
HackTheBox - Eureka

8.3K views
Aug 30, 2025
47:38

00:00 - Introduction
01:00 - Start of nmap
03:45 - Discovering the default 404 page of Spring Boot, then using GoBuster with a Spring Boot wordlist to show the actuator endpoint
06:10 - Showing a good blog post about Actuator misconfigurations
07:10 - Downloading the heapdump; while that downloads, showing that Nuclei flags this with its default options
09:10 - Using strings to look for sensitive things in the heapdump
10:40 - Showing VisualVM, which lets us search heapdumps with OQL queries, which are similar to SQL
15:10 - Using JDumpSpider to analyze the heapdump; it does a good job of showing only the security-relevant things
18:30 - SSH into the box with the Oscar190 account, which we got from the heapdump
19:30 - Finding the log_analyse.sh bash script; we can't exploit it yet, but sometimes it is useful to backtrace from vulnerable things to find the path
21:00 - User-controlled input reaching bash's -eq comparison, which evaluates its operands as arithmetic and leads to code execution
28:10 - Running pspy to see if this program gets executed from a cron job and getting the arguments sent to it
30:45 - Discovering the log file; we don't have permission to read it, but users in the developers group do. Searching for those users in the web directory to discover a log showing them logging in
32:50 - Exploiting Eureka by joining the cluster and having some requests destined for User-Management-Service sent to us, so we can hijack the /login endpoint to see credentials
43:25 - Getting Miranda's credentials, then exploiting the log_analyse script
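The code-execution primitive behind the 21:00 chapter is a general bash property rather than anything specific to this box: inside `[[ ... ]]` and `(( ... ))`, the operands of -eq are evaluated as arithmetic expressions, and an arithmetic expression may contain an array reference whose subscript is expanded first, including any command substitution it contains (the POSIX `[ ... ]` test builtin does not do this; it rejects non-integer operands). The script below is an added example, not the box's log_analyse.sh; the function names and the idea of a "count" argument that an attacker controls are assumptions. It puts the vulnerable comparison beside one that validates the value as a decimal integer before it ever reaches an arithmetic context, and it invokes bash explicitly so the demonstration does not depend on which shell runs the file.

```shell
#!/bin/sh
# Added example, not the log_analyse.sh from the box. The "count"
# argument stands in for a hypothetical attacker-controlled value,
# e.g. a field parsed out of a log line.

# Vulnerable pattern: in bash, [[ $x -eq 0 ]] evaluates $x as an
# arithmetic expression. An input such as  a[$(cmd)]  is treated as an
# array reference, and the subscript is expanded, so cmd runs with the
# privileges of whoever runs the script (root, if it runs from cron).
vulnerable_check() {
    bash -c '
        count="$1"
        if [[ "$count" -eq 0 ]]; then
            echo "no entries"
        else
            echo "entries: $count"
        fi
    ' _ "$1"
}

# Hardened pattern: accept only a plain decimal integer before the
# value reaches an arithmetic context. Anything else is rejected with
# a non-zero status and is never evaluated.
safe_check() {
    bash -c '
        count="$1"
        if [[ ! "$count" =~ ^[0-9]+$ ]]; then
            echo "invalid count: $count" >&2
            exit 1
        fi
        if (( count == 0 )); then
            echo "no entries"
        else
            echo "entries: $count"
        fi
    ' _ "$1"
}

# Builds the constructed hostile input: an array subscript that touches
# the marker file given as $1 when the subscript is evaluated.
make_payload() {
    printf 'a[$(touch %s)]' "$1"
}

# Runs both checks against the payload and reports whether the marker
# file appeared, i.e. whether the injected command actually executed.
demo() {
    marker="$(mktemp)"
    rm -f "$marker"
    payload="$(make_payload "$marker")"

    vulnerable_check "$payload" >/dev/null 2>&1
    if [ -e "$marker" ]; then
        echo "vulnerable_check: injected command ran"
        rm -f "$marker"
    else
        echo "vulnerable_check: injected command did not run"
    fi

    safe_check "$payload" >/dev/null 2>&1
    if [ -e "$marker" ]; then
        echo "safe_check: injected command ran"
        rm -f "$marker"
    else
        echo "safe_check: input rejected, injected command did not run"
    fi
}

demo
```

The same validation belongs in front of any `(( ... ))`, `let`, `$(( ... ))` or array-index use of untrusted data, not only in front of -eq; the regex gate is what matters, the comparison operator is incidental.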


HackTheBox - Eureka | NatokHD