HackTheBox - Breadcrumbs

00:00 - Intro
00:45 - Start of nmap
03:50 - Poking at the website
05:20 - Quickly testing for SQL Injection and coming up with nothing
12:30 - Creating an account and checking what regular users can do
14:15 - Using BurpSuite Sequencer to identify low entropy within login cookies
18:30 - Finding the 302 redirect still outputs the page, its just that the browser doesn't want to show it
21:10 - Creating a simple PHP File to be uploaded
23:00 - Finding the /books/ url and checking the book search page again to find LFI
28:00 - Building a quick python script to automate the LFI
38:00 - Windows is really weird with SSH, need to disable PubKeyAuth in order to login with a password
39:50 - Looking at the fileController php file to see who can upload files
43:00 - Looking around the source code to examine how PHP Sessions are built, so we can impersonate Paul
46:35 - Running makesession with all permutations so we can get Pauls login cookie
50:15 - Logged in as Paul, now we need to modify the JWT token to say we are Paul
53:50 - We can now upload php files! Some light AV Evasion and have a reverse shell with Nishang
59:50 - Finding Juliette's password within the web application and SSH'ing into Windows
1:02:20 - Hunting for Microsoft Sticky Notes and finding the Developer Password
1:10:50 - Logged in as Development, finding a linux app to reverse in ghidra
1:14:50 - Mimicing the curl requests by the linux app to port localhost:1234, so using SSH to forward that. (the localhost screws things up)
1:19:03 - Our curl still isn't working, figuring out the master key to see if the linux application works.
1:21:50 - The localhost in our SSH Port Forward is causing weird issues, changing it to 127.0.0.1 fixes it
1:23:10 - The app works, testing for SQL Injection
1:25:10 - Using information_schema to dump information about the database (databases, tables, columns), then extracting all info
1:28:40 - Using cyberchef to decrypt the AES Blob from the database
1:30:45 - PSExec isn't working (av?), switching to wmiexec and getting a shell.