HackTheBox - Mango

01:00 - Start of nmap and examining the HTTPS Certificate to get a potential hostname 04:00 - Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMAP do HTTPS instead of HTTP 06:26 - Playing with analytics.php and some light testing to see if we could do SSRF. Put it on the backburner and move on. 07:42 - Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap 08:51 - Going over NoSQL Injection 09:44 - Attempting to explain NoSQL Injection 11:35 - Performing a NoSQL Injection test via x-www-form-encoded data 12:44 - Doing Regular Expressions with NoSQL Injection to extract the password length 14:00 - Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON) 16:00 - Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in 18:50 - Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password 19:20 - Going over doing Burp Intruder to extract data 21:45 - Creating a Python Script to do this NoSQL Injection since Burp cost $$ and is slow. 37:11 - Script mostly done extracting admin's password 40:47 - Trying to extract Mango's password but there's a tricky character, troubleshooting 44:00 - Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box. 46:00 - Running LinPEAS and seeing JJS is a SetUID Bin 48:00 - Turns out we can't execute JJS as mango, only admin. Use "su" to switch to admin and run JJS 50:11 - Using JJS to write a file and drop an SSH Key