HackTheBox - Hawk

01:00 - Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver 03:50 - Checking FTP Server for hidden files 04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher 08:20 - Creating a bunch of files varying in length to narrow likely ciphers down. 14:35 - Encrypting all of the above files and checking their file sizes 22:45 - Decrypting file, obtaining a password 24:25 - Begin looking at Drupal, running Droopescan 25:12 - Manually examining Drupal, finding a way to enumerate usernames 25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames 28:15 - Logging into Drupal with Admin. 29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code 32:30 - Reverse Shell Returned 33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root 37:00 - Hunting for passwords in Drupal Configuration 39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed) 40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel 44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address 50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console. 51:45 - Logging into H2 by using a non-existent database, then testing code execution 52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service. 59:50 - Reverted box, cleaning up environment then getting reverse shell 01:02:45 - Discovering could have logged into the database with Drupal Database Creds.