HackTheBox - Guardian

00:00 - Introduction 00:52 - Start of nmap 03:00 - Discovering the portal.guardian.htb sub domain, there is a PDF here that shows the default password. Failing to enumerate valid accounts. 06:00 - Using FFUF to Bruteforce all accounts with the default password of GU1234 10:25 - Logging into the application, doing some quick notes of what functionality is exposed 14:25 - Identifying the Chat Functionality, attempting to see if there are broken access controls letting us read other users messages with ffuf 17:30 - Looking at the chats to admin, discovering a Gitea Password then finding the Gitea sub domain 22:00 - Doing some light enumeration against Gitea showing the Public API will let us enumerate if a user exists 24:45 - Logging in as Jamil and then downloading the portal source code and running it through Snyk 28:00 - Looking into the PHP Spreadsheet XSS Vulnerability and creating a python script to weaponize a document 35:20 - Stole the teachers cookie, switching our cookie and finding an CSRF Vulnerability 38:15 - Creating a quick CSRF Payload to add users 48:40 - Logged in as our newly created admin, exploiting the LFI Vulnerability with the Synactiv Filter Chain Vulnerability 55:15 - Got a shell on the box, dumping the database 58:30 - Identifying the hash, failing to crack it, realize its salted, finding the salt and cracking 1:06:10 - Logged in as Jamil, we can run a python script as Mark. We have write permission over a portion of the script allowing for RCE 1:08:45 - Mark can run SafeApache2CTL which is a custom wrapper, creating an apache module to show RCE 1:17:40 - Playing around with the binary, opening it up in Ghidra to show what it does and how weak the checks are 1:23:30 - Showing that using the Apache Include directive with a SymLink we can leak the first line of any file 1:25:10 - Showing copying the existing apache config and modifying it to just serve files out of /, this lets us grab entire files 1:34:30 - Showing a minimal apache config that