HackTheBox - Writer

00:00 - Into 00:49 - Start of nmap 06:10 - Discovering admin login page, running SQLMap and discovering it is SQL Injectable 07:45 - Testing for SQL Injections in the username and password, discovering injection in the username 10:15 - The adminsitrative interface lets us upload images, failing to upload a PHP Shell 14:30 - Using the SQL Union Injection to extract source code via Load_file, then creating a python script to automate it 17:35 - Creating a Regular Expression in Python to grab only the data we want and be multiline 22:45 - Downloading a good LFI Wordlist and then using it with our python script to find interesting files 26:30 - Finding the apache configuration which gives us where the web application lives 27:10 - Updating our LOAD_FILE command to utilize TO_BASE64 in order to get around the web application doing HTML Entity Encoding 33:30 - Discoving an hardcoded password in the python flask web application 35:05 - Discovering command injection in how the web application handles URL's 37:20 - Simplifying our reverse shell by using a base64 cradle 40:04 - Having troubles uploading the image, create the image manually on our box, so the image upload form creates the request for us. Then getting a shell 45:10 - Discovering another database password within the second web application, cracking a password then switching to the Kyle user 51:00 - Using find to find files owned by a group 51:45 - Examaning the Postfix config to see it executes the Disclaimer script as John and is editable by our gorup. Edit the file, then sent an email to get shell as John. 55:00 - Showing John doesn't get all the groups assigned to him from the Postfix shell. SSH allows this group to be assigned to him 57:24 - Write access to apt.conf.d, creating a pre-invoke script which is a persistence technique to run code whenever apt is ran 1:01:04 - Showing the intended route of this box by editing a python script over SMB 1:04:30 - Using the Image Upload form as a SSRF in order to ac