HackTheBox - AI

01:05 - Begin of Recon 01:50 - Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files. 03:45 - Playing with the File Upload, failing to identify how uploaded files are stored 05:20 - Investigating PHP Files that GoBuster found, discovering intelligence.php 06:30 - Searching for Text to Speach programs (create WAV Files) 08:50 - The first program didn't do a good job saving WAV Files, Downloading Festival 09:17 - Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides) 11:05 - Using text2wave to create wav files and upload them, then discover a SQL Injection over voice 14:04 - Having trouble getting the voice recognition to recognize the word union. Using "intelligence.php" to discover alternative words. 19:10 - Extracting the username and password out of the database, then logging in via SSH 21:00 - Investigating how the file upload script works, turns out to be a dead end 23:40 - Running linPEAS to check other privesc paths (see JDWP) 26:50 - Enumerating the local MySQL Database to get other credentials 28:00 - Starting to investigate the Tomcat ports (8000, 8009, and 8080) 29:00 - Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat 30:20 - Doing SSH Tunnels from within a SSH Session (~c) to forward port 8000 without reconnecting to SSH 32:10 - Manually using JDB to execute a command via java.lang.Runtime 42:30 - Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier