HackTheBox - OpenSource - Attacking a Python WebApp and Backdooring GIT Configurations

00:00 - Intro
01:18 - Start of nmap
02:50 - Identifying a Docker exists based upon the Python Version in NMAP + SSH Version [MasterRecon]
04:23 - Navigating to the website downloading the source code available, there is a git folder switching branches
08:00 - Discovering a vulnerability in the os.path.join command, if we prefix our path with a slash it will overwrite the entire path
11:25 - Attempting to upload a malicious cron, docker isn't running cron so it …

git hackthebox opensource python webapp