HackTheBox - OnlyForYou

00:00 - Introduction 01:00 - Start of nmap 03:20 - Discovering 03:55 - Downloading the source, scanning with Snyk and discovering a File Disclosure vuln 05:15 - Demonstrating that in python will do unexpected things if a path begins with slash 07:30 - Failing to get /proc/self/environ, not sure why we failed here 09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the File Disclosure Vuln to leak source of main website 11:15 - Discovering a vulnerability when sending mail 12:10 - Talking about how we will bypass the bad character check, the will only match the start, not entire string 16:10 - Getting code execution from the contact form 18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost 22:30 - Uploading Chisel so we can access ports 3000 and 8001 25:40 - Start of Neo4j Injection, discovering we are in a contains statement 30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band 32:25 - Leaking the labels, then grabbing users and hashes 38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off GOGS 40:25 - Creating a malicious python package for us to download, then uploading to gogs 44:10 - Showing that the pip download command will execute and getting root