HackTheBox - Crossfit

00:00 - Intro
01:08 - Installing Obsidian which lets us take notes in Markdown format
03:10 - Running nmap to see FTP over SSL and it has certificates
05:20 - Using openssl to grab the SSL Certificate from FTP
06:50 - Going over the web page extracting emails, people, and user input locations
08:20 - Installing flameshot, which helps us take better screenshots
18:15 - Testing each contact form with XSS Cross Site Scripting
19:10 - XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins
23:10 - Putting XSS Payloads in the User Agent
25:25 - XSS Attempting to steal cookies with a basic payload, failing here. Document.location is lazy, should do document.write to write an image so the user is not redirected.
27:50 - Using ffuf to bruteforce domains via the CORS Origin header to discover FTP
33:35 - XSS Using XMLHttpRequest to use the victims browser like a proxy and return web pages to us
38:20 - XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to create a user
46:50 - Using lftp to login to the ftp and upload a webshell to development-test
57:50 - Shell returned as www-data, finding a Hank's password in /etc/ansible/playbooks
1:16:05 - SSH as hank and examine the send_updates.php file to find command injection
1:24:40 - Finding credentials for ftpadm which lets us create a file to trigger the command injection
1:33:40 - SSH as Isaac and doing some basic enumeration, explaining why we can't see processes from other users hidepid is set on /proc
1:35:50 - Using find to do a bunch of IR to find what is unique about hank
1:37:50 - Using find to look for files modified between two dates and dbmsg stands out
1:42:10 - The dbmsg stands out due to its timestamp having nanoseconds, it is the only file like this in /usr/bin
1:51:00 - Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time
1:56:15 - Attempting to name variables based upon what we think they are
2:03:00 - Attempting to explain how we are going to get code execution through symlinks
2:07:50 - Creating a C Program to set the seed to be the next minute + 1 second and call RAND()
2:13:40 - Incorrectly putting data into database in order to trigger the file write exploit
2:21:40 - Changing up how we put things into the database and hoping we write the key correctly
2:27:45 - Explaining why we broke the ssh key up into multiple variabes. The fputsc(0x20) is the spaces
2:28:50 - Cleaning up our notes
2:43:10 - using cat to combine all pages into one, then exporting to PDF