HackTheBox - Bighead

00:01:10 - Begin of Nmap 00:04:45 - Pulling important information from the website 00:06:00 - Discovering DNS Names, adding stuff to /etc/hosts 00:18:30 - Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp 00:23:50 - Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418) 00:27:00 - Found BigHead Web Server on Github, pulling Zips and cracking 00:36:40 - Before reversing the binary, keep hunting for information about the OS 00:43:40 - Discovering PHPInfo within the PhpMyAdmin directory, has OS. 00:46:00 - Installing Immunity and Mona 00:47:30 - Grabbing MinGW so we can run the Bighead Webserver 00:55:40 - Crashing the webserver, seeing we have 01:00:00 - Sending a pattern to the box and examining the stack to see where our overwrites are 01:06:15 - Validating we know where all our overwrites are (EAX,EBX,EIP,ESP) 01:10:06 - Explanation of EggHunters 01:16:05 - Grabbing the shellcode we want, then adding it to our exploit script 01:24:50 - Validating our exploit is working as we intended by setting a break point on JMP ESP 01:27:00 - Our box complains about DEP, lets disable that on our OS and hope its disabled on target 01:30:00 - Running the exploit against the target and getting a shell back! 01:35:00 - Searching the registry (HKLM) for "password" 01:37:00 - Dumping information about services on the box (HKLM\System\CurrentControlSet\Services) 01:38:15 - Discovery of NGINX password, then looking at ports listening on localhost 01:41:08 - Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel 01:45:10 - SSH into nginx@Bighead over port 2020, land in an extremely restricted shell 01:50:30 - Searching for vulnerable PHP Code, discovering testlink 02:02:55 - Exploiting an LFI Vulnerability 02:07:00 - Using Netcat to get a reverse shell 02:16:10 - Looking at the KeePass Configuration File to see where the KDBX and Key is 02:18:55 - A bunch of pain trying to get data off the Alternate Data St