HackTheBox - Ambassador

00:00 - Intro
00:45 - Start of nmap
03:30 - Discovering Grafana and seeing it is ~2 years old
05:00 - Looking for exploits
06:00 - Manually performing the exploit
08:45 - Looking for interesting files, extracting Grafana config which lets us log in
12:55 - Extracting the SQLite3 Database in order to get the MySQL Password
15:30 - Logging into MySQL and getting SSH Creds from the whackywidget database
18:00 - Looking at the WhackyWidget application and discovering an Consul API Key
21:20 - Looking for the Consul API Documentation
23:05 - Playing with the API, examining the Metasploit script and building out our curl request
26:40 - Building a JSON file which will create a Consul Script to send us a reverse shell and getting root
31:50 - Showing the Metasploit Script would work if we port forward
34:50 - Showing another way, we can write to the Consul Config directory and do it manually

Видео HackTheBox - Ambassador канала IppSec