HackTheBox - Writer

00:00 - Intro
00:49 - Start of nmap
06:10 - Discovering admin login page, running SQLMap and discovering it is SQL Injectable
07:45 - Testing for SQL Injections in the username and password, discovering injection in the username
10:15 - The administrative interface lets us upload images, failing to upload a PHP shell
14:30 - Using the SQL Union Injection to extract source code via Load_file, then creating a python script to automate it
17:35 - Creating a Regular Expression in Python to grab only the data we want and be multiline
22:45 - Downloading a good LFI Wordlist and then using it with our python script to find interesting files
26:30 - Finding the apache configuration which gives us where the web application lives
27:10 - Updating our LOAD_FILE command to utilize TO_BASE64 in order to get around the web application doing HTML Entity Encoding
33:30 - Discovering a hardcoded password in the Python Flask web application
35:05 - Discovering command injection in how the web application handles URLs
37:20 - Simplifying our reverse shell by using a base64 cradle
40:04 - Having trouble uploading the image, we create the image manually on our box so the image upload form builds the request for us. Then getting a shell
45:10 - Discovering another database password within the second web application, cracking a password then switching to the Kyle user
51:00 - Using find to find files owned by a group
51:45 - Examining the Postfix config to see it executes the Disclaimer script as John and is editable by our group. Edit the file, then send an email to get a shell as John.
55:00 - Showing John doesn't get all the groups assigned to him from the Postfix shell. SSH allows this group to be assigned to him
57:24 - Write access to apt.conf.d, creating a pre-invoke script, which is a persistence technique to run code whenever apt is run
1:01:04 - Showing the intended route of this box by editing a Python script over SMB
1:04:30 - Using the Image Upload form as a SSRF in order to access the second web application listening on localhost