00:00 - Introduction
01:11 - Start of nmap
03:00 - Discovering the demo subdomain, which is a Flask website
04:00 - Quickly playing with the File Download, Upload, and Rename -- looking for low-hanging fruit, not finding any
07:00 - Playing with the URL Fetch, looking for a good SSRF; discovering the site is likely in Docker
09:00 - Running FFUF with our SSRF to identify ports listening on the Host and Docker
11:30 - Talking about the two different 403s and why it's important that one is coming from Flask and the other from NGINX
15:00 - Talking about a URL parsing bug between NGINX and Python/Werkzeug, where a strip call removes some special characters after NGINX has already processed the path, letting us bypass the denylist
18:36 - Viewing the Metrics page and getting information about MinIO; discovering it is out of date and exploiting CVE-2023-28432 to get the credentials
23:00 - Downloading the MinIO Client, then interacting with the filesystem manually
26:40 - Searching all file versions on MinIO, then finding an older copy of .bashrc which contains a HashiCorp Vault API key
34:40 - Downloading and running the HashiCorp Vault binary to interact with the service
37:20 - Showing how to identify all of our privileges, then creating an OTP for SSH and logging in
40:00 - Showing how this Vault Binary works by proxying the traffic
41:20 - Showing another way to do this step, by manually enumerating the API, which exposes additional endpoints, and the benefits of using a tool like Postman to manually enumerate APIs
53:22 - Shell as askyy returned; discovering we can run vault-unseal with a few flags, and the d flag will write debug information to a file in our CWD, but we can't read it
57:30 - Using libfuse to create a virtual mount on a directory we control, using memfs to log writes to this directory so we can read what root writes
Video: HackTheBox - Skyfall, uploaded to the IppSec channel on 31 August 2024 (10,036 views, 337 likes).