, just editing the sudoers file to add our user (we could also add a cron job to send a reverse shell, add an SSH key, etc.)
40:10 - Going over the XSS, showing the reflected injection and why it only triggers from the admin
43:50 - Manually exploiting this XSS by writing our own JavaScript to install the theme
55:20 - Showing we could have just stolen the PHPSESSID, so we could use our browser to install the module instead of performing a CSRF attack to do it
