HackTheBox - Awkward

00:00 - Introduction 01:00 - Start of nmap 02:00 - Taking a look at the web page, finding users on the site, and using FFUF to VHost Enumeration due to talking about a store 04:25 - Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue 07:55 - Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API 11:50 - An JWT error message is displayed when accessing some API Pages, removing the token and bypassing authentication 13:10 - Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability 15:40 - Extracting all users from the page and then using curl to save the hashes to a file. Use CrackStation to crack hashes and get a cred 21:20 - Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF 23:45 - Using FFUF to fuzz for all possible ports and using a bash trick to create a wordlist based upon a range of numbers without creating a file 29:40 - Discovering some API Documentation on a page on port 3002 31:10 - The API all-leave page uses awk, and we can abuse this binary to perform a file disclosure vulnerability if we can poison user names. 33:40 - Using hashcat to crack our JWT 35:30 - Creating a python script to generate JWT's which allow us to exploit awk and exfil files off the server 42:00 - Python script completed, leaking some files and discovering a unique file in a users .bashrc 48:00 - Having trouble exporting the backup file, and modifying our script to write binary files which allow us to download the tar.gz backup 54:00 - Discovering bean's credentials in his xpad directory and logging in 56:20 - Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data 59:40 - Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without an