Appsanity starts with two websites that share a JWT secret, and thus I can get a cookie from one and use it on the other. On the first, I’ll register an account, and abuse a hidden input vulnerability to get evelated privilieges as a doctor role. Then I’ll use that cookie on the other site to get access, where I find a serverside request forgery, as well as a way to upload PDFs. I’ll bypass a filter to upload a webshell, and use the SSRF to reach the internal management page and trigger a reverse shell. From there, I’ll find the location of credentials in a .NET application, and extract a password from the registry to get another shell. Finally, I’ll reverse a C++ binary using ProcMon, Ghidra, and x64dbg to figure out a location where I could write a DLL and trigger it’s being loaded, giving shell as administrator.

0xdf hacks stuff

The post describes the author's findings while exploiting vulnerabilities in a web application. The author uncovers a hidden input vulnerability, abuse it to elevate privileges, bypass a filter to upload a webshell, trigger a DLL to be loaded, and reverse-engineer a .NET binary. They also explain how to extract an encryption key from the Windows registry.

HTB: Appsanity