HackTheBox - Redcross

00:20 - Flow chart of potential paths through this box 02:25 - Begin of recon, SSL Enumeration, examining PHP Behavior 06:23 - Using GoBuster to dicover directories, pdf's, and php scripts 08:10 - Using wfuzz to discover subdomains (virtual host routing) 12:15 - Guessing credential, logging in with guest:guest disover SQL Injection 16:45 - Manually doing an error-based SQL Injection with extractquery() ** Go watch the Enterprise Video if you want Double Query Based Errors ** 31:50 - A good screenshot showing the SQL Inject Queries used, then cracking 35:00 - Doing the SQLInjection with SQLMap, needed the delay flag! ** Going back to start of box 37:50 - Examining the account-signup.pdf to create a user 39:50 - Doing XSS (cross site scripting) to steal a cookie of the admin 43:15 - Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work 46:15 - Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail 48:38 - Playing with the Firewall portion of the site, discover command injection in deleting rules! 52:28 - Reverse shell as www-data 54:40 - Discover postgresql credentials in actions.php, this database lets you create users! 1:00:21 - Inserting a user into the database, then logging in with SSH 1:02:40 - Examining /etc to discover a different postgresql account-signup 1:04:50 - Adding a root user with the new credentials, then sudo to root! *** Going back to just adding our IP to the whitelist in firewall 1:06:29 - Discovering Haraka running 1:09:10 - Using Metasploit to exploit haraka, get shell as penelope 1:12:26 - Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account. *** Going back, lets do the overflow! No postgres at all * Go watch Bitterman if this is confusing 1:15:50 - Examining iptctl.c 1:19:56 - Using Pattern_Create to discover where the RSP (RIP) Overwrite occours. 1:21:15 - Start of python script 1:24:11 - Dumping PLT Functions to use with our rop ch