HackTheBox - Skyfall

00:00 - Introduction 01:11 - Start of nmap 03:00 - Discovering the demo subdomain, which is a Flask website 04:00 - Quickly playing with the File Download, Upload, and Rename -- Looking for low hanging fruit, not finding any 07:00 - Playing with the URL Fetch looking for a good SSRF, Discovering the site is likely in Docker 09:00 - Running FFUF with our SSRF to identify ports listening on the Host and Docker 11:30 - Talking about the two different 403's and why its important that one is coming from Flask and the other NGINX 15:00 - Talking about a URL Parsing bug between NGINX and PYTHON/WERKZEUG where strip is removing some special characters after NGINX letting us bypass the denylist 18:36 - Viewing the Metrics Page and getting information about MinIO Discovering it is out of date and exploiting CVE-2023-28432 to get the credentials 23:00 - Downloading the MinIO Client, then interacting with the filesystem manually 26:40 - Searching all fileversions on MinIO then finding an older copy of .bashrc which contains an hashicorp vault API Key 34:40 - Downloading and running the Hashicorp Vault Binary to interact with the service 37:20 - Showing how to identify all of our privileges, then creating an OTP for SSH and logging in 40:00 - Showing how this Vault Binary works by proxying the traffic 41:20 - Showing another way to do this step, by manually enumerating the API which exposes additional endpoints and the benefits of using a tool like Postman to manually enumerate API's 53:22 - Shell as askyy returned, discovering we can run vault-unseal with a few flags the d flag will output debug information to a file in our CWD but we can't read it 57:30 - Using libfuse to create a virtual mount on a directory we control, using memfs to log writes to this directory, so we can read what root writes