HackMyVM - Klim

*any action done in the video is only for educational purpose only*

Timestamps
00:00 - Intro
00:20 - Runnning netdiscover to find the IP of the box
00:21 - Start of nmap scan & enumerating apache2
00:46 - Running gobuster to find directories
1:06 - Visiting /wordpress and enumerating WordPress for users and posts
2:07 - Running wpscan to enumerate for users & brute force user klim
3:19 - Looking under wp-content to find a picture that has stego (really CTF'y)
3:50 - Using stegseek to brute force the password & viewing the data dump
4:28 - Going to cyber chef to URL Decode
4:50 - Viewing the "log" and "pwd" params and it contains a password for klim
5:02 - Using the password found on WordPress
5:10 - Getting a login successful as klim!
5:13 - Creating WP Plugin & Uploading a WordPress plugin to get RCE
7:01 - Getting RCE and we are www-data
7:04 - Sending the request through BurpSuite to get a reverse shell
8:15 - We got our shell!
8:20 - Spawning a TTY shell
8:40 - Doing manual enumeration on users under /home & finding a executable
8:52 - Finding out we can run the executable as klim with no password
9:01 - Enumerating config file (wp-config.php) for WordPress and trying a password reuse for the user
9:37 - We don't know what the executable to doing so we use gdb-peda to find what the program is executing
11:53 - Creating our own file to see if the executable will use the "/usr/bin/cat" command to cat our file
12:55 - Using the executable to cat out klims SSH private key
13:15 - Setting permission for the private key and logging in as a user
13:43 - Doing manual enumeration and find a SSH public key for root
13:52 - Finding out if the key was generated by ssh-keygen or openssl
14:18 - Looking for an exploit for openssl
14:47 - Using wget to get our keys & using tar to extract the keys
15:23 - Using wget to get our exploit & running the exploit
16:30 - Running our exploit
16:46 - The key was found!
16:53 - Using the key found to log into root
16:59 - Got root & catting out our root.txt