HackTheBox - CrimeStoppers

01:18 - Begin of Recon: Getting ubuntu version 04:00 - Navigating to the CrimeStoppers Page 05:15 - First Hint - Read The Source! 05:50 - 2nd Hint - No SQL Databases and playing with the upload form 07:55 - 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt 09:00 - Explanation of PHP App and why I went down testing $op parameter 10:45 - Testing $op parameter, another hint what year is it? 12:20 - Finding out $op appends .php 13:05 - Using php b64 filter to view php files ("Read the source luke") 22:50 - Looking into PHP Wrappers to try to gain code execution 24:50 - Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server 26:20 - Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload. 30:30 - Easy way to copy binary data into BurpSuite (Base64) 34:10 - Getting a shell 37:18 - Downloading ThunderBird Directory and reading email + getting dom's password 46:20 - Begin of looking into Apache Rootkit (mod_rootme) 48:04 - Begin of using r2 (Radare) to analyze rootkit, basic intro 50:55 - Analyzing DarkArmy Function 55:30 - Grabbing the strings and using python to XOR them to get secret that allows root 58:35 - Get Root ##### BOX DONE 59:10 - Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary 01:04:20 - Second way to get root, looking around at file modification times to find FunSociety in logs