HackTheBox – Busqueda




00:00 – Introduction
01:00 – Start of the nmap
04:20 – Copying the request in Burp Suite to a file so we can use FFUF to fuzz
06:00 – Just testing for SSTI
06:45 – Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 – Discovering we can append to the string, then trying to execute code with print to test for eval statements
10:00 – Getting a reverse shell
15:00 – Reverse shell returned
17:00 – Looking at Apache virtual hosts to discover a hidden vhost that is running Gitea
19:00 – Finding creds in the .git folder, which let us run sudo
22:00 – Inspecting the Docker containers to discover passwords in environment variables, which let us log into Gitea as administrator and view the script we are running as sudo
25:30 – Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root
