HackTheBox - Cereal

  • Published 19 Oct 2024
  • 01:17 - Start of nmap, showing that having valid hostnames gives more information
  • 03:54 - Error message on source.cereal.htb leaks a path
  • 06:30 - Showing .git doesn't exist in DirectoryList but does in Raft
  • 08:02 - Using Git-Dumper to download the .git directory and view the source
  • 09:30 - Looking at the Git history shows where deserialization happens and a hard-coded JWT
  • 12:08 - Using the hard-coded JWT to build our own token in dotnet
  • 21:00 - Trying to use our JWT to access authenticated pages
  • 25:42 - Going through the React JavaScript to see that the token is stored in our browser's local storage
  • 29:40 - Our browser keeps clearing the storage; let's just intercept a request in BurpSuite and do what we need
  • 32:15 - Start of the deserialization: a BadWords filter blocks ysoserial payloads, but we can manually create our own deserialization payload
  • 33:20 - Finding the name of our JSON library, then finding a Black Hat talk on abusing it to build our payload
  • 40:11 - More examining JavaScript to find routes that leak pages of the application
  • 42:15 - Using npm audit to find an XSS vulnerability on /admin due to an out-of-date plugin, react-marked-markdown
  • 46:10 - Testing the XSS vulnerability with a simple payload
  • 49:00 - Putting it all together, writing notes on how we are going to build the exploit
  • 51:15 - Start of the exploit script: disabling SSL verification in Python requests, then building our JWT with PyJWT
  • 57:00 - Testing out bad-character evasion with Base64 by using a benign XSS payload first
  • 1:06:20 - Adding stage 1 to our script to send the deserialization payload
  • 1:08:22 - Changing our payload to use XMLHttpRequest to force the browser to make the request that performs the deserialization, which bypasses the RestrictIP policy
  • 1:13:08 - Our script did not work; troubleshooting it
  • 1:17:57 - Script worked; let's now host an ASPX file for it to download
  • 1:19:20 - Using our webshell to download the SQLite database
  • 1:22:45 - Our PowerShell one-liner to convert the database to base64 just fails. Let's copy the database to the web directory so we can download it without encoding it
  • 1:25:00 - Showing IIS isn't allowing us to download files that end in .db
  • 1:27:45 - Showing odd behavior with SSH not prompting us for a password because it treats PubKey offers as login attempts. The fix is to tell SSH not to use pubkey authentication
  • 1:33:00 - Discovering port 8080, forwarding that port and discovering GraphQL. Installing GraphQL Playground
  • 1:37:20 - Using GraphQL Playground to dump data out of the database, then using a mutation to trigger the SSRF
  • 1:39:30 - Downloading GenericPotato so we can use this SSRF to steal the token
  • 1:44:20 - Running GenericPotato in HTTP mode, triggering the SSRF and getting a root shell

COMMENTS • 49