HackTheBox - Analytics
0:00 - Introduction
01:00 - Start of nmap
03:20 - Discovering Metabase, noticing the HTTP Headers are different. Checking TTL just to see if it decrements from the main web page.
07:00 - Searching for an exploit for metabase, then enumerating version
09:30 - Manually exploiting Metabase by pulling the setup-token, then getting injection on the /setup/validate endpoint through the JDBC Driver
15:50 - Reverse shell returned
18:30 - Discovering credentials in the environment variables, then ssh into the box
20:12 - Googling the kernel to discover its vulnerable to GameOverlay
24:00 - Explaining the gameoverlay exploit (CVE-2023-23640, CVE-2023-32629)
25:50 - Stepping through the exploit manually to understand how the overlay fs works, and what the exploit did to abuse it
28:10 - Looking into the permissions of the binaries that were created
Watch video HackTheBox - Analytics online without registration, duration hours minute second in high quality. This video was added by user IppSec 23 March 2024, don't forget to share it with your friends and acquaintances, it has been viewed on our site 12,571 once and liked it 423 people.