HackTheBox - Timing

00:00 - Intro 01:05 - Start of nmap 02:00 - Running feroxbuster and discovering image.php 05:05 - Fuzzing image.php for parameters and discovering an LFI 07:15 - Enumerating the WAF to find blacklisted strings and then using a php filter to extract source 10:00 - Examing the login.php source code and discovering a timing attack 12:00 - Demonstrating attempting to login with valid users takes a longer time so we can bruteforce users 14:10 - Creating a python script to enumerate users 21:00 - Logging in with aaron:arron (guessed the password) 22:30 - Extracting upload.php and admin_auth_check.php to see how we can upload files 23:30 - Attempting a mass assignment vulnerability on profile_update.php and discovering we can change our roles 28:00 - Discovering a timing attack to discover filenames uploaded, which can be chained with our LFI to execute code 31:50 - Using the CLI PHP Interpreter to generate potential filenames 34:00 - Uploading a webshell and then generating the filename based upon time 38:50 - Executing commands on the box, discovering we can't do reverse shells 43:30 - Using my Forward Shell Python script to gain an interactive shell on the box 50:40 - Discovering a backup directory that has the web source but also the git repo 51:20 - SSH in as aaron and discovering he can run the netutils binary with sudo, which uses Axel to download files 54:00 - Tricking axel to write to authorized_keys via symlinks 56:40 - Demonstrating we didn't need that sleep(1) for the initial timing attack where we can enumerate valid users to work