HackTheBox - Flujab

01:30 - Begin of Recon 04:15 - Adding DNS Names to /etc/hosts 05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages 11:00 - Start of looking at FreeFlujab.htb 15:40 - Looking at HTTP Cookies we send 17:40 - Editing Cookies in Firefox 19:50 - Discovering SMTP_CONFIG, which lets us change where the mail server is 21:50 - Using FireFox to remove character restrictions on a page 24:15 - The WebPage kept resetting our cookie, using Burp to auto replace 27:30 - Standing up a SMTP Server in python to read mail 30:20 - Discovering SQL Injection 34:50 - SQL Injection confirmed, testing Union Injections 37:40 - Creating a Python Script to aid us in running SQL Injections 37:40 - Script: Running a SMTP Server in background thread 41:35 - Script: Adding ability to use arrow keys to go to previous command 46:42 - Script: Making our command prompt send HTTP Requests 52:40 - Dumping database structure from INFORMATION_SCHEMA 1:05:00 - Dumping information out of the VACCINATIONS Table 1:07:50 - User information dumped, cracking a sha256 hash 1:11:00 - Accessing a new HOSTNAME from the database (sysadmin-console-01) 1:16:00 - Logging into Ajenti 1:17:00 - Discovering Notepad can read files from the server 1:24:10 - Looks like there was a SSH Key Compromise on the box from a README File 1:27:40 - Searching the compromised debian keys for one on the box 1:29:48 - Able to SSH Into the box with the Key! However we are in restricted bash 1:30:30 - rBash escape 1: Using GTFOBins to find a way to escape restricted bash 1:32:30 - rBash escape 2: Using -t bash argument in SSH to escape restricted bash 1:33:30 - Exploiting an old version of Screen to PrivEsc! * Second way to get a shell on the box * 1:43:40 - Creating files in /home/sysadm 1:46:40 - SSH is configured to allow public keys to also be placed in ~/access 1:48:00 - Reading Ajenti Documentation to see API lets us change file permissions 1:50:00 - Ajenti wants the CHMOD Number to be in a weird format