HackTheBox - Feline

00:00 - Intro 01:00 - Start of nmap digging into Version numbers of applications 04:00 - Finding Tomcat is an old version 06:00 - Checking out the web page 07:45 - Playing with the file upload, uploading an EICAR to test virus scanning 12:00 - Finding if we put a directory or nothing for filename we get an error message 14:00 - Looking at Tomcat exploits to see that we may be able to perform a deserialization attack by uploading a serialized object 17:00 - Using ysoserial to generate a CommonsCollection payload 18:15 - Showing a trick to copy binary content into BurpSuite 22:00 - Testing RCE by making the application ping us 22:30 - Failing to get a reverse shell, going through a lot of issues, attempting to encode our command to avoid bad characters 29:20 - Attempting to use a different one-liner to get a shell 32:30 - Giving up using one liners, sometimes two payloads are better than one. Downloading a script and then executing it. 37:00 - Discovering Docker is running on this box 40:35 - Finding out SALT is running on this box, which did have an unauth RCE recently (Salt Stack) 44:40 - Running chisel to forward SALT Ports which are listening on localhost (firewall bypass) 50:20 - Downloading a different exploit as the one we had doesn't seem to be working 53:00 - Getting a reverse shell with the SALTSTACK exploit and using script to log all the output of our reverse shell 56:00 - Reverse shell returned and we are in a Docker Container. This is weird. 57:55 - Running LinPEAS and discovering it has docker.sock exposed in it, along with .bash_history works. 58:50 - Exploring the Docker Web API, which we can access through the exposed docker socket 1:03:25 - Doing some redirection magic to allow the Web API Request to be sent to our box which automatically does JQ to prettify it 1:05:50 - Creating a JSON File which we will use in our HTTP Request to create a new docker container 1:07:30 - Using CURL To make the request and send our JSON File 1:08:45 - Fixing up our