HackTheBox - WhiteRabbit

Описание: 00:00 - Introduction
01:00 - Start of nmap
05:10 - Playing with a JavaScript Client app (Vue) to get information to do recon and finding public /status/ page
12:00 - Looking at the N8N Workflow with GoPhish
14:30 - Looking at the JSON Schema File that leaks a secret key and shows possible SQL Injection
18:00 - Using CyberChef to test the HMAC Key and confirm we can sign payloads
21:50 - Switching to Caido to show we can create WorkFlows on the Replay (repeater) functionality
25:20 - Creating a convert workflow to HMAC Sign all our requests
35:40 - Using the MITM Python Library to quickly write a proxy that would sign our requests that makes it easier for tools to test this endpoint
45:20 - SQLMap found the injection, dumping tables discovering a restic password
48:50 - Using the restic CLI to download a backup, then cracking the 7z file. Cracking fails the first time due to a weird collision.
57:00 - On the box, we can run restic with sudo, use password-command to give us a root shell
1:05:50 - Finding the neo password generator, discovering it uses random insecurely to set the seed and generate password.
1:18:45 - Adding milliseconds to our timestamp and then bruteforcing the password to get root