Hack The Box Overflow

Views: 4

00:00 Intro 01:00 Start of nmap 02:20 Taking a look at the website 03:10 Examining the AUTH Cookie and talking about why its unique 05:40 Running FeroxBuster, talking about why I started using it 08:15 Examining the length of the cookie with various usernames to discover the cookie length changes 11:30 Discovering the block size 12:30 Modifying the cookie and getting an Invalid Padding error message. Which indicates it may be vulnerable to Padding Oracle 14:20 Running padbuster to perform the Padding Oracle attack and decrypt the cookie. Then creating a new cookie changing our username 19:30 Changing our cookie to the forged one and logging into the application as Administrator 21:05 Finding an SQL Injection in the Logs endpoint, using SQLMap to dump everything 29:15 Going over the SQLMap history files to view previously dumped data, so we don t have to make more requests to the server