HackTheBox RegistryTwo
IppSec
Video Search: https://ippsec.rocks
Video Description
00:00 - Intro
01:00 - Start of nmap
03:10 - Enumerating port 5000/5001 to see a Docker Registry and Auth Server
06:10 - Creating our auth token for the Docker Registry
08:45 - Adding the SSL Cert to our certificate store, then doing a docker pull to download and run the container
13:00 - Discovering JSESSIONID Cookie, attempting the weird directory traversal bug of /..;/ (nginx directory didn't have a trailing slash on the location)
16:45 - The Examples directory has a sessions example that lets us modify the session; doing this to get a File Disclosure vulnerability, then downloading the WAR file hosting the app
27:45 - Opening the WAR in JD-GUI then examining the source code, discovering we can change our user to admin by editing the session
33:30 - Pointing the RMI.HOST back to us, then using YSOSERIAL to host a malicious server
42:50 - YSOSERIAL-MODIFIED Docker is up, using YSOSERIAL to start a JRMP Listener and host a malicious payload
46:45 - Shell on the container, showing where IPv6 addresses are stored (/proc/net/if_inet6) and that we could have gotten this with the file disclosure, which allows for bypassing the firewall; the ysoserial step was not needed for this next one
52:51 - Looking at the source code again, discovering we can use the RMI to perform file operations on the host
56:00 - Start of creating the RMI Client Java App
1:09:18 - Running into an error using our decompiled code. Having our exploit just reference the class files (before decompilation)
1:25:00 - Finishing up our exploit script, then writing an SSH Key
1:36:60 - Looking at running processes, discovering the RMI Server restarts every 3 minutes, then running PSPY and discovering a quarentine.jar
1:43:00 - Looking at the initial JAR again, discovering it will give out a config. Using RECAF so I can just replace code in the jar without recompiling
1:48:00 - Looking at the Quarantine Service, which pulls a config from the RMI Server then runs CLAM AV
1:51:40 - Having CLAM AV scan /root and flag every file as a virus, sending it to /dev/shm