HackTheBox - Fatty

00:00 - Intro 02:10 - Using wget to recursively download files off an annonymous FTP Server 06:00 - Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again 08:00 - Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp 11:00 - BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features 15:20 - Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source 20:40 - Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello World Java Application 25:30 - Importing a Java JAR File into our Java Project then calling Login 33:40 - Replicating the functionality to identify what Role we are, then other functions 37:45 - Calling the Invoker Class to execute methods on the server 42:50 - Attempting to call methods that the GUI prohibited us from 45:30 - Using ShowFiles to see we can list files in our parent directory, then using Open to download files 53:40 - Failing to download the fatty-server.jar file due to encoding issues 58:40 - Unsealing the JAR File so we can edit the Invoker Class Object to fix our encoding issue by creating a binaryOpen function 1:10:00 - Utilizing our new binaryOpen function to write to a file 1:14:45 - Debugging a null pointer error, our binaryOpen function returned nothing! 1:21:00 - Decompiling the downloaded fatty server and analyzing it to discover a SQL Injection and Deserialization vector 1:28:50 - Playing with SQL Injections in the username to get an admin session 1:40:00 - Modifying the ChangePW Function to allow us to send malicious payloads, then using ysoserial to generate a payload 1:48:30 - Using CommonsCollections5 to generate a malicious payload to send and getting a reverse shell 1:57:17 - Getting PsSpy on the box and discovering SCP is pulling files 1:59:50 - Explaining what our exploit path is, having a tar overwrite itself and point to authorized_keys then