HackTheBox - Faculty

00:00 - Intro 01:01 - Start of nmap 02:10 - Testing login of the webapp, finding SQL Injection to bypass it 03:20 - Running gobuster with our cookie so it has access to any authenticated page 04:50 - Examining the course edit functionality and discovering how the page tells us if our update was a success 05:50 - Explaning the dangerous thing with update injections, we accidentally changed EVERY row. 08:45 - Extracting information from this Update Injection in MySQL by editing a second column 10:15 - Standard MySQL Injection to extract table information from Information_Schema, then dumping hashes 15:00 - Showing a second login form, which is also SQL Injectable 17:00 - Examining the Generate PDF Function 19:00 - Verifying we can put HTML in the PDF 21:40 - Going to GitHub Issues and finding issues with MPDF to find vulnerabilities in old versions 22:30 - Showing we do have SSRF but this doesn't really give us anything 24:10 - Using Annotations to add loca files into the PDF 25:25 - Dumping source code of the webapp to find the configuration file, then getting the MySQL Password 29:40 - Testing the MySQL Password with SSH and logging in as gbyolo 31:20 - Exploiting Meta-Git to gain access to the developer user 36:40 - Shell as Developer and running LinPEAS 38:48 - Testing CVE-2022-2588 as a privesc on Ubuntu, it works! (unintended route) 42:30 - Finding GDB has cap_sys_ptrace permissions, which means we can debug processes running as root 43:20 - Using MSFVENOM to generate shellcode to perform a reverse shell, which we will inject into a process 45:00 - Creating a python script to format the shellcode in a way we can just paste it into gdb 46:25 - Explaining the modulo operator (%) which is how we will pad our payload 49:00 - Building our payload 53:00 - Payload has been built! Lets inject it into a process and get a shell