HackTheBox - Cat

00:00 - Introduction
01:00 - Start of nmap
03:00 - Taking a look at uploads at the website starting with upload functionality
05:40 - Discovering .git directory, using git-dumper to grab the source and examining the code behind upload to see it is likely not vulnerable
10:10 - Testing for XSS in username, getting admin cookie upon submitting a cat to the site
14:45 - Showing another way to do XSS Bypassing a filter via HTML Entity Encoding
26:30 - Analzying the code with Snyk and OpenGrep to find vulnerabilities and discovering SQL Injection
31:40 - Using SQLMap to dump the database via a boolean injection which is slow
39:20 - Showing we could manually exploit it quickly by dropping a file via sqlite injection
42:00 - Using SQLDump to dump hashes, then sending them to crackstation to get rosa's password
44:45 - Discovering the application does logins via GET which would put passwords in a log file, rosa is a member of ADM and can read logs.
46:20 - Logging in with Axel, discovering Gitea is running and setting up a port forward
48:00 - Exploiting an XSS In Gitea by performing CSRF to grab pages of a sensitive repository CVE-2024-6886
59:30 - Fixing up our exploit script then grabbing the repo to get root's password