HackTheBox - Analytics
0:00 - Introduction
01:00 - Start of nmap
03:20 - Discovering Metabase, noticing the HTTP Headers are different. Checking TTL just to see if it decrements from the main web page.
07:00 - Searching for an exploit for metabase, then enumerating version
09:30 - Manually exploiting Metabase by pulling the setup-token, then getting injection on the /setup/validate endpoint through the JDBC Driver
15:50 - Reverse shell returned
18:30 - Discovering credentials in the environment variables, then ssh into the box
20:12 - Googling the kernel to discover its vulnerable to GameOverlay
24:00 - Explaining the gameoverlay exploit (CVE-2023-23640, CVE-2023-32629)
25:50 - Stepping through the exploit manually to understand how the overlay fs works, and what the exploit did to abuse it
28:10 - Looking into the permissions of the binaries that were created
Watch video HackTheBox - Analytics online, duration hours minute second in high quality that is uploaded to the channel IppSec 23 March 2024. Share the link to the video on social media so that your subscribers and friends will also watch this video. This video clip has been viewed 12,571 times and liked it 423 visitors.
