HackTheBox - RainyDay

00:00 - Introduction
01:00 - Start of nmap
04:40 - Identifying this page is built with flask based upon a 404 page
06:15 - Looking at /api/
07:15 - Showing a weird bug in python where you cannot run int() on a string that is a float
08:00 - Showing the source code on why this bypassed the check
10:12 - End of edit, extracting all the users' passwords with curl
15:40 - Cracking the hashes and getting a password of rubberducky, playing with creating containers
22:30 - Getting a reverse shell on the Alpine-Python container
24:00 - We are a privileged container and can see processes from root, which lets us access the host's disk, and CWD leaks file handles to directories. Grab an SSH Key
27:15 - Can execute safe_python with sudo as jack_adm but it turns out to be a sandbox, eventually find a use-after-free vuln on google and use that to escape
33:50 - Shell as Jack_adm, we can use sudo with hash_password.py, it's a bcrypt hash but we can't crack what we create
35:40 - Explaining the vulnerability, bcrypt has a maximum length we can fill the buffer and prevent the python script from appending something to the password
43:40 - Creating a Hashcat rule file to append a single character to the password
45:50 - Creating a python script to exploit this vuln in bcrypt and leaking the secret key one character at a time
53:48 - Script to exploit the truncation vuln in bcrypt complete. Using hashcat to crack the password, showing two ways: a rule file and a combinator attack, which uses two dictionary files
1:00:00 - Finished the box but we skipped one step. Going back to show there was a dev subdomain which we need to pivot through a container to access
1:05:50 - The dev site has a different /api/healthcheck page, we can use boolean logic with regex to perform a file disclosure vulnerability one char at a time
1:13:24 - Creating a python script to automate the file disclosure vulnerability and exporting files to leak extracting the cookie
1:30:10 - Talking about ways to improve the script, and realizing we can just run the script on the docker which makes this process exponentially faster. Good demo on how much a proxy slows things down.
1:40:50 - Showing the web source code which starts the container and why background was not pid 1337