HackTheBox - Interface
00:00 - Introduciton
00:50 - Start of nmap, navigating to the page and identifying the framework based upon 404
02:30 - Playing around looking at javascript source, not getting anything
04:30 - Playing around with ... I’m guessing file not found is the webserver, not actual code.
07:40 - Showing the difficulty of dirbusting API Servers
11:20 - Showing importance of updating FeroxBuster
15:00 - Playing with the HTML2PDF endpoint and discovering we need to send a POST with HTML as an argument
18:20 - The PDF Generated has dompdf in the exif data searching for exploits
20:40 - Researching how CVE-2022-28368 works, then manually exploiting the vulnerabiltiy
28:50 - The CSS/Font is created, running the exploit and finding where the Font (PHP File) gets uploaded to
34:30 - Reverse shell returned
38:15 - Uploading pspy to examine how the box cleans itself up
40:20 - Discovering and exploiting Bash Arithmetic Injection
3 months ago 00:00:00 1
5 months ago 00:04:06 1
5 months ago 00:32:44 18
5 months ago 00:34:38 2
5 months ago 01:27:34 5
5 months ago 00:37:18 6
5 months ago 00:41:25 5
5 months ago 01:46:13 2
5 months ago 01:12:42 3
5 months ago 00:26:29 1
5 months ago 02:06:46 2
5 months ago 00:54:43 11
5 months ago 02:05:30 1
6 months ago 00:33:44 1
6 months ago 00:27:16 1
6 months ago 00:30:39 1
7 months ago 11:21:04 1
8 months ago 05:30:24 3
8 months ago 01:02:06 16
8 months ago 00:16:21 18
8 months ago 02:09:39 14
9 months ago 00:29:19 2
10 months ago 00:39:17 7
10 months ago 00:42:37 10
