HackTheBox - Bagel

Name: HackTheBox - Bagel
Uploaded: 2023-06-03T15:00:37Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 02:50 - Taking a look at the web page 04:30 - Looking for LFI, then exploring /proc to find where the applica...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 02:50 - Taking a look at the web page 04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code 06:30 - Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets 07:55 - Using wscat to test the websocket 09:00 - Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll 13:45 - Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files 15:00 - Looking at…

Watch on YouTube ↗ (saves to browser)

Chapters (14)

Introduction

1:00 Start of nmap

2:50 Taking a look at the web page

4:30 Looking for LFI, then exploring /proc to find where the application is and ext

6:30 Taking a look at the Python Source Code and discovering port 5000 is the dotne

7:55 Using wscat to test the websocket

9:00 Bruteforcing the /proc/{pid}/cmdline directory in order to see running process

13:45 Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet

15:00 Looking at what TypeNameHandling means in NewtonSoft's deserialize

20:00 Looking for a gadget to use with our deserialization

21:40 Building the deserialization payload

23:20 Dumping Phil's SSH Key, then logging in

25:00 The dotnet app, had developers password, switching to that user

25:50 Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →