Word Cookies Exploit
00:00 – Intro
01:24 – Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH
06:30 – Poking at the login for the flask application (Port 5000)
11:15 – Playing with the Change Password field, made a mistake which puts me down a rabbit hole
17:40 – Checking the Contact page, seeing we get banned with an XSS attempt but someone will click URLs if we send them
24:30 – Creating an account on Authorization.oouch.htb
27:40 – Enumerating the /token/ endpoint through error messages
30:20 – Using the webapp to give our authorization account access to our consumer account
38:45 – Going through the same workflow to give authorization access to consumer account, but tricking a different user into going to the last piece of the workflow
42:10 – We are now the QTC User! Going into the Documents shows some hints like a develop credential
45:50 – Reading the Django Docs to see how the oauth endpoints are setup, finding the application register endpoint and the develop creds to again access
51:00 – Looking at the oauth authorization workflow again in order to build an authorization link for our new application!
56:30 – Thanks to our application’s redirect url we stole QTC’s token which will eventually let us develop endpoints
1:00:20 – Used the token to authenticate and get our Bearer token, then playing with API endpoints and noticing get_user and get_userjaskldfj both go to the same route. Helpful when brute forcing
1:04:25 – TIL, I don’t know how to use FFU; eventually I switch to wfuzz to bruteforce the endpoint
1:08:46 – Got shell on the box, discover note.txt and it hints at DBUS
1:13:30 – Creating a bash script to ping/port scan in order to enumerate other containers
1:20:30 – Digging through the code in order to discover UWSGI and how the webapp sends, attempting to send the dbus message but getting access denied.
1:28:30 – Searching for a UWSGI Code execution route so we can switch to www-data, finding a script
1:38:30 – Reverse shell as www-data returned, doing the DBUS Message again via python to get code execution
1:44:40 – ALTERNATE DBUS Method – Using the dbus commands (busctl/dbus-send) to send the message without touching python
Check out the Rediff XSS exploit found in cheatsforwordcookies.com/blog.rediff.com, which is based on WordPress.
This Vulnerability was found by Subho Halder (@sunnyrockzzs), Aditya Gupta (@adi1391) and Dev Kar (@devkar25) from XY Security ( cheatsforwordcookies.com/xysec.com ).
Today I will share the secret underground forum where we chat and exchange information about hacking. Here you can learn new skills and listen to the best hackers in the world talk. You should sign up too.
Link to secret forum: cheatsforwordcookies.com/twitter.com/
My account: cheatsforwordcookies.com/twitter.com/LiveOverflow
1337List (currently not available): cheatsforwordcookies.com/twitter.com/1337list