HackTheBox - Laboratory

IppSec · Intermediate ·🔐 Cybersecurity ·5y ago

Skills: Security Basics90%Tool Use & Function Calling80%AI Security70%Defensive AI60%

01:00 - Start of nmap, looking at SSL Certificates to get a hostname 02:20 - Examining the website 04:30 - Getting git.Laboratory.htb out of the certificate and checking that host 06:10 - Registering for a GitLab Account then poking at gitlab 07:20 - Getting the GitLab Version and finding a Vulnerability 09:20 - Creating two issues, so we can perform the LFI 11:45 - Using the LFI to extract the application secret then b 15:55 - Installing a vulnerable gitlab docker so we can build our serialized payload 17:00 - Starting the docker container, then executing bash inside of it 17:55 - Changing the docker secret to the one of Laboratory 18:25 - Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console 19:20 - Creating the serialization payload 22:10 - Reverse shell as git returned. Discovering we are inside of docker 23:00 - Running the automated docker script DeepCe 24:50 - Playing with the gitlab console to turn our user into an admin 27:00 - Sorry for the abrupt cut, phone went off and edited that out poorly. 27:15 - Viewing projects on gitlab as admin to find an SSH Key 31:20 - Shell as dexter, running LinPEAS 34:05 - SetUID Binary docker-security found, searching for strings then running ltrace 34:50 - ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell 36:50 - Going over notes

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Security Basics

View skill →

HackTheBox - Analytics

HackTheBox - Analytics

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

Amazon Web Services

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Configure and Deploy AWS Client VPN

Configure and Deploy AWS Client VPN

Related AI Lessons

Virtual Keyboard Login with PingOne Advanced Identity Cloud

Learn how to use a virtual keyboard for secure login with PingOne Advanced Identity Cloud to prevent keylogger attacks

Medium · Cybersecurity

Why Businesses Quietly Accept Technology Friction as “Normal”

Businesses often accept technology friction as normal, but it can have significant impacts on productivity and security

Medium · Cybersecurity

The Model You Just Downloaded Might Own Your Network — What I Learned Building Defenses Against AI…

AI models from public repositories can pose a significant threat to enterprise security due to poisoned weights, and learning to defend against them is crucial

Medium · Cybersecurity

I Found Backdoored AI Models on Hugging Face — And So Has Everyone Else Who Bothered to Look

Backdoored AI models are prevalent on Hugging Face, posing a significant security risk to the AI supply chain, and it's crucial to secure it

Medium · Cybersecurity

Chapters (21)

1:00 Start of nmap, looking at SSL Certificates to get a hostname

2:20 Examining the website

4:30 Getting git.Laboratory.htb out of the certificate and checking that host

6:10 Registering for a GitLab Account then poking at gitlab

7:20 Getting the GitLab Version and finding a Vulnerability

9:20 Creating two issues, so we can perform the LFI

11:45 Using the LFI to extract the application secret then b

15:55 Installing a vulnerable gitlab docker so we can build our serialized payload

17:00 Starting the docker container, then executing bash inside of it

17:55 Changing the docker secret to the one of Laboratory

18:25 Restarting with gitlab-ctl restart, then entering the console with gitlab-rail

19:20 Creating the serialization payload

22:10 Reverse shell as git returned. Discovering we are inside of docker

23:00 Running the automated docker script DeepCe

24:50 Playing with the gitlab console to turn our user into an admin

27:00 Sorry for the abrupt cut, phone went off and edited that out poorly.

27:15 Viewing projects on gitlab as admin to find an SSH Key

31:20 Shell as dexter, running LinPEAS

34:05 SetUID Binary docker-security found, searching for strings then running ltrace

34:50 ltrace shows the binary does not use absolute path, doing a PATH HIJACK to tri

36:50 Going over notes

VPC Service Controls: Day Two Operations