HackTheBox - Headless

00:00 - Introduction
01:00 - Start of nmap
01:50 - Examining the cookie, measuring entropy with ent
04:30 - Testing the Contact Support form, putting HTML in the message triggers Hacking Attempt Detected
06:00 - Examining the /dashboard, playing with the cookie to see if we can view it
07:20 - Testing the Hacking Attempt Detected message for XSS
11:00 - Creating an XSS Payload to steal the cookie via fetch
14:40 - Replaying the cookie gets us into the Dashboard, finding command injection in the Generate Report
17:00 - Reverse shell returned
18:10 - Discovering DVIR can run Syscheck which is a bash script with a bash injection vulnerability and getting root
21:30 - Beyond root! Talking about how you can exfil HttpOnly cookies if you find a page that replays the request headers
23:50 - Start of creating a Javascript Payload to fetch a page and send it back to us
36:50 - Script finished, we can now control the user's browser and send the page back to us
39:15 - Changing the Javascript payload to perform the injection on Generate Report for us so we get RCE on the webserver via XSS