HackTheBox – OnlyForYou

00:00 – Introduction
01:00 – Start of nmap
03:20 – Discovering beta.only4you.htb
03:55 – Downloading the source, scanning it with Snyk and discovering a file disclosure vulnerability
05:15 – Demonstrating that Python's os.path.join behaves unexpectedly when a later path component begins with a slash
07:30 – Failing to get /proc/self/environ, not sure why we failed here
09:20 – Grabbing the nginx configuration to discover where the websites are stored, then using the file disclosure vulnerability to leak the source of the main website
11:15 – Discovering a vulnerability when sending mail
12:10 – Talking about how we will bypass the bad-character check: re.match only matches at the start of the string, not the entire string
16:10 – Getting code execution from the contact form
18:45 – Reverse shell returned, looking for databases, and discovering a few ports listening on localhost
22:30 – Uploading Chisel so we can access ports 3000 and 8001
25:40 – Start of the Neo4j injection, discovering that our input lands inside a CONTAINS clause
30:00 – Going to HackTricks and discovering we can use LOAD CSV to leak data out of band
32:25 – Leaking the labels, then grabbing users and hashes
38:30 – Logging in as John, discovering we can use sudo with pip to download a tar from Gogs
40:25 – Creating a malicious Python package for pip to download, then uploading it to Gogs
44:10 – Showing that the pip download command executes setup.py, and getting root