HackTheBox - Patents

00:00 - Intro 01:00 - Begin of nmap, there's a weird 8888 port. 03:55 - Looking at the website, downloading a docx 06:30 - Finally running GoBuster, doing the raft wordlist because it has "UpdateDetails" 15:15 - Running GoBuster against the "release" directory to get release notes and researching XML and DocX 22:00 - Adding an XXE Payload into our Word Document: customXml/item1.xml 26:15 - Making an XXE Chain to extract files using HTTP and PHP's Encoder 33:20 - Extracting the Apache Config to see DocRoot, then extracting config.php 37:40 - Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens with bad regex to remove things. 42:10 - Exploring Log File Poisoning 54:00 - Shell returned on the box, fixing up the TTY and searching for files by creation time 58:30 - There's a file in /opt/, that hints at a cronjob running a task every minute. Running PSPY to see the process creation 01:01:40 - Password is exposed in the command, this is the root password to the docker. Exploring the Cron and /opt/lfm directory 01:11:25 - Exploring the lfm directory and examining old git commit's to get the binary of lfmserver and some old source code. 1:15:00 - Opening up on Ghidra, defining main 1:17:20 - Going into the first piece of the program which looks like an argument check. Looking at the source to verify we are correct. 1:20:30 - Searching for the password in the binary to see where it is used. Use GDB to help us understand what is happening 1:24:30 - Start of creating an exploit script 1:29:50 - Changing the password to ippsec, and looking at it in GDB to confirm a variable... Bunch more playing around learning the binary 1:44:10 - Discover the applicaiton is expecting files to be in /files/, behaves like DOC_ROOT 1:45:10 - Explaining where I think the Buffer Overflow Happens (URLDecode) 1:50:00 - Crashed the applicaiton, discovering the correct spot to overwrite with "pattern create" 1:54:00 - Using Ropper to find some pop gadgets to use, then cre