HackTheBox - RainyDay

00:00 - Introduction 01:00 - Start of nmap 04:40 - Identifying this page is built with flask based upon a 404 page 06:15 - Looking at /api/ 07:15 - Showing a weird bug in python where you cannot run int() on a string that is a float 08:00 - Showing the source code on why this bypassed the check 10:12 - End of edit, extracting all the users passwords with curl 15:40 - Cracking the hashes and getting a password of rubberducky, playing with creating containers 22:30 - Getting a reverse shell on the Alpine-Python container 24:00 - We are a privileged container and can see processes from root, which lets us access the hosts disk and CWD leaks file handles to directories. Grab an SSH Key 27:15 - Can execute safe_python with sudo as jack_adm but it turns out to be a sandbox, eventually find a use-after-free vuln on google and use that to escape 33:50 - Shell as Jack_adm, we can use sudo with hash_password.py, its a bcrypt hash but we can't crack what we create 35:40 - Explaining the vulnerability, bcrypt has a maximum length we can fill the buffer and prevent the python script from appending something to the password 43:40 - Creating a Hashcat rule file to append a single character to the password 45:50 - Creating a python script to exploit this vuln in bcrypt and leaking the secret key one character at a time 53:48 - Script to exploit the truncation vuln in bcrypt complete. Using hashcat to crack the password, showing two ways rule file and combinator attack which uses two dictionary files 1:00:00 - Finished the box but we skipped one step. Going back to show there was a dev subdomain which we need to pivot through a container to access 1:05:50 - The dev site has a different /api/healhtcheck page, we can use boolean logic with regex to perform a file disclosure vulnerability one char at a time 1:13:24 - Creating a python script to automate the file disclosure vulnerability and exporting files to leak extracting the cookie 1:30:10 - Talking about ways to improve the scrip