The demonstration shows how a leaked HMAC secret can turn a secure webhook into an exploitable entry point, illustrating the cascading risk of weak integration practices for organizations that rely on third‑party services.
The video walks viewers through the Hack The Box “WhiteRabbit” machine, beginning with a standard Nmap scan that reveals three open ports: SSH on 22, HTTP on 80 served by Caddy, and a secondary SSH on 2222 likely running inside a Docker container. After adding the virtual host entries to the local hosts file, the presenter examines the single‑page Vue.js front‑end, discovers a public status subdomain, and identifies an uptime‑kuma instance. By fuzzing subdomains with ffuf, a hidden status page (status.white‑rabbit.htb) is uncovered, exposing a dashboard that hints at further services such as GoFish and Wiki.js.
The core of the exploitation chain revolves around a GoFish webhook that validates incoming POST bodies with an HMAC signature. The presenter finds the signing secret leaked in the source code, allowing them to forge valid signatures. Using Burp Suite’s match‑and‑replace feature, they automate the signature regeneration for each request, then pivot to the webhook’s SQL query, which concatenates the supplied email field directly into a SELECT statement. This classic SQL injection vector is confirmed with a manual payload, and the presenter demonstrates how to pipe the traffic through a custom Python proxy to feed tools like sqlmap for automated data extraction.
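The two defects the video chains, a signature check whose secret sits in the source and a query that concatenates the email, are illustrated here in an added example that is not code from the video or from GoFish: a minimal webhook receiver that reads the secret from the environment, verifies the HMAC in constant time, and queries with a bound parameter, shown next to the concatenating lookup for comparison. The hex HMAC-SHA256 signature format, the sqlite schema and the sample rows are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import sqlite3

# Assumption: the shared secret comes from the environment rather than being
# hard-coded, which is how the secret in the video ended up readable in source.
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "constructed-demo-secret").encode()


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw body (constructed format, an assumption)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature_header: str) -> bool:
    """Constant-time comparison so a byte-by-byte mismatch does not leak timing."""
    return hmac.compare_digest(sign(body), signature_header or "")


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "admin"), ("bob@example.com", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the video describes: attacker-controlled text becomes SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = '" + email + "'").fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the same text is only ever compared as a literal value."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


def handle_webhook(conn: sqlite3.Connection, body: bytes, signature_header: str) -> dict:
    """Reject unsigned/tampered bodies first, then query with the safe lookup."""
    if not verify(body, signature_header):
        return {"status": 401, "rows": []}
    payload = json.loads(body)
    return {"status": 200, "rows": lookup_safe(conn, payload.get("email", ""))}
```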
Alongside the SQL injection, the video highlights two additional privilege‑escalation avenues: an insecure Restic backup service and a custom password generator that seeds its randomness poorly. The presenter briefly shows how to exploit the backup service to retrieve configuration files and how the weak seed can be brute‑forced to recover admin credentials. Throughout, the narrator emphasizes the importance of chaining multiple low‑level findings—subdomain enumeration, HMAC key leakage, and injection—to achieve full machine compromise.
The walkthrough underscores the value of methodical reconnaissance, tool integration (ffuf, Burp Suite, sqlmap, custom proxies), and the habit of inspecting third‑party integrations for credential leaks. For penetration testers, WhiteRabbit serves as a textbook example of how a seemingly innocuous webhook can become the linchpin for a full compromise when combined with classic web‑application flaws.