HackTheBox - Talkative

Name: HackTheBox - Talkative
Uploaded: 2022-08-27T15:00:11Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:45 - Taking a look at websites, making note of all login prompts (bolt, rocketchat) 07:15 - Start of looking at J...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·3y ago

00:00 - Intro 01:00 - Start of nmap 02:45 - Taking a look at websites, making note of all login prompts (bolt, rocketchat) 07:15 - Start of looking at Jamovi, using the Rj Editor to execute code and get a reverse shell 09:10 - Using cat to send files over the network to our box and viewing the bolt-administration document 12:50 - Taking a credential from the document and logging into Bolt CMS 13:40 - Editing a theme in bolt to give us code execution 19:00 - Using script to get a full PTY since python isn't on this box 20:40 - Looking for passwords for bolt, finding a sqlite database 25:45 - Ge…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Intro

1:00 Start of nmap

2:45 Taking a look at websites, making note of all login prompts (bolt, rocketchat)

7:15 Start of looking at Jamovi, using the Rj Editor to execute code and get a reve

9:10 Using cat to send files over the network to our box and viewing the bolt-admin

12:50 Taking a credential from the document and logging into Bolt CMS

13:40 Editing a theme in bolt to give us code execution

19:00 Using script to get a full PTY since python isn't on this box

20:40 Looking for passwords for bolt, finding a sqlite database

25:45 Getting the ip address of the box via the hostname command since ifconfig and

26:40 Using /proc/net/tcp to get listening ports

29:20 Using the docker container to SSH into the host computer via its docker IP

31:25 Using ps -ef --forest to view running processes, can see inside docker contain

34:50 Using bash to perform a portscan based upon the exit codes of echo'ing data to

36:40 Setting up chisel so we can talk to the mongo port

39:00 Using MongoDB Shell to log into mongo and change the user we created to become

44:25 Using Web Hook Integration in RocketChat to get RCE as an authenticated admin

49:15 Reverse shell returned

51:00 Manually identifying our Docker Capabilities with /proc/self/status

55:40 Using cat to download files from the network and downloading the shocker explo

1:02:30 Was using the wrong shocker exploit to exploit cap_dac_read_search. Downloadin

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →