HackTheBox - TheNotebook

00:00 - Intro
00:50 - Start of nmap
02:40 - Checking out the webpage, trying to identify the language running the page
03:50 - Exploring how Add Note works and testing SSTI/SQL/XSS
06:30 - Checking out the cookie to see how the JWT is encoded
07:30 - JWT.IO shows the JWT is RS256 and there's a URL for the privKey
08:30 - Editing the PrivKEy, I'm not sure why i didn't do this within the JWT.IO website...
10:00 - Confirming the server goes to us to get the PrivateKey
10:45 - Using ssh-rsa/openssl to create a RSA Key and forging the JWT
14:55 - Exploring the IDOR Vulnerability to see if unauthenticated users can access notes
18:45 - Uploading a PHP File to confirm code execution then a reverse shell.
21:23 - Identifying when the box was created by looking at SSH Host Keys, then using find to list files created around that time
26:20 - My reverse shell keeps crashing, doing the finds without the PTY Trick to find a backup that has an SSH Key
30:50 - SSH into the box with the SSH Key and discovering we can use sudo to access Docker
31:40 - Exploring the docker for sensitive information that could be used to access other users on the box
34:25 - Looking at the Docker Version to see it from 2018 and finding a vulnerability
36:10 - Performing CVE-2019-5736 to get root