HackTheBox - Static

00:00 - Intro 01:05 - Start of nmap 02:50 - Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon] 04:20 - Corrupted GZIP, using zcat to view it and fixgz to repair 08:30 - Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV) 14:20 - Talking about things I would be monitoring for on Login Forms [Detection] 16:45 - Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later 20:15 - VPN Connection established, looking at routes. Adding additional routes that don't exist 28:30 - Going over the NMAP ran from the second VPN 30:40 - Fully understanding the weird behavior from /vpn earlier on. It is indeed a reverse proxy. [MasterRecon] 32:00 - Exploiting the fact that XDEBUG is enabled on info.php 41:40 - Running Chisel to create a pivot rhrough web to access mysql 42:10 - The Multiple VPN MTU Issue explained, demonstrating i can't send big packets because of chunking 48:00 - Finishing with setting up the chisel tunnel 51:45 - Switching up chisel to look at PKI. 53:34 - Running PHuiP-FPizdaM to exploit PHP-FPM/7.1 57:23 - Changing up our Chisel so we can send a reverse shell through the web box 1:01:45 - Looking at the ersatool source code to find a printf/format string vulnerability 1:04:15 - Verifying we have the format string vuln and some really basic talk about it 1:07:30 - Exploring the memory around our leaked address to defeat ASLR and edit the variable we want 1:10:30 - Start of a pwntools script to exploit format string 1:15:48 - Pwntools successful leak and calculating offset to the string we want to manipulate... cleaning up the script a little 1:19:05 - Explaining how we are going to write to an address and why the null byte is a small problem 1:27:15 - Overwriting the ERSA_DIR variable 1:33:55 - Tons of funny failing trying to verify this exploit worked