00:00 - Intro
01:05 - Start of nmap, then going over the website
03:30 - Examining all the pages on the blog
04:40 - Looking at the report parameter, doing some light testing for SQL Injection before moving on to IDOR
07:00 - Using ffuf to bruteforce all reports matching upon a word (phrase) on the page
11:00 - Attempting to figure out if the md5sum in the logs URL is random by submitting the hash to crackstation
13:00 - Discovering a file upload vulnerability, faking a PDF and uploading a PHP Shell
18:25 - When using a PHP Shell System() commands don't work. Uploading PHPInfo to view disabled functions and seeing System is blocked
21:00 - Getting code execution through Popen() which wasn't blacklisted
24:30 - Reverse shell returned
26:55 - Discovering another webserver is running on localhost, turns out to be Wordpress
29:50 - Exploiting the wordpress plugin BrandFolder to get a shell as Lexi
35:00 - Lexi has an SSH Key, using SSH to access the server and then setting up a tunnel to access the wordpress site and checking out the PWDMS Plugin
40:55 - Using MySQL to reset a wordpress password, so we can log in
43:50 - Gaining access to the box as John
46:30 - Finding a Virtual Box file that has an encrypted VDI
48:20 - Using Hashcat to crack the VirtualBox VDI File
52:55 - Installing the VirtualBox extension that would allow us to utilize an encrypted VDI
56:45 - Decrypting the VirtualBox VDI Image with VBoxManage
58:45 - Mounting the VirtualBox VDI Image and discovering the hard drive is encrytped with LUKSv2
59:50 - Cracking the LUKS v2 Password
1:02:00 - Mounting the Luks Drive then discovering a bunch of scripts
1:03:55 - Doing some bash-fu to extract all variables and run them against the ent command to display entropy, then discovering the password somewhat sticks out, which gets root
1:08:50 - Another fun trick to find passphrases. Creating a regex to path for WORDS_seperated-LIKE-this
Support the originator by clicking the read the rest link below.
