Here you can watch HackTheBox - Bolt for free or download it in the highest available quality; the video was uploaded to YouTube.
00:00 - Intro
00:50 - Start of nmap
01:50 - Examining the SSL certificate to find alternative names
02:30 - Discovering PassBolt, but it looks like we need an email to log in to PassBolt
04:10 - Checking bolt.htb and finding a link to download a custom Docker image
06:30 - Extracting the Docker image and viewing the Docker layers
08:00 - Showing off "Dive", a tool for navigating Docker images
08:50 - Showing my initial process for analyzing this with a little bash-fu
10:50 - Creating a bash loop to print every file
11:50 - Viewing config.py and history files by decompressing the layers they are in
14:20 - Viewing information in the SQLite database and grabbing a password hash
17:00 - Logging into the web app
21:00 - Extracting all of the layers so we can view the source code
23:30 - ash_history is now empty, which shows there were multiple versions of this file
25:00 - Viewing different versions of routes.py in the Docker layers
27:30 - Extracting the invite code from an old version of routes.py, then registering an account on demo.bolt.htb, which also allows access to mail.bolt.htb
31:50 - Checking the mail and finding out the SSTI worked
34:10 - Finding an SSTI Jinja2 payload on PayloadsAllTheThings that we can use for RCE, then getting a reverse shell
36:30 - Grabbing passwords from all the web applications
42:00 - The PassBolt application doesn't have password hashes for users, but has a PGP-encrypted secret
45:10 - Using CME (CrackMapExec) to spray SSH with a list of usernames and passwords and finding Eddie's password, which we can use with SSH
47:10 - Extracting information out of Eddie's Google Chrome data and finding a PGP private key
50:15 - Trying to import the PGP key from Chrome with GPG, but it is encrypted
51:00 - Using John the Ripper's gpg2john to crack the PGP key
52:45 - Importing the private key, then decrypting the message to get root's password