HackTheBox - Feline

Name: HackTheBox - Feline
Uploaded: 2021-02-20T15:02:27Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap digging into Version numbers of applications 04:00 - Finding Tomcat is an old version 06:00 - Checking out the web p...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:00 - Start of nmap digging into Version numbers of applications 04:00 - Finding Tomcat is an old version 06:00 - Checking out the web page 07:45 - Playing with the file upload, uploading an EICAR to test virus scanning 12:00 - Finding if we put a directory or nothing for filename we get an error message 14:00 - Looking at Tomcat exploits to see that we may be able to perform a deserialization attack by uploading a serialized object 17:00 - Using ysoserial to generate a CommonsCollection payload 18:15 - Showing a trick to copy binary content into BurpSuite 22:00 - Testing RCE …

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:00 Start of nmap digging into Version numbers of applications

4:00 Finding Tomcat is an old version

6:00 Checking out the web page

7:45 Playing with the file upload, uploading an EICAR to test virus scanning

12:00 Finding if we put a directory or nothing for filename we get an error message

14:00 Looking at Tomcat exploits to see that we may be able to perform a deserializa

17:00 Using ysoserial to generate a CommonsCollection payload

18:15 Showing a trick to copy binary content into BurpSuite

22:00 Testing RCE by making the application ping us

22:30 Failing to get a reverse shell, going through a lot of issues, attempting to e

29:20 Attempting to use a different one-liner to get a shell

32:30 Giving up using one liners, sometimes two payloads are better than one. Downlo

37:00 Discovering Docker is running on this box

40:35 Finding out SALT is running on this box, which did have an unauth RCE recently

44:40 Running chisel to forward SALT Ports which are listening on localhost (firewal

50:20 Downloading a different exploit as the one we had doesn't seem to be working

53:00 Getting a reverse shell with the SALTSTACK exploit and using script to log all

56:00 Reverse shell returned and we are in a Docker Container. This is weird.

57:55 Running LinPEAS and discovering it has docker.sock exposed in it, along with .

58:50 Exploring the Docker Web API, which we can access through the exposed docker s

1:03:25 Doing some redirection magic to allow the Web API Request to be sent to our bo

1:05:50 Creating a JSON File which we will use in our HTTP Request to create a new doc

1:07:30 Using CURL To make the request and send our JSON File

1:08:45 Fixing up our

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →