HackTheBox - Quick

00:00 - Intro 00:48 - Begin of Nmap, examining the page and running gobuster 03:30 - Identifying some extra care 04:30 - Adding portal.quick.htb to the host file so we can resolve hostname 06:00 - Trying to identify if the web application will tell us if an account is valid 07:20 - Building an email list based upon clients and then running wfuzz to try and identify valid emails 12:00 - Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP 16:30 - Installing Quiche so we can navigate to the http3 site 19:40 - Having Quiche download files, discoving an initial password then revisiting the bruteforce to gain access to a ticket system 30:30 - Using wfuzz to search the helpdesk for all tickets 35:50 - Finding ESIGATE is vulnerable to xml entity injection 40:20 - Testing the XXE Attack to see if it connects to our webserver 41:50 - The server keeps putting the full URL in its GET Request, which messes with pythons webserver. Switching to PHP's built in will fix this. 45:20 - Failing to get a reverse shell to execute via XSLT, switching to download a file and execute it 56:45 - Reverse Shell Returned as SAM 58:30 - Finding printerv2.quick.htb and a little apache confusion its only listening on port 80. Esigate listens on 9001 then redirects to 80 01:04:20 - Dumping password hashes from MySQL to discover the server does some mangling of the password before md5sum, so we cant use hashcat 01:07:45 - Creating a cracking script in PHP 01:13:15 - Logging into the application and seeing we can print jobs, then looking at source code to see how its doing it 01:16:40 - Creating a script to abuse the race condition of printing a document. To replace documents with a symlink to sensitive files prior to printing. 01:25:20 - Printing out the SRVADM SSH Key 01:27:30 - Finding a password in the cups configuration file, which is the root password