HackTheBox - Laboratory

Name: HackTheBox - Laboratory
Uploaded: 2021-04-17T15:00:30Z
Channel: IppSec
Description: 01:00 - Start of nmap, looking at SSL Certificates to get a hostname 02:20 - Examining the website 04:30 - Getting git.Laboratory.htb out of the certifi...

IppSec · Intermediate ·🔐 Cybersecurity ·4y ago

01:00 - Start of nmap, looking at SSL Certificates to get a hostname 02:20 - Examining the website 04:30 - Getting git.Laboratory.htb out of the certificate and checking that host 06:10 - Registering for a GitLab Account then poking at gitlab 07:20 - Getting the GitLab Version and finding a Vulnerability 09:20 - Creating two issues, so we can perform the LFI 11:45 - Using the LFI to extract the application secret then b 15:55 - Installing a vulnerable gitlab docker so we can build our serialized payload 17:00 - Starting the docker container, then executing bash inside of it 17:55 - Changing th…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

1:00 Start of nmap, looking at SSL Certificates to get a hostname

2:20 Examining the website

4:30 Getting git.Laboratory.htb out of the certificate and checking that host

6:10 Registering for a GitLab Account then poking at gitlab

7:20 Getting the GitLab Version and finding a Vulnerability

9:20 Creating two issues, so we can perform the LFI

11:45 Using the LFI to extract the application secret then b

15:55 Installing a vulnerable gitlab docker so we can build our serialized payload

17:00 Starting the docker container, then executing bash inside of it

17:55 Changing the docker secret to the one of Laboratory

18:25 Restarting with gitlab-ctl restart, then entering the console with gitlab-rail

19:20 Creating the serialization payload

22:10 Reverse shell as git returned. Discovering we are inside of docker

23:00 Running the automated docker script DeepCe

24:50 Playing with the gitlab console to turn our user into an admin

27:00 Sorry for the abrupt cut, phone went off and edited that out poorly.

27:15 Viewing projects on gitlab as admin to find an SSH Key

31:20 Shell as dexter, running LinPEAS

34:05 SetUID Binary docker-security found, searching for strings then running ltrace

34:50 ltrace shows the binary does not use absolute path, doing a PATH HIJACK to tri

36:50 Going over notes

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →