HackTheBox - BroScience

00:00 - Intro 00:51 - Start of nmap 02:30 - Finding some vulnerable-looking parameters 03:50 - Testing some basic things for LFI, finding a WAF blocking ../. Double encoding it to get passed 07:11 - Start of writing a script to abuse this LFI and crawl/download all the php source 10:30 - Making the script recursive, so it will check pages downloaded for new links 16:50 - Making the script save the files 19:40 - Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln 22:20 - Identifying how the site generates activation codes upon registration identifying an insecure use of SRAND(). Generating our own activation code 25:30 - Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file 27:45 - Building a deserialization object to download a file off our server and write it to the web directory 32:08 - EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack 35:00 - EDIT: Poisoning our PHP Session with PHP Code as our username, then building an object to copy that to the server so don't need to use a remote host 41:38 - Getting a shell on the box, dumping credentials from postgres 44:55 - Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. Then cracking the passwords 51:25 - Passwords cracked logging in as bill 55:10 - Using pspy to identify a script runs to renew certificates 57:15 - Going over the bash script and identifying a command injection vulnerability. 1:01:45 - Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems 1:06:04 - Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work 1:08:15 - Putting the payload in $(), and getting root to the box 01:10:20 - Just making sure we fully understood why our first attempts failed