HackTheBox - OpenAdmin

00:00 - Intro 02:35 - Running GoBuster to discover /music/, checking the page to try to find out what it is. 05:00 - Going to login reveals this is OpenNetAdmin version 18.1.1, searchsploit isn't updated and fails to find the correct exploit 06:00 - Showing what to do when an web exploit script gives HTML 10:30 - Finding the correct exploit script, setting it to go through burpsuite 15:30 - Failing to get a reverse shell for a bit because of bad characters (explained at end, we needed to URL Encode it). 23:30 - Reverse shell worked when doing the python one. 25:30 - Running LinPEAS 31:30 - Looking for a config file with database connection info 33:00 - Exploring the MySQL Database to get additional creds 37:40 - Running Medusa to test the passwords against users on the box to discover we can login as jimmy 38:40 - Showing of "sucrack" to brute force with "su" incase SSH Was not open 44:00 - Running find to see what files are owned by Jimmy to see some new php scripts 45:00 - Discovering a second webserver, accessing main.php lets us read an SSH Key... Digging into why, because it looks like it wants us to login (forgot the die; command) 48:10 - Lets try it the "correct" way with an SSH Tunnel and using firefox to login, going down a "magic hash (===)" rabbit hole. When we could just crack the pw. 1:01:20 - Running John to crack the SSH Key 1:08:35 - Linpeas shows Joanna can run nano with sudo 1:14:30 - GTFOBins shows a way to have nano execute commands 1:19:00 - GOING BACK: URL Encoding the the original RCE to see a standard bash revshell would work