HackTheBox - Secret

00:00 - Into
01:04 - Start of nmap talking about seeing two ports having the same HTTP Banner
03:20 - Checking out the webpage to discover source code and some docs
04:00 - Always RTFM, Playing with the API to Register a user, login, and check out privilege level.
05:50 - Renaming our burp repeater tab by just double clicking on the number
07:30 - Trying to login with a name instead of email
10:10 - Testing our login token to find out it uses JWT's in a non-standard way
10:50 - Analyzing the source code to see the token is used in a header called "auth-token"
12:40 - Looking at git commit history to see there is a hard coded secret in an older commit and forging a token
13:40 - Changing our tokens user, going back to the source code and seeing "theadmin" is a hardcoded administrative user
14:30 - Talking about the importance of rotating secrets in a web application
16:30 - Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE
17:50 - Testing command injection and getting a reverse shell
22:00 - Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a SSH Key for a second way into the box
23:40 - Checking NGINX Configuration to see if there is any difference between the two websites (port 80 and 3000), there isnt.
25:20 - Running LinPEAS, discovering a custom SetUID Binary called count
30:00 - Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root
31:57 - Examining the source code, to discover it allows for dump files to be created
33:15 - Failing to kill the linux process with the correct signal
34:50 - Pulling up the man page to kill and listing all signals, then killing the process with a Segfault (11)
36:40 - Using apport-unpack to extract the crash report into readable files
37:23 - Examining the coredump to discover the file read is there! Then doing the same thing with an SSH Key to get root on the box
40:00 - Showing how file descriptors (/proc/pid/fd) work and failing to pull the ssh key, because the key isn't readable by us.
41:30 - Failing to dump the the heap memory with DD as a regular user
44:10 - Back the examining the fd's in proc, showing if we had permission to read the file, that we could bypass the directory permission by cat'ing the file handle
48:00 - Dumping the heap of the process as the root user to show we can extract the file from the processes memory