HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor

00:00 - Intro 01:00 - Start of nmap 02:00 - Using MSFVenom to upload a reverse shell to identify what the malware sandbox looks like 04:25 - Examining the source code of the sandbox 12:00 - Creating a program in C to see the size of an unsigned long 13:40 - Creating a program to replace the output of the trace program and exfil data via the return register on the webapp 20:50 - Creating a python program to automate uploading the file and returning the output 27:05 - Creating a program in C to perform ls, so we can enumerate the jail 34:00 - Changing our ls to enumerate /proc 36:25 - Adding a readlink() call to our ls program so we can view symlinks 41:00 - Discovering an open file descriptor in PID 1, using this to escape the jail and read /etc/passwd 44:40 - Dumping the Django Database 46:00 - Using hashcat to crack a custom salted MD5 hash/password 51:00 - Examining how the sandbox is created on the box itself, explaining how we can abuse setuid binaries because we can write to /lib (path injection) 53:20 - Using ldd to view all the libraries su needs, copying them to a directory 55:40 - Creating a malicious linux library with a constructor to execute code when it is loaded 59:18 - Changing our readfile poc to execute su and read the output, discovering we need to modify our malicious library slightly 1:02:10 - Adding a misc_conv function so our library loads and getting code execution as root