HackTheBox - Backfire

00:00 - Introduction
00:48 - Start of nmap
02:00 - Showing Havoc adding the X-HAVOC true header on GET/POST requests on its HTTP Hosting Service
05:00 - Seraching CVEDetails finding CVE-2024-41570 which is a SSRF
06:25 - Some quick C2 talk before we dive into the SSRF
08:45 - Going over the Havoc SSRF Script
17:10 - Talking about a research article that looked at multiple open-source C2's and the vulnerabilities they had
21:30 - Allowing our SSRF to make a websocket connection, which lets us authenticate and perform the RCE in Havoc
35:00 - Getting a shell, explaining our attack chain again
38:10 - Discovering Hardhatc2, looking at google and seeing it has a static JWT Signing Key
41:00 - Standing up HardHat c2 via docker to craft an authenticated cookie, then tunneling to backfire and bypassing auth. Use terminal to get shell
46:45 - Our new user can run iptables/iptables-save with sudo. Using this combo to write to roots authorized_keys2 to get a shell, which is a bit safer than authorized_keys