HackTheBox - Player

01:45 - Begin of recon, wireshark nmap to see how it identified the hostname. The way this box is configured apache is placing the hostname when the "Host: " HTTP Header is not present. 06:00 - Starting a bunch of automated tools. Nmap all ports, and gobuster to discover VHOST (virtual hosts) and files. 09:55 - Checking dev.player.htb and identify the framework (Codiad) is being leaked in some javascript 12:25 - Checking chat.player.htb, nothing really here just hints at source code disclosure on other domains 14:05 - Checking staging.player.htb, sending an email leaks some interesting files 18:00 - Checking player.htb/launcher, entering an email leaks some other PHP Files along with a JWT Token 21:00 - Discovering backup files, showing BurpSutie Pro can do it but I had added this feature in GoBuster 21:50 - Going over exactly what I did in GoBuster to add the DiscoverBackup feature 27:35 - Using GoBuster with the new feature to discover some PHP Source that leaks the JWT Secret 32:20 - Using JWT.IO to create our forged JWT and discover a new page that proccesses Video Files 37:25 - Looking into FFMPEG Vulnerabilities to discover an LFI, using "Payload All The Things" to exploit this. Grab files Apache Config, Config files in web directories, /proc/net to see listening ports 50:00 - Trying the telegen credentials we retrieved from /var/www/backup/service_config with various services. See we can login to 6686 but are in a locked down shell 51:45 - Running searchsploit to see an XAUTH command injection that allows for reading/writing files. Failing to writefiles, but can now read .php files grab more source code to get another credential (Peter) 55:45 - Peter's creds work at dev.player.htb which allows for uploading files. Uploading a php reverse shell 1:00:40 - Reverse shell returned. Running su -s /bin/bash telegen to bypass the restricted shell 1:01:30 - Noticing the XAUTH command actually wrote a file! Going back to see why we failed to write to web directori