HackTheBox - Mentor

00:00 - Intro 01:00 - Start of Nmap 03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page 05:30 - Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account 07:00 - Logging into the endpoint, discovering how to send authentication to the endpoints. Don't really gain anything 10:40 - Using ffuf to search for extra endpoints and discover /admin/ but can't do anything 14:00 - Running NMAP again with UDP to discover SNMP 17:10 - EDIT: Showing the minrate with nmap to scan UDP much quicker 18:30 - Using SNMP Walk 19:40 - Using SNMP-BRUTE to bruteforce other community strings 20:45 - EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string 23:05 - Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk 25:00 - SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI 28:15 - Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages 30:50 - Discovering command injection in the backup endpoint 35:19 - Shell returned! 37:30 - Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic 40:45 - EDIT: Showing how we could background out reverse shell with nohup so we don't hang the webserver 47:15 - Cracking the hashes and getting svc's password and then logging into the server via SSH 53:00 - Doing some light forensics looking for files edited on the box shortly after linux was installed 56:45 - Finding a password in the snmpd password which gets us root 01:01:10 - Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration 01:04:30 - Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD 01:06:40 - Forwarding PostGres to our server with chisel so we can dump the database 01:12:20 - Enumerating PostGres manually to dump