HackTheBox - Surveillance

00:00 - Introduction 01:00 - Start of nmap 02:45 - Discovering an exploit for Craft CMS, it doesn't work out of the box because of a typo on exploit-db looking into this exploit 06:00 - Walking through the Exploit Script 11:45 - Getting a shell on the box with the script that was on Github 14:45 - Logging into the CraftCMS Database, finding the password 17:30 - There is a backup of the database in the storage directory, which contains an old password for Matthew 22:45 - Linpeas shows us configurations for ZoneMinder, which lets us into another table of the database 25:20 - Setting a port forward so we can access ZoneMinder, then updating the password so we could login (not needed but fun to do) 29:20 - Showing an unauthenticated exploit in ZoneMinder 31:40 - The ZoneMinder user can run zoneminder scripts with sudo 33:30 - Finding a command injection in ZMUPDATE, getting shell as root 42:20 - Showing ZoneMinder lets you set the LD_PRELOAD which is another way to get root 55:50 - Showing the intended way to exploit ZoneMinder to get a shell as the ZM User, authenticated RCE