HackTheBox - Ghoul


01:29 - Start of Recon, noticing multiple SSH Host Keys
06:15 - Discovering the HTTPD Website has a PHP Script, running SQLMap and updating gobuster to find PHP
07:30 - Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images
09:00 - Discovering that this TOMCAT page allows the ability to upload images and zips
10:45 - Explaining the ZipSlip Vulnerability
12:20 - Walking through how ZipSlip Works
14:30 - Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip
18:30 - Reverse Shell Returned
18:51 - Looking at Secret.php to get potential usernames and passwords
22:20 - Discovering tomcat listens on port 8080, then using that to drop an SSH Key to get root (Unintended Path)
25:55 - Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords
35:00 - Using find to list files modified between two dates
39:30 - Copying SSH Keys back to our box
42:30 - Logging into SSH over port 22 with Kaneki and SSH Key
44:00 - Creating a bash script to perform a ping scan to discover other hosts
49:55 - Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host
52:12 - Running the HostScan utility again to find another host, then modifying script to do a portscan
55:00 - Tunneling to the GOGS Box via SSH Tunnels
58:00 - Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits
59:15 - SearchSploit turned up nothing, let's search for CVEs and hunt for a PoC (CVE-2018-18925)
01:00:25 - Copying the GOGS Exploit, and logging in with a password we previously found. Note: There is a tool called gogsownz, but it automates so much you don't really learn anything.
01:02:30 - Creating a Repository in GOGS then dropping a file to the box
01:03:50 - Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin
01:06:38 - Now as an Admin, we can create a Git Hook to execute code upon updating and get a shell
01:11:50 - Searching for what the gosu binary does, finding out it lets us privesc to root
01:18:15 - Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials
01:22:00 - Escalating to root on kaneki-pc (second docker box) via password found
01:25:00 - Abusing SSH Agents to intercept the "SSO Like Token" and swim upstream to the Host OS

Reviewed by Unknown on October 05, 2019