UHC - BackendTwo

00:00 - Intro 00:49 - Start of nmap 02:17 - Talking about why dirbusting an API is different. Bruteforce methods instead of extensions and 404 doesn't terminate recursion 03:10 - Installing the latest version of FeroxBuster 04:40 - Running FeroxBuster with Force Recursion and multiple HTTP methods to discover user endpoints 06:45 - Downloading all users, creating a single json file, then using JQ to enable us to filter users 10:08 - Registering an account via the Signup endpoint. Analyzing errors to identify how it wants data 11:55 - Logging into the application in order to get a bearer token 13:08 - Using BurpSuite to add the Bearer Token to our HTTP Request and accessing /docs/ 15:10 - Playing with the edit endpoint in the docs page 16:38 - Testing for Mass Assignment, by editing our profile but adding the is_superuser parameter 19:15 - Using the file endpoint to extract files from the application 20:45 - Creating a bash script to make extracting files easier for us 23:45 - Using the LFI to examine the /proc/ directory to get cmdline of pid and ppid, along with environment variables 26:35 - Examining the LFI Source Code to identify how the application works and JWT is created 30:50 - Trying to write files, discovering we need to edit our JWT 32:45 - Creating a bash script that will update the webserver code to include another endpoint to send a reverse shell 41:50 - Reverse shell returned, reviewing the logs to identify a password was entered as a username 44:00 - Trying to use Sudo and getting to PAM-Wordle 45:05 - Analyzing timestamps on the filesystem with find to identify a PAM Module that was manually placed on the file system (not put there by APT) 48:25 - Running strings on the PAM Module, discovering the wordlist used for wordle is in a user-readable directory 49:00 - Using the wordlist to cheat wordle and root the box 50:10 - Examining the source code of the box to identify why it is vulnerable to the Mass Assignment