This is the first video of a series about Shinra, a virtual company in a private red team lab. We will conduct a full pentest on Shinra and explore various topics along the way.
We are solving Previse, an easy linux machine on HackTheBox that involves a Command Injection & Path Hijacking.
We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection.
This video is about Unobtainium, a 40-point Linux machine on HackTheBox. For user, we download an electron app and proxy it through burp to find some credentials, which we can then use on an API endpoint. Combining a command injection & prototype pollution will then lead to a first shell...
Solving Luanne on HackTheBox. This is an easy 20-point machine involving a simple command injection and some password cracking.
Solving Crossfit, a 50-point Linux machine on HackTheBox which involves a lot of cross-site scripting, a command-injection, and finally some light reversing.
Obscurity is a 30-point Linux machine on HackTheBox that involves exploiting a command injection in a custom webserver, breaking a simple cipher and abusing file system permissions to get root.
Bankrobber is a 50-point machine on hackthebox that involves exploiting a cross site scripting vulnerability to gain access to an admin account, using a command injection to get a user shell and exploiting a simple buffer overflow to become system.
Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The bgp hijacking part was a nice learning experience as this is a technique you probably don't see every day.