HackTheBox - Sink
00:00 - Intro
01:00 - Start of nmap, finding that the version of gunicorn is from 2019
06:15 - Enumerating the Gitea version (the 404 error page shows it)
08:10 - Trying to find the Gitea version another way (HTTP files)
09:30 - Downloading jquery.js, grabbing the md5, then using VirusTotal to get an idea of when it was released
11:30 - Looking at the second website (running on gunicorn)
13:20 - Testing for IDOR vulnerabilities in /notes/; can confirm a note exists but cannot read anything
14:40 - Start of explaining the HTTP smuggling
17:30 - Adding non-ASCII characters to Burp Suite requests via Base64 decoding
19:40 - Explaining HTTP chunking
22:30 - Smuggling request created; re-explaining the attack and the importance of Content-Length
26:55 - Sending the smuggling request in Burp Suite, then getting the cookie of another user
28:25 - Explaining why the attack is unreliable in Burp Suite, then using Python to do it
40:15 - The administrator can read three new notes with some saved credentials. Logging into Gitea
44:40 - Looking at git history to find an SSH key, then logging into the server
49:40 - Enumerating AWS using the CLI
50:40 - Enumerating AWS logs using the CLI to identify some secret rotation events
54:30 - Enumerating AWS Secrets Manager using the CLI to get another user's password
58:45 - Utilizing AWS KMS to decrypt a file
1:09:20 - Extra content, explaining some unique iptables routing that went into this box to make it stable