Here is the first of many HTB machine video guides that I will be releasing. Today the JSON machine was retired so that’s what we are taking a look at in this video.

Rather than just tell you what to type and click on to get the user/root flag, these videos are going to be focused on the reasons why I’m doing those things and exactly how the exploits work. So in this first one we’re taking an in depth look at exactly how the ysoserial.net JSON deserialization exploit works (already covered in a previous blog post, but I’m sure some people will find the video much easier to follow).

As this is my first video like this, I’d really appreciate any feedback you have (post it in the comments on youtube). If you found the video interesting/useful but don’t want to leave a comment, just hit the like button so I know I’m on the right track. Of course if you want to see more videos like this you can hit the subscribe button.

Part 2 is also now up, showing 3 different methods to get root: