HackTheBox - Laser

00:00 - Intro 01:11 - Running nmap 03:20 - Discovering port 9100, and poking at it with nmap/pret 05:30 - Got access to the printer via PRET, dumping print jobs 07:20 - Running ENT to see the entropy is 7.99 which means it is probably encrypted... Then doing the same thing in Cyber Chef 10:50 - Discovering the encryption algorithm via inspecting variables on the printer. Then dumping the memory of the printer to get the AES Key and trying to decrypt in Cyber Chef 12:50 - Cutting up the Print Job with DD to extract the IV/Encrypted payload out of the print job. 18:58 - CyberChef decrypted our AES! Reading the PDF 23:46 - Creating the Protobuf object and converting to python 27:20 - Interacting with Port 9000 with our protobuf payload 31:10 - Attempting to Pickle a deserialization payload, to see its disabled 34:30 - Taking the example JSON Data and sending it to port 9000 and finding a SSRF Vulnerability! 41:00 - Using SSRF to scan ports on localhost and discovering SOLR 54:00 - Forcing the SSRF to send an HTTPS Post Request via GOPHER 58:00 - Sending the SOLR Post Payload 01:07:30 - Creating the second payload for SOLR 01:19:50 - Verifying our payloads doing some JSON Validation 1:31:50 - Finally fixed our payload! Darn URL Encoding issues. 1:35:50 - Reverse shell returned, doing some basic enumeration and seeing SSHPass 1:43:10 - Using PSPY to monitor processes and catching SSHPASS before it can rewrite its commandline 1:48:00 - Gaining root on the Docker Container, disabling SSH, and bending the port back at the host and gaining code execution