HackTheBox – Ophiuchi
00:00 – Intro
00:45 – Start of nmap, looking at release date of tomcat
04:00 – Starting a bruteforce of /manager login to run in the background
06:55 – Playing with the YAML Parser, sending special characters leads to a stack trace showing the library
08:15 – Testing a YAML Deserialization payload for Snake YAML
09:15 – Start of weaponizing the payload
13:20 – Having a lot of trouble with building out a payload due to special characters
18:50 – Making it simple, just downloading a script then executing it
22:20 – Finally got a shell
24:10 – Going into how we know the sudoers file is non-default by date or filesize
25:00 – Finding out install date of a linux machine by SSH Host Key
25:50 – Finding where tomcat is installed and then grabbing the password out of the config tomcat-users
29:00 – Trying the tomcat password with the admin user
30:00 – Going over the go source code which can be ran with sudo
32:00 – Downloading the web assembly so we can decompile the wasm into a wat then edit it
37:00 – Got Root, showing why i used metasploit to bruteforce tomcat password (lockouts)
by IppSec
linux web server
