HackTheBox RegistryTwo

00:00 - Intro
01:00 - Start of nmap
03:10 - Enumerating port 5000/5001 to see a Docker Registry and Auth Server
06:10 - Creating our auth token for the Docker Registry
08:45 - Adding the SSL Cert to our certificate store, then doing a docker pull to download and run the container
13:00 - Discovering JSESSIONID Cookie, attempting the weird directory traversal bug of /..;/ (nginx directory didn’t have a trailing slash on the location)
16:45 - The Examples directory has a sessions example that lets us modify the session, doing this to get a File Disclosure vulnerability then downloading the WAR file hosting the app
27:45 - Opening the WAR in JD-GUI then examining the source code, discovering we can change our user to admin by editing the session
33:30 - Pointing the back to us, then use YSOSERIAL to host a malicious server
42:50 - YSOSERIAL-MODIFIED Docker is up, using YSOSERIAL to start a JRMP Listener and host a malicious payload
46:45 - Shell on the container, showin