HackTheBox – Feline
00:00 – Intro
01:00 – Start of nmap digging into Version numbers of applications
04:00 – Finding Tomcat is an old version
06:00 – Checking out the web page
07:45 – Playing with the file upload, uploading an EICAR test file to check for virus scanning
12:00 – Finding if we put a directory or nothing for filename we get an error message
14:00 – Looking at Tomcat exploits to see that we may be able to perform a deserialization attack by uploading a serialized object
17:00 – Using ysoserial to generate a CommonsCollection payload
18:15 – Showing a trick to copy binary content into BurpSuite
22:00 – Testing RCE by making the application ping us
22:30 – Failing to get a reverse shell, going through a lot of issues, attempting to encode our command to avoid bad characters
29:20 – Attempting to use a different one-liner to get a shell
32:30 – Giving up using one liners, sometimes two payloads are better than one. Downloading a script and then executing it.
37:00 – Discovering Docker is running on this box
40:35 – Finding out SALT is running on this box, which did have an unauth RCE recently (Salt Stack)
44:40 – Running chisel to forward SALT Ports which are listening on localhost (firewall bypass)
50:20 – Downloading a different exploit as the one we had doesn’t seem to be working
53:00 – Getting a reverse shell with the SALTSTACK exploit and using script to log all the output of our reverse shell
56:00 – Reverse shell returned and we are in a Docker Container. This is weird.
57:55 – Running LinPEAS and discovering docker.sock is exposed inside the container, and that .bash_history works
58:50 – Exploring the Docker Web API, which we can access through the exposed docker socket
1:03:25 – Doing some redirection magic so the Web API response is sent to our box, where it is automatically piped through jq to prettify it
1:05:50 – Creating a JSON File which we will use in our HTTP Request to create a new docker container
1:07:30 – Using CURL To make the request and send our JSON File
1:08:45 – Fixing up our terminal with the STTY command as our line wrapping is behaving oddly
1:12:00 – Having trouble running the CMD, changing up the command
1:19:15 – Finally getting the command right and getting a reverse shell
by IppSec