Feb. 17, 2024, 3 p.m. | IppSec

IppSec www.youtube.com

00:00 - Introduction
01:00 - Start of nmap
02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django
07:50 - Using FFUF to brute-force IDs of uploaded files; can discover valid IDs but not view the ID itself
14:00 - Accidentally deleting something important when fuzzing; always be careful of what you are doing with tools
16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into …
