HackTheBox - WhiteRabbit

00:00 - Introduction
01:00 - Start of nmap
05:10 - Playing with a JavaScript Client app (Vue) to get information to do recon and finding public /status/ page
12:00 - Looking at the N8N Workflow with GoPhish
14:30 - Looking at the JSON Schema File that leaks a secret key and shows possible SQL Injection
18:00 - Using CyberChef to test the HMAC Key and confirm we can sign payloads
21:50 - Switching to Caido to show we can create WorkFlows on the Replay (repeater) functionality
25:20 - Creating a convert workflow to HMAC Sign all our requests
35:40 - Using the MITM Python Library to quickly write a proxy that would sign our requests that makes it easier for tools to test this endpoint
45:20 - SQLMap found the injection, dumping tables discovering a restic password
48:50 - Using the restic CLI to download a backup, then cracking the 7z file. Cracking fails the first time due to a weird collision.
57:00 - On the box, we can run restic with sudo, use password-command to give us a root shell
1:05:50 - Finding the neo password generator, discovering it uses random insecurely to set the seed and generate password.
1:18:45 - Adding milliseconds to our timestamp and then bruteforcing the password to get root