HackTheBox - Blurry

00:00 - Introduction 01:05 - Start of nmap, then gobuster to do a vhost scan 05:50 - Enumerating RocketChat version by looking at the version of Meteor it uses 10:30 - Registering for a RocketChat Account then reading the chat to get information about ClearML 11:50 - Logging into ClearML, looking at the project to see some scripts which are running 13:30 - Discovering ClearML Version in the footer of the settings page and finding public exploits 15:50 - Setting up the ClearML API on our box 18:30 - Building our script to upload a pickle artifact to ClearML And getting a shell 27:30 - Copying the SSH Key from the box and logging in 28:30 - We can run a bash script with sudo that runs a pytoch model, before doing so it uses Fickle to identify if it malicious 30:30 - Creating an exploit script to save a malicious pytorch file and getting a root shell 33:00 - BEYOND ROOT: Going into Fickling about how it works, changing our payload from os.system to subprocess.popen and seeing its detection gets less confident 38:00 - Showing you can import fickling in your project which hooks the unserialize function and refuses to unserialize anything thats not safe 40:00 - Disassembling the pytorch file to show what fickle looks at 43:00 - Start of dumping MongoDB - failing to find an IP Address because our netcat was doing a DNS Lookup 52:00 -- Downloading Mongo Database Tools so we can do a mongodump and view all the data