00:00 - Intro
01:00 - Start of nmap
02:45 - Taking a look at the websites, making note of all login prompts (Bolt, RocketChat)
07:15 - Start of looking at Jamovi, using the Rj Editor to execute code and get a reverse shell
09:10 - Using cat to send files over the network to our box and viewing the bolt-administration document
12:50 - Taking a credential from the document and logging into Bolt CMS
13:40 - Editing a theme in bolt to give us code execution
19:00 - Using script to get a full PTY since python isn't on this box
20:40 - Looking for passwords for bolt, finding a sqlite database
25:45 - Getting the IP address of the box via the hostname command, since ifconfig and ip were not on the box
26:40 - Using /proc/net/tcp to get listening ports
29:20 - Using the Docker container to SSH into the host via its Docker IP
31:25 - Using ps -ef --forest to view running processes; we can see inside the Docker containers and find mongo
34:50 - Using bash to perform a port scan based on the exit codes of echoing data to a network socket
36:40 - Setting up chisel so we can talk to the mongo port
39:00 - Using MongoDB Shell to log into mongo and change the user we created to become an administrator on RocketChat
44:25 - Using a Webhook Integration in RocketChat to get RCE as an authenticated admin
49:15 - Reverse shell returned
51:00 - Manually identifying our Docker Capabilities with /proc/self/status
55:40 - Using cat to download files from the network, and downloading the shocker exploit, which should abuse this capability
1:02:30 - We were using the wrong shocker exploit for cap_dac_read_search. Downloading the one that writes files and putting our passwd file on the box
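The 26:40 chapter reads listening ports straight out of /proc/net/tcp because netstat and ss are missing. The script below is an added example, not code from the video: a POSIX sh parser that decodes the file's hex addresses (IPv4 part in host byte order, little-endian on x86; port in network byte order) and keeps only sockets in state 0A (TCP_LISTEN). The sample /proc/net/tcp content is constructed for the demo and is not captured from the box; the inode values and addresses in it are made up.

```shell
#!/bin/sh
# List LISTEN sockets from a /proc/net/tcp-format file without netstat/ss.
# IPv4 only: /proc/net/tcp6 uses 32-hex-digit addresses and needs separate handling.

hex_le_to_ip() {
    # 8 hex digits in little-endian order (x86) -> dotted quad, e.g. 0100007F -> 127.0.0.1
    h=$1
    o1=$(( 0x${h#??????} )); h=${h%??}
    o2=$(( 0x${h#????} ));   h=${h%??}
    o3=$(( 0x${h#??} ));     h=${h%??}
    o4=$(( 0x$h ))
    printf '%s.%s.%s.%s' "$o1" "$o2" "$o3" "$o4"
}

listening_sockets() {
    # $1: a file in /proc/net/tcp format (defaults to the live one).
    # Prints one "ip:port" per LISTEN socket; the header line is skipped
    # because its 4th column is "st", not "0A".
    while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue            # 0A = TCP_LISTEN
        printf '%s:%s\n' "$(hex_le_to_ip "${laddr%%:*}")" "$(( 0x${laddr##*:} ))"
    done < "${1:-/proc/net/tcp}"
}

make_sample_proc_tcp() {
    # Constructed sample (not from the box): sshd on 0.0.0.0:22 (0016),
    # mongod on 0.0.0.0:27017 (6989), a loopback listener on 127.0.0.1:3306 (0CEA),
    # and one ESTABLISHED (01) connection that must not be reported.
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18342 1 0000000000000000 100 0 0 10 0
   1: 00000000:6989 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 22910 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19004 1 0000000000000000 100 0 0 10 0
   3: 0B12A8C0:0016 0A12A8C0:C4E2 01 00000000:00000000 02:000A1C3B 00000000     0        0 25117 2 0000000000000000 20 4 31 10 -1
EOF
    printf '%s' "$f"
}

# Demo on the constructed sample. On a live box run: listening_sockets
sample=$(make_sample_proc_tcp)
listening_sockets "$sample"
rm -f "$sample"
```

The inode column (the field after uid and timeout) is what ties a socket to a process: `ls -l /proc/*/fd 2>/dev/null | grep socket:\[INODE\]` finds the owner, which is how you confirm which container or daemon holds a port once you have the list.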
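The 51:00 chapter identifies the container's capabilities by hand from the CapEff mask in /proc/self/status. The script below is an added example and not code from the video: a POSIX sh decoder that turns the hex mask into capability names (bit i of the mask is capability number i, in the kernel's numbering) so you can check for cap_dac_read_search, the capability the shocker exploit relies on, without capsh installed. The mask used in the demo is constructed: Docker's default bounding set (00000000a80425fb) with bit 2 added, which is the shape of a container started with --cap-add DAC_READ_SEARCH; it is not copied from the box.

```shell
#!/bin/sh
# Decode a Linux capability mask (as printed in /proc/<pid>/status) into names.
# Bit i corresponds to the i-th name below, following include/uapi/linux/capability.h.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

decode_caps() {
    # $1: mask as hex digits, e.g. 00000000a80425fb. Prints one cap_* name per set bit.
    mask=$(( 0x$1 ))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            printf 'cap_%s\n' "$name"
        fi
        i=$(( i + 1 ))
    done
}

has_cap() {
    # $1: hex mask, $2: capability name without the cap_ prefix. Exit 0 if set.
    decode_caps "$1" | grep -qx "cap_$2"
}

cap_eff_from_status() {
    # $1: path to a /proc/<pid>/status file (defaults to the current process).
    # Extracts the effective set; CapPrm/CapBnd can be read the same way.
    sed -n 's/^CapEff:[[:space:]]*//p' "${1:-/proc/self/status}"
}

# Demo on the constructed mask: default Docker set plus cap_dac_read_search.
# On a live box run: decode_caps "$(cap_eff_from_status)"
decode_caps 00000000a80425ff
```

The check that matters for this box is whether cap_dac_read_search shows up in CapEff: Docker's default set does not include it, so its presence is the signal that open_by_handle_at-based host file reads (what shocker does) are worth trying. Compare CapEff with CapBnd as well; a capability in the bounding set but not the effective set is only reachable after a setuid or file-capability transition.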