HackTheBox - AppSanity
00:00 - Introduction
01:00 - Start of nmap, showing 5985 isn’t in the top1000 so doing a full port scan
04:40 - Taking a look at the MedDigi website
07:07 - Taking a look at the Signup Request seeing AcctType
09:30 - Changing the AcctType to 2 and getting a different privilege
14:00 - VHost enumeration shows the domain, using our pre-existing session from the main page on this domain to bypass login
17:52 - Discovering SSRF in the Prescriptions page
19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and upload ASPX Web Shells
25:30 - Going back to the SSRF and discovering we can use time-based queries to identify ports listening on localhost
28:30 - Using FFUF to filter by duration to show us the requests that don’t take a long time
38:22 - Discovering port 8080 shows our upload location, then navigating to it and getting a shell
42:22 - Finding DLL’s the webserver uses, they are
3 months ago 00:00:00 1
4 months ago 00:04:06 1
5 months ago 00:32:44 18
5 months ago 00:34:38 2
5 months ago 01:27:34 5
5 months ago 00:37:18 6
5 months ago 00:41:25 5
5 months ago 01:46:13 2
5 months ago 01:12:42 3
5 months ago 00:26:29 1
5 months ago 02:06:46 2
5 months ago 00:54:43 11
5 months ago 02:05:30 1
5 months ago 00:33:44 1
6 months ago 00:27:16 1
6 months ago 00:30:39 1
7 months ago 11:21:04 1
8 months ago 05:30:24 3
8 months ago 01:02:06 16
8 months ago 00:16:21 18
8 months ago 02:09:39 14
9 months ago 00:29:19 2
9 months ago 00:39:17 7
9 months ago 00:42:37 10
