HackTheBox - Breadcrumbs

00:00 - Intro 00:45 - Start of nmap 03:50 - Poking at the website 05:20 - Quickly testing for SQL Injection and coming up with nothing 12:30 - Creating an account and checking what regular users can do 14:15 - Using BurpSuite Sequencer to identify low entropy within login cookies 18:30 - Finding the 302 redirect still outputs the page, its just that the browser doesn't want to show it 21:10 - Creating a simple PHP File to be uploaded 23:00 - Finding the /books/ url and checking the book search page again to find LFI 28:00 - Building a quick python script to automate the LFI 38:00 - Windows is really weird with SSH, need to disable PubKeyAuth in order to login with a password 39:50 - Looking at the fileController php file to see who can upload files 43:00 - Looking around the source code to examine how PHP Sessions are built, so we can impersonate Paul 46:35 - Running makesession with all permutations so we can get Pauls login cookie 50:15 - Logged in as Paul, now we need to modify the JWT token to say we are Paul 53:50 - We can now upload php files! Some light AV Evasion and have a reverse shell with Nishang 59:50 - Finding Juliette's password within the web application and SSH'ing into Windows 1:02:20 - Hunting for Microsoft Sticky Notes and finding the Developer Password 1:10:50 - Logged in as Development, finding a linux app to reverse in ghidra 1:14:50 - Mimicing the curl requests by the linux app to port localhost:1234, so using SSH to forward that. (the localhost screws things up) 1:19:03 - Our curl still isn't working, figuring out the master key to see if the linux application works. 1:21:50 - The localhost in our SSH Port Forward is causing weird issues, changing it to 127.0.0.1 fixes it 1:23:10 - The app works, testing for SQL Injection 1:25:10 - Using information_schema to dump information about the database (databases, tables, columns), then extracting all info 1:28:40 - Using cyberchef to decrypt the AES Blob from the database 1:30:45 - PSExec isn't wo