HackTheBox - Forgot
- Published: 1 Aug 2024
- 00:00 - Introduction
- 01:03 - Start of nmap
- 02:00 - Talking about Varnish, then looking at the website
- 03:40 - Poking at the Forgot Password functionality and showing we can enumerate valid users
- 06:25 - Discovering a username in the HTML source
- 07:10 - Start talking about Host Header Injection, showing the page uses the Host header when building redirects
- 09:28 - Using Host header injection in the password reset to send the user a link that points to our box
- 11:00 - Explaining the Host header injection password reset in depth
- 13:00 - Live demo showing that Host header injection on password reset may not require user interaction; mail filters love clicking links
- 14:10 - Sending an email to myself, then checking Burp Suite Collaborator and seeing that some bots clicked our link and sent us the token that was in the email!
- 16:43 - Showing what Robert can do in the web application and discovering some odd behavior on the /tickets/ page: anything after the slash returns tickets rather than a 404!
- 21:10 - Identifying when Varnish decides to cache things by looking at the Age header, and discovering that whenever /static/ is in the URL the response is cached, and that the page doesn't check authorization before serving the cached copy
- 24:30 - Getting the administrator to click a link to /admin_tickets/static/Junk, which caches /admin_tickets/ and allows anyone to view the admin_tickets page!
- 26:55 - Going in-depth on the Web Cache Deception attack and how Varnish works
- 27:50 - Showing the Varnish configuration
- 29:00 - Editing the Varnish configuration to add User-Agent to the caching logic, showing that it can have unique hashes per user, then updating it to use cookies instead
- 33:00 - Explaining the weird behavior in how the Flask app does routing, which allows the user to put /static/ in the URL without it going to the static directory
- 34:45 - Checking what Diego can run via sudo and discovering he can execute ml_security, which appears to be a machine learning PoC for detecting XSS
- 40:10 - Getting the version of TensorFlow and looking for vulnerabilities in the library itself
- 41:30 - Exploiting TensorFlow 2.6.3 saved_model_cli (CVE-2021-41228 and CVE-2022-29216)
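Added example, not code from the video or from the box itself: a toy model of a Varnish-style reverse-proxy cache covering the 21:10 to 29:00 chapters. It shows why a cache that stores anything under /static/ and keys entries only on host and URL hands the admin's cached page to an unauthenticated client, and why keying on the Cookie header as well (the change shown at 29:00) gives each session its own entry. The origin's routing behaviour, the hostname forgot.htb and the cookie value are assumptions.

```python
# Added example (not the box's code): a minimal model of reverse-proxy caching
# to show the effect of including the Cookie header in the cache key.
# The origin behaviour, the hostname and the session value below are assumptions.

ADMIN_SESSION = "session=constructed-admin-cookie"   # constructed sample value


def origin(path, cookie):
    """Models the routing quirk from the video: any /admin_tickets/... path
    renders the admin tickets page, so /admin_tickets/static/junk does too."""
    if path.startswith("/admin_tickets"):
        if cookie == ADMIN_SESSION:
            return 200, "ADMIN TICKETS (a support ticket here contains a password)"
        return 302, "redirect to /login"
    return 200, "public page"


def cacheable(path, status):
    """Weak rule from the video: any 200 response whose URL contains /static/
    is stored, with no check that the content depended on authorization."""
    return status == 200 and "/static/" in path


class Cache:
    def __init__(self, key_on_cookie):
        self.store = {}
        self.key_on_cookie = key_on_cookie

    def key(self, host, path, cookie):
        # Default hash is (host, url); adding Cookie gives per-session entries.
        return (host, path, cookie if self.key_on_cookie else None)

    def fetch(self, host, path, cookie):
        k = self.key(host, path, cookie)
        if k in self.store:
            status, body = self.store[k]
            return status, body, True          # cache hit, origin never consulted
        status, body = origin(path, cookie)
        if cacheable(path, status):
            self.store[k] = (status, body)
        return status, body, False


def anonymous_sees_admin_page(key_on_cookie):
    """True if an unauthenticated request is served the admin's cached page."""
    cache = Cache(key_on_cookie)
    # The admin's browser fetches the /static/ variant of the admin page.
    cache.fetch("forgot.htb", "/admin_tickets/static/junk", ADMIN_SESSION)
    # An unauthenticated client then requests the same URL.
    status, body, hit = cache.fetch("forgot.htb", "/admin_tickets/static/junk", "")
    return hit and status == 200 and "ADMIN" in body
```

With the default key the second request is a cache hit on the admin's entry; with Cookie in the key it misses, reaches the origin, and gets the login redirect.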
Awesome! Seriously, this is the content you want on RUclips. You go into so much detail to give a good explanation of the different boxes and their vulnerabilities. Thank you
As a web dev, this is extremely informative! It makes a lot of sense, but I would never think about it myself!
Really enjoying the new way of interspersing the beyond root sections within the walkthrough. Makes it a lot easier to see the flow.
What's going on RUclips, this is ippsec and I forgot my password
Not all of these unusual attacks are covered in the HackTheBox Academy, and your videos are super helpful in this case! Keep doing this amazing job, thank you so much!
Congrats on 200k subscribers ippsec! Well deserved :)
Great video ipp, thank you for explaining the logic behind it :)
This is epic. Love you taking the time to explain
Amazing box and awesome video, thank you
Damn! Awesome one. Never would have thought about checking for TensorFlow exploits.
Great video ippsec, thanks for breaking these attacks down, very helpful
Amazing video, keep 'em coming 🤘
Interesting video, thank you!
Damn, what a coincidence, I just said the word "forgot" and got your notification 😂😜💕💞
Awesome job
Hey ippsec. How can I make my Firefox treat any given input as a website first, instead of the default Google search? In HTB boxes, when I enter a .htb address it always takes me to Google search by default; I have to put http at the beginning to make it treat it as a website.
What a class!!!!!! This is incredible, fuck my broken English
19:45 we can just click on Action, then say "don't intercept for this host".
Thx boss
@20:40 was Varnish written by former Amiga owners?
Hey Ipp, did you know that you can actually do "-sCV" instead of "-sC -sV"?
Yup, I just like breaking it up more.
Is it common practice for developers to use such a method to define the email host? I've never seen it before and it's really surprising. If it was an environment variable, would it also be possible to poison it?
Google the attack; it isn't the most common, but if it were rare you wouldn't see it everywhere.
There's a vulnerable lab instance in PortSwigger labs for "password reset poisoning"
How did you know it was related to caching directly? You're so sure that you should look at Age being 0, and why it is.
That header is only there for caching things. Age is not a common HTTP header.
Hi ippsec, I think you have missed the part on how to get to Diego's shell.
The password for it was in a support ticket on the cached admin page
Hey ippsec! Great video, and I had a doubt: how did you know that you had to check for host header injection? I mean to ask, how did it strike you that it could have a possible host header injection vulnerability? @ippsec
I think I showed the redirect using the Host header, which is an indication. That being said, most sites offer a way to sign up and use email (HTB doesn't because machines don't have internet). So I would say 4/5 times when you're on a test, this is something you can test for by having the website email you.
@ippsec got it! Thanks for the explanation 🙂