HackTheBox - Phoenix

00:00 - Intro 01:00 - Start of nmap 02:22 - Taking a look at the SSL Certificates and website to find blog/forum 04:57 - Running WPScan, explaining why i like aggressive scanning 09:00 - Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi) 10:45 - Running SQLMap to confirm the injection 21:00 - Examining the Wordpress Database structure, so we can run SQLMap to dump very specific things 25:20 - Cracking wordpress credentials to find out we can't use any because of MFA 30:10 - Using our SQL Injection to dump a list of activated plugins in wordpress 32:00 - Finding an exploit in the Download From Files plugin, converting it to ignore SSL Validation Errors 35:45 - Uploading a malicious phtml (php) file to get a shell on the box 41:00 - Examining how MFA is enabled on SSH/SU by looking at PAM files 42:10 - Discovering the 10.11.12.13 network can bypass MFA, which our host is on. 45:10 - Using find to show files created between two dates 48:20 - Discovering backups are created in /backups and explaining why we cannot view other users processes (hidepid) 48:50 - Looking in the */local/bin directories to discover an obfuscated shell script (sh.x) 51:30 - Running the script and then examining the /proc/pid directory to find the shell script unobfuscated in the cmdline 52:50 - Explaining wildcard injection 56:00 - Exploiting the wildcard injection in rsync 57:30 - Showing how we could of used the SQL Injection to leak all the secrets in the MFA Plugin and generate our own codes 59:10 - Looking at the MiniOrange MFA Source Code, the uninstall.php shows a lot of good information 1:03:45 - Showing how to do a "pretty print" or format output better in a MySQL Command (using \G instead of ;) 1:06:45 - Failing to generate a QR Code that we can use google authenticator to login with 1:12:44 - Going back to the source code to find another way to generate MFA Codes 1:15:45 - Fixing our generator script to decrypt the secret which we can paste to oauthtool and get a M