HackTheBox - Player2

00:00 - Intro 00:51 - Begin of NMAP 02:00 - Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver 07:00 - Testing basic SQL Injection on product.player2.htb 08:10 - Running gobuster against the product domain to find potential pages 13:00 - Running gobuster to try to enumerate sub domains. 17:50 - Checking the full port scan of the box to see 8545 19:45 - Gobuster had an issue enumerating subdomains, switched to wfuzz 22:45 - Investigation TWIRP because port 8545 had that in an error mesage 24:40 - Running gobuster to hunt for protobuf files and api endpoints 28:50 - Exploring the generated.proto file 32:00 - Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull credentials 43:50 - Using Hydra to bruteforce an http login form 47:50 - Exploring login logic to see how SESSIONS are handled after invalid logins 50:00 - Testing /api/totp now that we have a session and finding ways to generate backup codes 54:00 - Looking at the authenticated product page 56:00 - Playing with the upload form of the protobs interface 59:20 - (unintended) Hunting for the uploads/ directory and testing for potential race condition 01:03:00 - Winning the race to get a reverse shell 01:05:15 - Doing the firmware upload the intended way. 01:07:20 - Using DD to extract data out of binwalk 01:09:50 - Exploring the firmware in Ghidra 01:11:50 - Testing the firmware signing by opening the ELF in a hex editor and changing a byte near the beginning of the file, then the end of the binary 01:15:10 - Editing the string in the system() call test for RRCE 01:19:30 - Changing our ping command to be a reverse shell 01:27:00 - Reverse shell returned but wanted to see how much of this ELF we messed up by overflowing the string. 01:35:00 - Checking the MySQL Database for creds 01:41:50 - Running pspy to see some hidden crons 01:44:40 - Running chisel to forward the MQTT Port back to our box 01:51:10 - Using mosquitto_sub to subscribe to a topic and get messages