HackTheBox - Toby

00:00 - Intro 00:50 - Start of nmap 03:30 - Discovering backup.toby.htb and discovering GOGS 07:40 - Discovering a backup project in toby-admin, which is wordpress 09:38 - Downloading and running php malicious file scanner and finding a backdoor in the web code 13:30 - Finding the backdoor in comment.php and finding out its packed a bunch of times. Using a loop to get it back to the original code. 19:00 - Analyzing the depacked malware, to see it will run a function on a specially crafted comment 22:40 - Placing the comment which should trigger the backdoor, then analyzing what happens 23:40 - Wireshark shows the box starts a request on port 20053, listening and discovering it sends us data encryped with our secret 28:20 - Changing the secret to be 00, so it doesn't xor anything making it a bit easier for us to analyze 29:25 - Sending it a command by XOR'ing it with the key the server sends back to us 32:00 - Creating a python script to automate this 40:22 - Reverse shell returned python isn't there so using script to get our regular TTY 42:15 - Looking at /proc to see network information since ifconfig and ip are not on the box 50:20 - Running chisel to setup a proxy back to us 58:00 - Connecting to the MySQL Database to crack wordpress accounts 1:01:10 - Logging into the GOGS instance as toby-admin, downloading personal-webapp source code 1:04:30 - Making the webapp talk initiate a MySQL Connection back to us 1:06:20 - Editing our mysql instance to allow a host, but first we have to reset our mysql root password 1:10:00 - Extracting the SALT + Password from wireshark of MySQL Trying to log into us, figuring out how to convert it so we can crack 1:16:38 - Converting the SALTS to hex, which is what hashcat needs, then trying to crack the mysql password but failing 1:18:35 - Discovering the password used the password generator which is using the epoch time as a seed for random 1:19:30 - Copying the PWGenerator code to create a new wordlist of all potential passwords