HackTheBox - Extension

00:00 - Intro 01:00 - Start of nmap, then discovering a laravel app 05:00 - Laravel app uses Ziggy which exposes a list of all the routes 07:50 - Finding the /management/dump endpoint but we keep getting page expired (missing some headers) 12:50 - Using ffuf to brute-force the management/dump endpoint 15:55 - Dumping a list of users and then cracking them 21:30 - Enumerating virtualhosts, then looking at the roundcube version 27:50 - Discovering the first 32 characters of the password reset token does not change 32:40 - Attempting to bruteforce the password reset token for Charlie's password but discovering there's rate limiting in play 33:50 - Spamming the password reset link to generate multiple tokens, which will allow us to guess a token 35:14 - Edit, explaining the multiple password reset vulnerability more in depth 37:18 - End of edit, resetting charlie's password 41:00 - Logging into Gitea as Jean and discovering a browser extension. Installing it to see what it does 45:20 - Explaining the XSS Filter check on the extension 58:30 - Initial payload to prove we can execute javascript 1:13:45 - We have a base64 cradle to bypass the filter, creating a payload to interact with the gitea api to see what repo's the user has access to 1:24:04 - Getting information from the backups repo, then downloading the contents 1:29:00 - Extracting the tar from the git repo and getting an ssh key, finding passwords in the .git_credentials file 1:33:20 - Looking at the Laravel Source Code and discovering there is a command injection 1:38:00 - Looking at the email validation request, to show we need to create a valid checksum 1:42:30 - Explaining how the secret is generated from the source code, because the secret is at the beginning we can do a hash length extension 1:44:20 - Using Hash_Extender to generate a bunch of payloads in order to find the length of the secret 1:49:00 - Start of using python to submit the validation check 2:01:50 - Finding out the issue I'm running into, stupid formatting issue, having hash_extender output in a different format 2:10:50 - Getting a reverse shell on the container 2:17:00 - Finding there is a docker.sock file in our container, which enables us to interact with docker on the host 2:19:30 - Copying the Docker Executable to the container, which makes it much easier to interact with. Starting a container with the host file system mounted to get root 2:23:35 - Extra content, showing SSH can tunnel named pipes (socket files)