HackTheBox - Mango

  • Published 6 Dec 2024
  • 01:00 - Start of nmap and examining the HTTPS Certificate to get a potential hostname
    04:00 - Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMap do HTTPS instead of HTTP
    06:26 - Playing with analytics.php and some light testing to see if we could do SSRF. Put it on the backburner and move on.
    07:42 - Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap
    08:51 - Going over NoSQL Injection
    09:44 - Attempting to explain NoSQL Injection
    11:35 - Performing a NoSQL Injection test via x-www-form-urlencoded data
    12:44 - Doing Regular Expressions with NoSQL Injection to extract the password length
    14:00 - Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)
    16:00 - Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in
    18:50 - Going back to NoSQL Injection with Regular Expression and Boolean injection to extract the password
    19:20 - Going over doing Burp Intruder to extract data
    21:45 - Creating a Python Script to do this NoSQL Injection since Burp costs $$ and is slow.
    37:11 - Script mostly done extracting admin's password
    40:47 - Trying to extract Mango's password but there's a tricky character, troubleshooting
    44:00 - Screwed up a loop and didn't go through all the character space. Getting Mango's password, then using SSH to log in to the box.
    46:00 - Running LinPEAS and seeing JJS is a SetUID Bin
    48:00 - Turns out we can't execute JJS as mango, only admin. Use "su" to switch to admin and run JJS
    50:11 - Using JJS to write a file and drop an SSH Key
