HackTheBox - Hospital

00:00 - Introduction 01:00 - Start of nmap 03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented 07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files 13:48 - Uploading a php shell, discovering there are disabled functions blocking system 17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution 23:00 - Reverse shell returned on the linux host 26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password 29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt 33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit 36:00 - Building a malicious EPS File with a powershell reverse shell 43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system 52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password 1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen 1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password