HackTheBox - Craft

01:20 - Begin of recon
03:18 - Checking out the HTTPS Certificate for potential hostnames
05:10 - Looking at api.craft.htb, appears to be some type of Documentation for the REST API
06:40 - Looking at gogs.craft.htb, no known exploits but there is some source code!
09:20 - Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out
11:25 - Attempting to crack the JWT (fails)
13:30 - Going back to the issues to see there is an eval() on user input
16:25 - Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog
18:57 - Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits
21:20 - Discovering Dinesh's credentials in an old git commit
25:05 - Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding
28:28 - Testing Code Execution from the previous git issue, use the test.py script as a skeleton.
31:30 - Getting a reverse shell with this exploit using exec(base64)
35:10 - Reverse Shell Returned
36:15 - Grabbing settings.py on the server to get a bunch of credentials
37:30 - Fixing our terminal to have the correct rows/columns so we can use vi
40:18 - Editing dbtest.py to dump all users from the database
42:00 - Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret
45:25 - Manually crafting a JWT in Python to show what to do if you are successful at cracking... Then trying to create a JWT that is not signed
49:10 - Logging into GOGS with the credentials we got from dumping the database
50:20 - Gilfoyle as a private repo, lets download it
53:30 - Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo
58:00 - An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS
01:00:00 - Bunch of references to Vault in LinPEAS, looking into what this is.
01:02:20 - The .vaulttoken file is saved creds, lets just use vault ssh to login to the box