HackTheBox - Quick

00:00 - Intro
00:48 - Begin of Nmap, examining the page and running gobuster
03:30 - Identifying some extra care
04:30 - Adding portal.quick.htb to the host file so we can resolve hostname
06:00 - Trying to identify if the web application will tell us if an account is valid
07:20 - Building an email list based upon clients and then running wfuzz to try and identify valid emails
12:00 - Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP
16:30 - Installing Quiche so we can navigate to the http3 site
19:40 - Having Quiche download files, discoving an initial password then revisiting the bruteforce to gain access to a ticket system
30:30 - Using wfuzz to search the helpdesk for all tickets
35:50 - Finding ESIGATE is vulnerable to xml entity injection
40:20 - Testing the XXE Attack to see if it connects to our webserver
41:50 - The server keeps putting the full URL in its GET Request, which messes with pythons webserver. Switching to PHP's built in will fix this.
45:20 - Failing to get a reverse shell to execute via XSLT, switching to download a file and execute it
56:45 - Reverse Shell Returned as SAM
58:30 - Finding printerv2.quick.htb and a little apache confusion its only listening on port 80. Esigate listens on 9001 then redirects to 80
01:04:20 - Dumping password hashes from MySQL to discover the server does some mangling of the password before md5sum, so we cant use hashcat
01:07:45 - Creating a cracking script in PHP
01:13:15 - Logging into the application and seeing we can print jobs, then looking at source code to see how its doing it
01:16:40 - Creating a script to abuse the race condition of printing a document. To replace documents with a symlink to sensitive files prior to printing.
01:25:20 - Printing out the SRVADM SSH Key
01:27:30 - Finding a password in the cups configuration file, which is the root password