HackTheBox - BlockBlock

00:00 - Introduction
01:00 - Start of nmap
02:15 - Registering an account and discovering the chat, examining the source and seeing a database Solidity contract
04:45 - Testing for XSS, discovering it within the username
06:00 - The /api/info page exposes the JWT, which lets us exfiltrate it even if HttpOnly is set
07:10 - Using FeroxBuster to enumerate the API with different methods
10:00 - Discovering XSS in the Report feature and getting a hit from the admin, then creating a JS payload to exfiltrate the admin token
16:00 - We are now the admin, which has access to a new endpoint that interacts with the blockchain via the JSON-RPC API; playing with endpoints
19:00 - Playing with eth_getAccount
19:30 - Playing with eth_getBlockByNumber, then viewing information on the chain. Enumerating all blocks starts revealing credentials
25:30 - Shell on the box as Keira, who can run forge as paul, which we can exploit two ways
26:15 - Exploiting forge with path injection, since sudo does not have env_reset set
29:10 - Exploiting forge with the build flag, which has command injection
31:00 - Paul can run pacman as root, which we can exploit a few ways. First we create a hook that runs a command on any package operation
35:40 - We could also just build a package that drops a new file, creating a malicious cron
40:30 - Creating a package that just runs a command