HackTheBox - Compromised

00:00 - Intro 01:30 - Start of nmap, discover web and ssh. Discover litecart, fail to find a way to identify version 03:10 - Running GoBuster to find the backup directory 05:20 - Examining the tar archive 06:30 - Talking about the unix time being 32-bit timestamps but tar did not keep entire timestamp 09:10 - Using find with printf to sort files by modified time 10:30 - Discovering the admin/login.php file was modified to drop the credentials to disk 11:50 - Logging into LiteCart as admin 13:20 - Finding exploits on searchsploit, then manually running through the exploit because its Python2 with some annoying libraries 17:20 - Uploading our PHP Shell but it doesn't work, checking for PHP Disabled functions by using a simple php file. Then doing phpinfo() to see other functions 20:50 - Running through Chankro even thoe it wouldn't work. 23:50 - Uploading large binary files in BURPSUITE by pasting base64 and decoding it within burpsuite 25:33 - Chankro wont work due to putenv being disabled. Looks like there's a PHP 7.0 - 7.4 bypass. Trying this! 28:15 - Attempting a reverse shell but it doesn't work. Viewing iptables configuration 29:45 - Using my Forward Shell script to get a TTY on the box 34:00 - Again, talking about 32-bit timestamps to find files that were put into /lib/ not by a Apt 36:30 - Discovering the PAM Backdoor (pam_unix.so), then reversing it to get a skeleton password 43:30 - BOX COMPLETED. Doing USER/ROOT a different way 45:00 - Generating a Weevely Reverse shell which will let us do more things in PHP 47:00 - Discovering MySQL has a bash shell 49:30 - Discovering the MySQL has a UDF (User Defined Function) that allows for code execution 53:30 - Dropping an SSH Key, then seeing a strace-log.dat file which acts as a keylogger on linux. Also the 32 bit timestamp sticks out 1:00:15 - Discovering a LD_PRELOAD Rootkit (libdate.so),reversing it to see a hidden privesc