HackTheBox - Unicode

IppSec
19.2K views - 2 years ago - 00:00 -
00:00 - Intro
01:00 - Start of nmap
02:20 - Registering and logging in and examining what a regular user can do
03:30 - Playing with the file upload capability
04:20 - Discovering there is a JWT in our HTTP request, examining it to see it is RS256 and has a JKU claim
07:55 - Explaining how we are going to exploit the claim misuse vulnerability in this JWT
09:45 - Creating a JWT header with a modified URL for the claim; the website says it's an invalid key but doesn't reach out to us
12:20 - Using the redirect functionality on the web page to allow us to place the website's domain in our JKU claim
15:10 - Modifying the JWK file to place our own RSA key and generating one with ssh-keygen and openssl
18:00 - Showing us pulling N and E out of the RSA key
21:30 - Converting the SSH public key into a certificate
24:24 - Updating the JWT to change our name to admin and finding an LFI vulnerability
27:27 - Attempting to use wfuzz to bypass the filter
33:40 - Giving up fuzzing with wfuzz
35:10 - Explaining why I'm going to try testing for Unicode normalization and what it is, grabbing a payload from HackTricks
37:10 - Exploring /proc/self/ and hunting for the location of the web app
39:02 - Finding the Python application by using the /proc/self/cwd directory, then grabbing db.yaml and getting SSH credentials
42:20 - Discovering a TREPORT binary, which is a compiled Python file
43:45 - Discovering the TREPORT binary uses curl, which is weird
45:20 - Discovering the TREPORT binary will allow us to use the file wrapper if we bypass the filter
46:50 - Bypassing the space filter in the TREPORT binary using brace expansion in bash and having curl write the flag to /tmp
49:00 - Downloading an SSH key and allowing us to log in as root
50:00 - Examining the web application to show the Unicode normalization vulnerability
56:30 - Looking at the user table to discover admin doesn't exist
57:58 - Finding out the login form was supposed to display errors but didn't because some Jinja2 templating code was missing
1:01:20 - Flailing around fixing the template to display error messages
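The JKU claim misuse covered at 04:20 through 12:20 works because the server fetches whatever JWKS URL the token names and only checks that the URL starts with its own domain, which the site's redirect endpoint then defeats. Below is an added example of the defensive side (not IppSec's code or the box's application): an exact-URL allowlist for the JKU claim plus a JWKS fetch that refuses redirects. The allowlisted URL, the `app.example` host and the `/redirect/?url=` path are constructed placeholders.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist: the only JWKS document this service will ever trust.
ALLOWED_JKU = {"https://app.example/.well-known/jwks.json"}


def parse_header(token: str) -> dict:
    """Decode the JWT header (base64url, padding restored) without trusting it."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def jku_allowed(jku: str) -> bool:
    """Exact https match against the allowlist; a startswith() host check
    would accept https://app.example/redirect/?url=... and follow it away."""
    parts = urlsplit(jku)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    return jku in ALLOWED_JKU


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse 3xx responses instead of silently following them off-site."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_jwks(jku: str) -> dict:
    """Fetch the JWKS only after the allowlist check, and never follow redirects."""
    if not jku_allowed(jku):
        raise ValueError(f"jku not allowlisted: {jku!r}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(jku, timeout=5) as resp:
        return json.load(resp)


def select_key(jwks: dict, kid: str) -> dict:
    """Pick the RSA JWK by kid from the trusted document, never from the token."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    raise KeyError(f"no RSA key with kid {kid!r}")
```

Signature verification itself is then done with the selected key from the trusted JWKS, so a token that carries its own `n` and `e` or points `jku` anywhere else never reaches the verifier.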
Published 2 years ago, on 1401/02/17.
19,280 views