HackTheBox - Ghoul

01:29 - Begin of Recon, notice multiple SSH Host Keys 06:15 - Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP 07:30 - Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images 09:00 - Discovering that this TOMCAT page allows the ability to upload images and zips 10:45 - Explaining the ZipSlip Vulnerability 12:20 - Walking through how ZipSlip Works 14:30 - Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip 18:30 - Reverse Shell Returned 18:51 - Looking at Secret.php to get potential usernames and passwords 22:20 - Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path) 25:55 - Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords 35:00 - Using find to list files modified between two dates 39:30 - Copying SSH Keys back to our box 42:30 - Logging into SSH over port 22 with Kaneki and SSH Key 44:00 - Creating a bash script to perform a ping scan to discover other hosts 49:55 - Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host 52:12 - Running the HostScan utility again to find another host, then modifying script to do a portscan 55:00 - Tunneling to the GOGS Box via SSH Tunnels 58:00 - Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits 59:15 - SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925) 01:00:25 - Copying the GOGS Exploit, and logging in with a password we previously found. Note: There is a tool called gogsownz, but it automates so much you don't really learn anything. 01:02:30 - Creating a Repository in GOGS then dropping a file to the box 01:03:50 - Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin 01:06:38 - As an Admin now we can create a Git Hook to execute code upon updating and get a sh