HackTheBox - TheNotebook

00:00 - Intro 00:50 - Start of nmap 02:40 - Checking out the webpage, trying to identify the language running the page 03:50 - Exploring how Add Note works and testing SSTI/SQL/XSS 06:30 - Checking out the cookie to see how the JWT is encoded 07:30 - JWT.IO shows the JWT is RS256 and there's a URL for the privKey 08:30 - Editing the PrivKEy, I'm not sure why i didn't do this within the JWT.IO website... 10:00 - Confirming the server goes to us to get the PrivateKey 10:45 - Using ssh-rsa/openssl to create a RSA Key and forging the JWT 14:55 - Exploring the IDOR Vulnerability to see if unauthenticated users can access notes 18:45 - Uploading a PHP File to confirm code execution then a reverse shell. 21:23 - Identifying when the box was created by looking at SSH Host Keys, then using find to list files created around that time 26:20 - My reverse shell keeps crashing, doing the finds without the PTY Trick to find a backup that has an SSH Key 30:50 - SSH into the box with the SSH Key and discovering we can use sudo to access Docker 31:40 - Exploring the docker for sensitive information that could be used to access other users on the box 34:25 - Looking at the Docker Version to see it from 2018 and finding a vulnerability 36:10 - Performing CVE-2019-5736 to get root