HackTheBox - Spider

Published: 23 October 2021
on channel: IppSec
Views: 43,471
Likes: 929

00:00 - Intro
01:10 - Start of nmap
02:40 - Adding spider.htb to our hosts file so we can access the site by its domain name
03:30 - Playing with the website's registration flow and examining the cookie it issues
06:20 - Submitting a batch of bad characters as our username and discovering odd behaviours
10:05 - Dumping the configuration via SSTI; the username length limit rules out a more complex SSTI payload
12:30 - With the cookie secret recovered, using Flask-Unsign to forge cookies and discover SQL injection
16:25 - Sending our SQL injection payload to the server and confirming the parameter is injectable
18:05 - Using SQLMap's --eval option to have SQLMap sign each payload it sends, then dumping the database
22:45 - Getting Chiv's password from the SQLMap dump and logging into the web application
24:30 - Testing SSTI on the admin panel reached as Chiv and discovering a WAF (Web Application Firewall)
26:40 - Using wfuzz to enumerate the bad characters that trigger the WAF
29:00 - Playing with wfuzz encoders to URL-encode every entry in our wordlist
33:50 - Obfuscating our SSTI payload so the bad characters are not present and getting a reverse shell
37:10 - Reverse shell returned
41:10 - Using SSH to set up a port forward so we can reach 127.0.0.1:8080 on the remote host
43:00 - Examining the authentication cookie and discovering an XML document inside it
44:00 - Testing for XML entity injection
45:50 - Using PayloadsAllTheThings to help craft an XML entity injection payload that reads files
48:30 - Grabbing the SSH private key via XML entity injection and logging in as root
