HackTheBox - Mango
Вставка
- Опубліковано 6 гру 2024
- 01:00 - Start of nmap and examining the HTTPS Certificate to get a potential hostname
04:00 - Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMAP do HTTPS instead of HTTP
06:26 - Playing with analytics.php and some light testing to see if we could do SSRF. Put it on the backburner and move on.
07:42 - Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap
08:51 - Going over NoSQL Injection
09:44 - Attempting to explain NoSQL Injection
11:35 - Performing a NoSQL Injection test via x-www-form-encoded data
12:44 - Doing Regular Expressions with NoSQL Injection to extract the password length
14:00 - Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)
16:00 - Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in
18:50 - Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password
19:20 - Going over doing Burp Intruder to extract data
21:45 - Creating a Python Script to do this NoSQL Injection since Burp cost $$ and is slow.
37:11 - Script mostly done extracting admin's password
40:47 - Trying to extract Mango's password but there's a tricky character, troubleshooting
44:00 - Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box.
46:00 - Running LinPEAS and seeing JJS is a SetUID Bin
48:00 - Turns out we can't execute JJS as mango, only admin. Use "su" to switch to admin and run JJS
50:11 - Using JJS to write a file and drop an SSH Key