HackTheBox - Bolt

Name: HackTheBox - Bolt
Uploaded: 2022-02-19T15:02:20Z
Channel: IppSec
Description: 00:00 - Intro 00:50 - Start of nmap 01:50 - Examining the SSL Certificate to find alternative names 02:30 - Discovering PassBolt, but looks like we need...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·4y ago

Network Security80%

00:00 - Intro 00:50 - Start of nmap 01:50 - Examining the SSL Certificate to find alternative names 02:30 - Discovering PassBolt, but looks like we need an email to login to passbolt 04:10 - Checking the bolt.htb and finding a link to download a custom docker image 06:30 - Extracting the docker image and viewing the docker layers 08:00 - Showing off "Dive" which is a tool to navigate docker images 08:50 - Showing my initial process at analyzing this with a little bash-fu 10:50 - Creating a bash loop to print every file 11:50 - Viewing config.py, and history files by decompressing the layers th…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

0:50 Start of nmap

1:50 Examining the SSL Certificate to find alternative names

2:30 Discovering PassBolt, but looks like we need an email to login to passbolt

4:10 Checking the bolt.htb and finding a link to download a custom docker image

6:30 Extracting the docker image and viewing the docker layers

8:00 Showing off "Dive" which is a tool to navigate docker images

8:50 Showing my initial process at analyzing this with a little bash-fu

10:50 Creating a bash loop to print every file

11:50 Viewing config.py, and history files by decompressing the layers they are in

14:20 Viewing information in the SQL Lite Database and grabbing a password hash

17:00 Logging into the web app

21:00 Extracting all of the layers so we can view the source code

23:30 ash_history is now empty, which shows there were multiple versions of this fil

25:00 Viewing different versions of routes.py in the docker layers

27:30 Exrtacting the invite code from an old version of routes.py, then registering

31:50 Checking the mail and finding out the SSTI Worked

34:10 Finding an SSTI Jinja2 Payload on PayloadAllTheThings that we can use for RCE,

36:30 Grabbing passwords from all the web applications

42:00 The PassBolt application doesn't have password hashes for users, but has a PGP

45:10 Using CME (CrackMapExec) to spray ssh with a list of usernames and passwords a

47:10 Extracting information out of Eddie's Google Chrome and finding data a PGP Pri

50:15 Trying to import the PGP Key from chrome with GPG but it is encrypted

51:00 Using John The Ripper GPG2John to crack the PGP Key

52:45 Importanting the private key, then decrypting the message to get root's passwo

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Bolt

Chapters (25)

Playlist

Lesson complete!