HackTheBox – Crossfit2
00:00 – Intro
01:10 – Start of nmap and poking at website. Browser Developer Window shows WebSockets + Hostname
06:50 – Setting up full portscan and gobuster while we poke at the box, to always have recon running
09:10 – Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later)
11:20 – Playing with the websockets in BurpSuite, discovering SQL Injection
21:40 – Creating a python program to aid our SQL Injection
29:15 – SQL Injection: Enumerating information_schema to pull out table information
35:45 – Going back to test our previous ffuf to find out i forgot the header flag
42:00 – Using ffuf to fuzz parameters for the passwordreset php script and trying the token from Sql Injection
44:00 – Enumerating our SQL Users permissions and then including files
49:20 – RelayD configuration shows a new domain crossfit-club.htb, failing to sign up with an account
57:40 – Using grep to extract /api/ endoings from javascript files
1:03:00 – Discover the signup endpoint, only administrators can create accounts.
1:06:20 – Grabbing unbound secret keys which will let us create DNS Entries on the box
1:10:08 – Creating a domain name with unbound and then editing the Host header in the password reset
1:13:00 – Explaining the DNS Rebind attack to get around the server examining our DNS Name
1:19:30 – Start of XSS to have the user register an account for us
1:26:40 – Hitting the start of our XSS to debug, explain bypassing CORS based upon not escaping the period in the URL
1:34:20 – Changing our unbound request to use a domain name that bypasses CORS
1:37:15 – Appending a slash to the host header to bypass a regex
1:39:05 – The final XSS Payload to have an administrator create an account for us. Checking out the chat applicaiton
1:47:20 – Start of creating XSS to steal Direct Messages from chat application
1:51:00 – Creating a second account, so we can examine how DM’s work in the chat application (use wireshark to do this)
1:54:50 – Finishing off the XSS Script to steal DM’s by hooking private_recv
2:01:10 – Finding a message that contains a password and SSHing into the box
2:03:50 – Using find to show files owned by a group
2:05:00 – Examining the Statbot NodeJS Script, then exploiting a library injection vulnerability
2:12:30 – Reverse shell returned, finding another binary to reverse
2:16:20 – Going over why i hate reversing BSD Binaries, comparing Ghidra and Cutter decompiler output
2:23:15 – Viewing backups on BSD and discovering root’s ssh key is being backed up to /var, so the log binary can read it!
2:25:00 – SSH is still asking for a password after using SSH Key, confirming it accepted our key, then viewing sshd/login config on BSD to see what its asking for
2:27:00 – Downloading YubiKey Secrets then failing to get it to generate a key for a bit
2:43:00 – Using YKPARSE to examine our key, then change the session and generate a valid MFA
by IppSec
windows server dns forwarder
