HackTheBox - Mentor

00:00 - Intro
01:00 - Start of Nmap
03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page
05:30 - Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account
07:00 - Logging into the endpoint, discovering how to send authentication to the endpoints. Don't really gain anything
10:40 - Using ffuf to search for extra endpoints and discover /admin/ but can't do anything
14:00 - Running NMAP again with UDP to discover SNMP
17:10 - EDIT: Showing the minrate with nmap to scan UDP much quicker
18:30 - Using SNMP Walk
19:40 - Using SNMP-BRUTE to bruteforce other community strings
20:45 - EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string
23:05 - Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk
25:00 - SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI
28:15 - Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages
30:50 - Discovering command injection in the backup endpoint
35:19 - Shell returned!
37:30 - Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic
40:45 - EDIT: Showing how we could background out reverse shell with nohup so we don't hang the webserver
47:15 - Cracking the hashes and getting svc's password and then logging into the server via SSH
53:00 - Doing some light forensics looking for files edited on the box shortly after linux was installed
56:45 - Finding a password in the snmpd password which gets us root
01:01:10 - Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration
01:04:30 - Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD
01:06:40 - Forwarding PostGres to our server with chisel so we can dump the database
01:12:20 - Enumerating PostGres manually to dump users, then showing how to run code on postgres servers
01:16:30 - Setting up the FastAPI Environment on our local box, copying files from the docker
01:18:30 - Doing some light edits on the FastAPI Code, so we can run it within an IDE and set breakpoints
01:24:14 - Start of adding auth to the /user/ endpoint.
01:30:15 - Fixing our /auth/login endpoint to accept our new login request
01:37:20 - Getting the browser to accept our bearer token
01:45:30 - Fixing up the /user/ endpoint to work with our bearer token
01:50:20 - Getting the user decorator to return the User Object which makes it easy for our code to identify our group