HackTheBox - Caption

** See Pinned Comment for Root Shell. 00:00 - Introduction 01:00 - Start of nmap 03:40 - If you want to learn more about Varnish check out Forgot 04:00 - Looking at the Git Repo, discovering the Infra stack HAProxy, Varnish, Flask 08:45 - Discovering Margo's password in an old commit 10:00 - Testing if we can put a line break in the URL to bypass HAProxy's ACL (like in Skyfall) 12:04 - Using H2CSmuggler to use an HTTP2 upgrade to bypass the HAproxy ACL 16:50 - Poisoning the cache and placing an XSS Payload in the UTM_Source Tracker 23:30 - Got an Admin Cookie, using it to access the logs page via h2csmuggler 27:45 - Looking at the logs, showing there's an ecdsa key that margo uses 29:45 - Googling the URL we downloaded the logs from discovering its copyparty which has a file disclosure exploit 33:00 - Having a hard time enumerating what user is running copyparty, guessing each user and finding an SSH Key 36:00 - Looking at the custom LogService binary which is an Apache Thrift service 40:30 - Creating a go program to make an Apache Thrift Request 46:50 - Creating our payload that will perform the command injection. See pinned comment if you have problems here.