HackTheBox - ForwardSlash

00:00 - Intro 00:52 - Begin of Nmap 02:50 - Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb 08:10 - Registering an account and examining the functions to signed in users 10:00 - Playing with the ProfilePicture.php to discover we can do file inclusion 12:50 - Testing for RFI 14:25 - Using the PHP Filter Wrapper to convert php files to base64 and extract source code 16:50 - Start of creating a script to automate this 19:40 - Terminal portion of the script completed, now to add HTTP Requests 23:30 - Script cannot access the page due to requiring a login session, hard code the login cookie 26:50 - Script now is able to extract files off the server, now to add a save_file function 34:00 - Using the script we created as a library and building a brute forcer! 37:50 - Manually looking at source code while our script runs in the background 42:00 - Going back to gobuster seeing the "/dev" directory, extracting source to get credentials to SSH into the box 45:00 - Examining the Backup SetUID File with strace, explaining Path Injection (but it doesn't work here). 48:00 - Opening up the backup file in Ghidra 51:00 - Using find to search for files owned by Pain to discover config.php.bak, then abusing the backup program to read this file 53:40 - Abusing the sudo rules to skip the crypto challenge. Upload a luks container with a SetUID Binary 55:45 - Creating a Luks Container 58:00 - Adding a SetUID Binary in the luks container then uploading it, and executing it to get root 1:02:40 - Going back to look over the Crypto Challenge 1:06:30 - Using the program to encrypt text we know the key to, so we can build a bruteforcer 1:14:00 - Found a weird bug, we only need to know the first character of the key and length... Build a cracker based upon that 1:23:40 - Key found, decrypt the container 1:28:55 - Going back to the ProfilePicture, and finding the SSRF + XXE Chain 1:33:50 - Showing the importance of double URL Encoding 1:42:55 - Creating ano