HackTheBox – Bookworm

00:00 – Introduction
00:50 – Start of nmap
04:30 – Discovering a potential XSS in the Notes field of an order. The Content Security Policy (CSP) blocks us, because inline JavaScript cannot run on the page. Looking for a file upload feature.
08:29 – Finding out we can upload anything we want as the avatar. This should allow us to bypass the CSP in the book edit field.
11:55 – Confirmed XSS on the page, checking if there's an IDOR vulnerability that allows us to add notes to other people's items by creating a second account.
16:00 – Creating a Python script that will automatically poison items in people's basket (cart).
28:00 – Basket Poisoner script is completed.
28:50 – Creating a JavaScript payload, explaining why I’m doing await, fetch, and helper functions.
40:15 – Having the XSS payload fetch the profile, look for orders, then perform a GET on every order to examine the order page, and send us the HTML of that page.
49:55 – Creating a Python Flask server that will save all of the orders the XSS payload sends us.
56:00 – Examining orders, discovering there is a "Download Everything" URL. Didn't show it, but there is no IDOR vulnerability here; we need to have the XSS trigger it. Exfilling /etc/passwd.
01:12:00 – Extracting database.js, which contains the database information. The password lets us onto the system as Frank
01:15:52 – EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting the root option on res.download in Express.
01:21:04 – Enumerating the box as Frank discovering a second web application listening on 3001
01:30:00 – Looking at the source code to the book converter.
01:36:20 – Exploiting an SSRF/file disclosure vulnerability in the Book Converter, but it doesn't get us anything.
01:42:18 – Finding an arbitrary file write vulnerability in the Book Converter by abusing symlinks to bypass a file extension check.
01:51:50 – Shell as Neil, who can run the GenLabel binary with sudo. Examining it to discover a SQL injection whose output lands in a PostScript file.
01:57:10 – Using the SQL injection to inject a file write command into the PostScript file, which then gives us arbitrary file write as root.
