OffSec Proving Grounds - InsanityHosting
In this video, we take on InsanityHosting from OffSec Proving Grounds in preparation for the OSCP exam. This was a hard difficulty machine and it involved some great techniques. We do some web application enumeration to find a monitoring service that sends emails to a mail server also hosted on the web application. We find that the monitoring service is vulnerable to second-order SQLi, and we use that vulnerability to gain credentials and initial access on the box. We then do some manual enumeration on the machine and find a Firefox browser with encrypted stored credentials, which we transfer to our box using netcat. A POC script decrypts those stored credentials with the encryption key from the key database, and we are able to SSH as root from there.

If you guys enjoyed the video and want to see us go through more OSCP practice machines, go ahead and subscribe!: https://www.youtube.com/channel/UCLbv08voDeZAbs0M16ar8vg?sub_confirmation=1

Timestamps:
0:00 Introduction
0:41 Start of Nmap scan
2:03 Enumerating anonymous FTP access
2:55 Start of the enumeration of the web application
3:55 Enumerating directories through FFUF to find a couple of interesting things
5:52 Looking into the /news directory, which gives us a little information on a potential user
8:02 Enumerating the /data directory, which just gives us a version number of some type
9:00 Taking a look at the /webmail directory to see if there are any public exploits or default credentials
10:16 Explaining the plan of action and the weird behavior the web application was producing when trying to enumerate valid credentials with Burp
12:04 Start of the brute force using Burp Intruder in order to try and successfully log in as otis
15:07 Logging into the monitoring service dashboard as otis with the found password
15:34 Demoing the weird behavior involving session cookies and Intruder, and showcasing the workaround
17:36 Start of the monitoring service enumeration, exploring the functionalities and possible vulnerabilities
20:25 Viewing the downtime reports produced by the monitoring service through the SquirrelMail email client
23:14 Identifying that we have SQLi through a basic SQL query in the name parameter
24:57 Start of UNION SQLi in order to attempt to extract data from the backend server
27:13 Ran into some issues reliably retrieving information using a UNION query; start of the troubleshooting portion of the video
28:25 Identifying the databases available to us, enumerating the mysql database through Google in order to view what tables and columns we can request information from
30:05 Harvesting user credentials from the mysql database using a user, password, authentication_string column query
31:25 Cracking the hashed password using CrackStation and logging into the box through SSH as elliot
32:50 Start of manual enumeration of the host
34:20 Taking a look at the backend of the web application to see how the monitoring service worked
37:02 Identifying Firefox being installed on the host, holding the possibility of stored credentials
37:55 Searching for a script that will decrypt user encrypted credentials using the key.db and logins.json files
39:41 Transferring the files from the host machine to the attacker machine through /dev/tcp and utilizing netcat with redirectors to recreate the files on the attacker machine
41:14 Decrypting the Firefox encrypted passwords to get root's credentials and logging into the box as root

#capturetheflag #hackthebox #cybersecurity #offensivesecurity #oscp #provinggrounds #offsec #ethicalhacking #cybersec
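The core weakness in this box is a second-order SQL injection: the monitoring service stores a monitor name safely, but later reads it back and splices it into a new query when building downtime reports. The following example is added here for illustration and is not code from the video or from the Proving Grounds machine; the table layout, function names and sample rows are assumed. It shows a minimal vulnerable report builder next to the hardened version, using an in-memory SQLite database so it runs offline.

```python
import sqlite3


def setup_db():
    """Create a constructed sample monitors table with two legitimate owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE monitors (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, url TEXT)"
    )
    conn.executemany(
        "INSERT INTO monitors (owner, name, url) VALUES (?, ?, ?)",
        [
            ("otis", "otis-site", "http://otis.example"),      # constructed sample row
            ("elliot", "elliot-site", "http://elliot.example"),  # constructed sample row
        ],
    )
    conn.commit()
    return conn


def add_monitor(conn, owner, name, url):
    """First-order write. This statement is parameterized, so any quotes or SQL
    keywords in `name` are stored verbatim: input validation at write time is
    what most code reviews look at, and it passes here."""
    conn.execute(
        "INSERT INTO monitors (owner, name, url) VALUES (?, ?, ?)", (owner, name, url)
    )
    conn.commit()


def downtime_report_vulnerable(conn, owner):
    """Second-order sink. The stored name is trusted because it 'came from the
    database' and is concatenated into a fresh query, so whatever was stored
    at write time is now interpreted as SQL."""
    rows = []
    for (name,) in conn.execute("SELECT name FROM monitors WHERE owner = ?", (owner,)):
        sql = f"SELECT owner, name, url FROM monitors WHERE name = '{name}'"
        rows.extend(conn.execute(sql).fetchall())
    return rows


def downtime_report_safe(conn, owner):
    """Hardened sink: every query is parameterized, including the one whose
    input was read back from the database. The stored name is matched as a
    literal, so it can only ever select its own row."""
    rows = []
    for (name,) in conn.execute("SELECT name FROM monitors WHERE owner = ?", (owner,)):
        rows.extend(
            conn.execute(
                "SELECT owner, name, url FROM monitors WHERE name = ?", (name,)
            ).fetchall()
        )
    return rows


def demo():
    """Store a monitor name containing a tautology and compare both report paths.
    Returns (rows from the vulnerable path, rows from the safe path)."""
    conn = setup_db()
    # Constructed test value: a name that is harmless when stored but changes the
    # meaning of the report query once it is spliced in as raw SQL.
    add_monitor(conn, "tester", "x' OR '1'='1", "http://tester.example")
    return downtime_report_vulnerable(conn, "tester"), downtime_report_safe(conn, "tester")


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable report rows:", vulnerable_rows)  # leaks every owner's monitor
    print("safe report rows:", safe_rows)              # only the tester's own row
```

The defensive point is that the fix is not stricter validation on the form that creates a monitor; it is parameterizing every statement, including ones whose inputs come from your own tables. When reviewing code like this, search for string-built SQL in background jobs and report generators, since those are exactly the paths that run after the obvious input checks.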