HackTheBox - Bagel

00:00 - Introduction
01:00 - Start of nmap
02:50 - Taking a look at the web page
04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code
06:30 - Taking a look at the Python source code and discovering that port 5000 is the dotnet application and that it uses websockets
07:55 - Using wscat to test the websocket
09:00 - Brute-forcing /proc/{pid}/cmdline entries in order to see running processes and find the dotnet DLL
13:45 - Reversing and discovering a deserialization vulnerability in dotnet which allows us to read files
15:00 - Looking at what TypeNameHandling means in Newtonsoft's deserializer
20:00 - Looking for a gadget to use with our deserialization
21:40 - Building the deserialization payload
23:20 - Dumping Phil's SSH key, then logging in
25:00 - The dotnet app had the developer's password; switching to that user
25:50 - Developer can run dotnet with sudo; using the FSI GTFOBin to get a shell