![pollution | hack the box | HTB | Malayalam | XXE](https://1a-1791.com/video/s8/1/a/6/D/z/a6Dzl.qR4e-small-pollution-hack-the-box-HTB-.jpg)
pollution | hack the box | HTB | Malayalam | XXE
Pollution is a hard Linux box. It starts off with a Burp history file attached to a forum post; using a token from one of the captured requests we escalate to admin, which exposes an endpoint vulnerable to XML external entity (XXE) injection. With that we read files, including the site's source code, which gives us access to Redis, where we modify our session's access level at the database level. The site also has a PHP local file include (LFI) that we exploit with a php://filter chain (filter injection) to get code execution. From there we move to the next user by exploiting PHP's FastCGI Process Manager (PHP-FPM), and finally exploit a prototype pollution vulnerability to gain root.
0:00 nmap
1:26 accessing website
1:56 discovering hostname
2:48 enumerating Vhost
4:02 Discovering Burp history
6:49 CyberChef
7:33 accessing set role admin
10:59 accessing admin page
12:57 Blind XXE
13:52 Attacking XXE
15:57 Leaking site files using XXE
20:09 cracking using john
20:55 Developers
21:38 source code for login.php
23:04 accessing redis using redis-cli
24:38 changing session access
27:00 LFI to RCE
31:40 as www-data
32:45 rlwrap
35:45 FPM exploiting
39:23 Shell as Victor
43:04 Root
55:09 prototype pollution
Support my channel by subscribing to hack the box:
https://affiliate.hackthebox.com/29icft3zq24o
Disclaimer :
All videos and tutorials are for informational and educational purposes only. The tutorials and videos provided here are only for those who are interested in learning about cyber security, penetration testing and malware analysis. Hacking tutorials are against misuse of the information and we strongly advise against it.
All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission. We want to raise security awareness and inform our viewers on how to avoid becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this page now. We cannot be held responsible for any misuse of the given information.
1. Information provided on this channel is for educational purposes only. This channel is in no way responsible for any misuse of the information.
2. This channel is all about ethical hacking.
3. This channel is meant solely for providing information on "Computer Security", "Computer Programming" and other related computer tricks and tweaks, and is in no way related to "CRACKING" or unethical "HACKING".
4. I may include a few blogs which contain information related to "hacking passwords" or "hacking email accounts" or similar terms. You shall not misuse that information to gain unauthorised access. Also be aware that performing hacking attempts without permission on computers that you do not own is illegal.
5. I will not be responsible for any direct or indirect damage caused by the use of the information provided on this site.
6. I reserve the right to modify the Disclaimer at any time without notice.
#parrotos
#kalilinux
#cybersecurity
#ethicalhackingmalayalam
#cybersecuritymalayalam
#xml
#XXE