HackTheBox – Health

00:00 – Intro
01:00 – Start of nmap
02:50 – Taking a look at the website
03:30 – Testing the webhook to see the app will send us information about a web page
04:20 – Trying to access port 3000, getting blocked by a filter trying to include 127.0.0.1 and 0x7f000001
06:20 – Playing with the webhook to see if it will send us the entire page
07:10 – Having our webserver redirect to localhost, to see if this bypasses the filter and getting the web page on port 3000
10:20 – The application on port 3000 is gogs 0.5.5 which is from 2014!
12:15 – Setting up a local instance of GOGS so we can build a payload to exploit this
15:40 – Playing with a union injection, then looking at the database to see number of columns in the user table
19:30 – Have a basic Union Injection payload, grabbing multiple fields from the SQLite Database
23:30 – Checking how the password is encoded by examining gogs source
26:10 – Testing out cracking our hash
30:05 – Passing our SQL Injection payload through SSRF to attack the target and get a user password
40:00 – Using Pspy to see a cron job running as root that uses artisan to execute a web function
44:00 – Exploring the web source to discover the webserver uses file_get_contents on monitored url
46:30 – Poisoning the MySQL Database to have the monitored URL retrieve and send a file

source