HackTheBox - Crossfit

00:00 - Intro 01:08 - Installing Obsidian which lets us take notes in Markdown format 03:10 - Running nmap to see FTP over SSL and it has certificates 05:20 - Using openssl to grab the SSL Certificate from FTP 06:50 - Going over the web page extracting emails, people, and user input locations 08:20 - Installing flameshot, which helps us take better screenshots 18:15 - Testing each contact form with XSS Cross Site Scripting 19:10 - XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins 23:10 - Putting XSS Payloads in the User Agent 25:25 - XSS Attempting to steal cookies with a basic payload, failing here. Document.location is lazy, should do document.write to write an image so the user is not redirected. 27:50 - Using ffuf to bruteforce domains via the CORS Origin header to discover FTP 33:35 - XSS Using XMLHttpRequest to use the victims browser like a proxy and return web pages to us 38:20 - XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to create a user 46:50 - Using lftp to login to the ftp and upload a webshell to development-test 57:50 - Shell returned as www-data, finding a Hank's password in /etc/ansible/playbooks 1:16:05 - SSH as hank and examine the send_updates.php file to find command injection 1:24:40 - Finding credentials for ftpadm which lets us create a file to trigger the command injection 1:33:40 - SSH as Isaac and doing some basic enumeration, explaining why we can't see processes from other users hidepid is set on /proc 1:35:50 - Using find to do a bunch of IR to find what is unique about hank 1:37:50 - Using find to look for files modified between two dates and dbmsg stands out 1:42:10 - The dbmsg stands out due to its timestamp having nanoseconds, it is the only file like this in /usr/bin 1:51:00 - Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time 1:56:15 - Attempting to name variables based upon what we think they are 2:03:0