HackTheBox - Stacked

00:00 - Intro 00:57 - Start of Nmap 03:10 - Start of gobuster to enumerate VHOST and Files 07:15 - Showing how I like to find the needles in a haystack when it comes to parsing lots of data. 09:40 - Using google reverse image search to try to identify what a logo means 11:00 - Hunting for XSS, putting unique URL's in all fields (check for a callback later) 13:45 - Going over the Docker Compose file we had downloaded 14:50 - Discover our XSS Attack worked, looking for LocalStack CVE's and discovering one in the dashboard 18:15 - Start of exploiting the XSS 20:00 - Creating a CSRF to force the victim to navigate to pages and send us the date, read his email to discover an S3 Domain 30:00 - Start of looking at creating an AWS Lambda application 33:20 - Using aws cli to create a lambda function 39:30 - Creating a malicious lambda, then using XSS to send the user to the LocalStack dashboard and trigger our code 44:30 - Reverse shell returned on the docker container. Use PSPY to identify what localstack does when invoking lambda functions and finding an 0day 49:30 - Testing out our 0day, creating a malicious lambda and injecting when localstack creates a docker to run the code 51:50 - Got root on the localstack container, abusing our ability to create docker containers to escalate to root on the host system