Скачать или смотреть #5 [Hindi] Extension HTB Walkthrough (Part-1) | XSS To CSRF | IDOR | Security Misconfiguration

Hi Guys In this video I solved Extension hackthebox machine till user.
Little Overview about the machine : Extension has multiple really creative attack vectors with some unique features. I’ll start by leaking usernames and hashes, getting access to the site and to the email box for a few users. Abusing an IDOR vulnerability I’ll identify the user that I need to get access as next. I’ll enumerate the password reset functionality, and notice that only the last few characters of the token sent each time are changing. I’m not able to brute force a single token, but I can submit hundreds of resets set the odds such that I can guess a valid on in only a few guesses. With this access, I get creds for a Gitea instance, where I’ll find a custom Firefox extension. I’ll abuse that extension, bypassing the cross site scripting filters to hit the Gitea API and pull down a backup file from another user. That backup gives SSH access to the host, and some password reuse pivots to the next user. With this access, I’ll identify a hash extension vulnerability in the web application, and abuse that to access a command injection and get RCE in the website container. The Docker socket inside the container is writable, allowing for a simple container breakout.

Vision : My vision is to provide cybersecurity knowledge for free to the people of Republic of India. Because from my past experience I learnt that Institutes are fooling peoples to spend large money on their courses, in which they don't work on the thinking of the student they just focus to complete their courses.

If you have any doubt feel free to reach me out on various handles which I am providing below:

Discord: icoNic#0097
LinkedIn:   / neeraj-k-75bb1a130  
Mail: [email protected]