HackTheBox - Bagel

00:00 - Introduction
01:00 - Start of nmap
02:50 - Taking a look at the web page
04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code
06:30 - Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets
07:55 - Using wscat to test the websocket
09:00 - Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll
13:45 - Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files
15:00 - Looking at what TypeNameHandling means in NewtonSoft's deserialize
20:00 - Looking for a gadget to use with our deserialization
21:40 - Building the deserialization payload
23:20 - Dumping Phil's SSH Key, then logging in
25:00 - The dotnet app, had developers password, switching to that user
25:50 - Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.

Support the originator by clicking the read the rest link below.