HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor

00:00 - Intro 01:00 - Start of nmap 02:00 - Using MSFVenom to upload a reverse shell to identify what the malware sandbox looks like 04:25 - Examining the source code of the sandbox 12:00 - Creating a program in C to see the size of an unsigned long 13:40 - Creating a program to replace the output of the trace program and exfil data via the return register on the webapp 20:50 - Creating a python program to automate uploading the file and returning the output 27:05 - Creating a program in C to perform ls, so we can enumerate the jail 34:00 - Changing our ls to enumerate /proc 36:25 - Adding a readlink() call to our ls program so we can view symlinks 41:00 - Discovering an open file descriptor in PID 1, using this to escape the jail and read /etc/passwd 44:40 - Dumping the Django Database 46:00 - Using hashcat to crack a custom salted MD5 hash/password 51:00 - Examining how the sandbox is created on the box itself, explaining how we can abuse setuid binaries because we can