HackTheBox - SolarLab

00:00 - Introduction 01:05 - Start of nmap 02:50 - Discovering Guest can read files on SMB, using mount to copy all the files 08:30 - Grabbing usernames and passwords from the excel document so we can use them for spraying 15:45 - Taking a look at port 6791 to see ReportHub, using FFUF to spray usernames to get a valid user 18:00 - Using FFUF to spray two parameters, username and password by giving it two wordlists and settings markers 22:45 - Discovering the PDF ReportHub generates uses ReportLab which has a known vulnerability 28:40 - Shell returned on the box as Blake 29:50 - Copying the SQLite Database ReportHub uses to our box over SQLite so we can dump it 31:50 - Spraying passwords again from the SQLITE Database, getting OpenFire's password then using RunasCS to get a shell as openfire 35:50 - Setting up a reverse socks proxy with chisel so we can hit ports listening on localhost 39:20 - Going over how the Openfire Auth Bypass works, using Unicode to bypass an acl 54:50 - Logged into Openfire, uploading the management plugin to get a shell as openfire 59:30 - Decrypting the Openfire password out of its database to get administrators password