HackTheBox - Book

00:00 - Intro 00:34 - Begin of Recon 01:45 - Enumerating the login page 03:05 - Creating an account, identifying what fields are unique 05:00 - Logged into the page, examining functionality starting with the download.php file 07:30 - Playing with the search field 08:00 - Playing with XSS by using img src 13:00 - Examining the user signup more closely 15:25 - Viewing javascript on the page to show there is a maximum number of characters in username/email 17:20 - Start of attempting SQL Truncation attack 22:25 - Attempting to login to /admin/ with our account to see we get in, then redoing everything to explain it. 23:20 - Explaining the SQL Truncation Attack 35:40 - Noticing the PDF Generation processes HTML and probably JavaScript 39:00 - Using a Javascript payload that reads a local file on the box 45:20 - Getting rid of the Base64 Encoding in the payload and reading /etc/passwd 46:18 - Trying (and failing) to grab /proc/self/environ 54:10 - Attempting to grab an SSH Key for the Reader User 56:00 - SSH Key is poorly formatted. Using pdf2text to see if formatting is better 57:30 - PDF2Text didn't work, lets try PDF2HTML which does a great job 59:45 - Revisiting the Base64 Payload to see if PDF2HTML grabs all the Base64 (it does) 1:02:15 - Running LINPEAS to see we may be able to exploit log rotate 1:06:10 - Poorly explaining how logrotten works 1:12:30 - Performing the Logrotten exploit to get a reverse shell 1:18:15 - Finally keeping the reverse shell alive 1:20:25 - Examining how the SQL Truncation vulnerability came to be by looking at the PHP Source Code and then SQL Table Schema 1:27:30 - Showing how it determines the admin user and uses trim() which is why our attack works 1:29:40 - Examining the PHP Sessions