HackTheBox - Unobtainium

Name: HackTheBox - Unobtainium
Uploaded: 2021-09-04T15:00:11Z
Channel: IppSec
Description: 00:00 - Intro 01:10 - Start of nmap 05:00 - Downloading and installing the deb package with dpkg, then fixing the host file 06:35 - Running wireshark wh...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:10 - Start of nmap 05:00 - Downloading and installing the deb package with dpkg, then fixing the host file 06:35 - Running wireshark when examining the unobtainium application then examining the HTTP Requests 09:25 - Proxying the unobtainium app through Burpsuite by creating a new proxy listener and updating the host file 10:40 - Playing with the LFI on /todo and discovering we can only cause errors or include files in the local directory 12:30 - Using FFUF to attempt to find other JS Files with this LFI 14:50 - Copying the index.js source code and looking for vulnerabilities …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:10 Start of nmap

5:00 Downloading and installing the deb package with dpkg, then fixing the host fil

6:35 Running wireshark when examining the unobtainium application then examining th

9:25 Proxying the unobtainium app through Burpsuite by creating a new proxy listene

10:40 Playing with the LFI on /todo and discovering we can only cause errors or incl

12:30 Using FFUF to attempt to find other JS Files with this LFI

14:50 Copying the index.js source code and looking for vulnerabilities

15:50 Discovering hard coded credentials, examining the administrator password to se

17:45 Analyzing the upload functionality to discover an RCE if we can upload

19:40 Discovering a merge command and looking up Prototype Pollution to potentially

23:55 Giving ourself the Upload Functionality then performing the RCE in Upload

25:53 Ping works, now lets get a reverse shell

28:15 Reverse shell returned, confirming we are in kubernetes downloading peirates a

32:49 Using kubectl to do basic enumeration of kubernetes, switching our namespace t

36:15 Demonstrating Peirates which makes the enumeration of kubernetes easier by pro

38:15 Exploiting the same application in dev which gets us a different kubernetes to

41:15 Doing the enumeration with kubectl again but this time we can utilize the Kube

43:45 Using our stolen token and discovering we can create pods using kubectl auth c

44:22 Explaining the attack we are about to do to create a pod with host disk mounte

47:00 Looking at the Peirates source code to see how the attack works

48:55 Doing

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →