SSRF, arbitrary JWT validation & runc privilege escalation | TheNotebook @ HackTheBox

Описание: TheNotebook is a medium difficulty Linux machine from ‪@HackTheBox‬. It runs a custom web application vulnerable to authorization bypass caused by a Server Side Request Forgery vulnerability that allows the validation of arbitrary Json Web Tokens. Once authenticated, the application suffers a bug that allows us to execute PHP files, resulting in Remote Command Execution. Excessive permissions assigned to the Noah home backup file allows us to copy and extract its content, resulting in the leakage of Noah's SSH private key. Finally, the user is allowed to execute commands within a docker container using high privileges. Because the runc version used in Docker before 18.09.2 suffers a file-descriptor mishandling, it is possible to leverage the CVE-2019-5736 in order to inject a malicious root user and obtain high privileges on the target.

=== Timestamp ===
00:00 Intro
00:56 Target enumeration
01:59 Exploiting SSRF to arbitrary validate an administrator self-signed JWT
03:20 Exploiting a bug that allows to execute custom PHP code
03:49 Discovering a backup file containing local user's SSH private key
04:34 Privilege escalation exploiting runc (CVE-2019-5736)
06:17 Conclusions

If you enjoyed the video leave a like and subscribe to my channel!
For writeups in text format or other articles related to Ethical Hacking go to my blog: https://maoutis.github.io/
---
Would you like to support my work? Offer me a virtual coffee :)
https://www.buymeacoffee.com/0xbro

Check out my socials:
Twitter:   / 0xbro1  
Linkedin:   / mattia-0xbro-brollo-b4129614b