HackTheBox - Charon
1:30 - Rabbit Hole - Searching for SuperCMS
6:23 - Running enumeration in the background (GoBuster)
7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
12:53 - Manual Identification of SQL Injection
15:50 - SQL Injection Explanation
17:20 - Rabbit Hole - Starting SQLMap in the Background
18:10 - SQL Union Injection Explanation
19:30 - Identifying "Bad/Filtered Words" in SQL Injection
21:02 - SQL Union Finding number of items returned
21:48 - Returning data from Union Injection
22:48 - SQL Concat Explanation
23:55 - Enumerating SQL Databases Explanation (Information_Schema)
25:46 - Returning Database, Table, Columns from Information_Schema
29:30 - Scripting to dump all columns
36:45 - Listing of columns in SuperCMS
37:15 - Dumping User Credentials
41:36 - Logging in and exploiting SuperCMS
47:00 - Return of reverse shell
48:40 - Transfering small files from shell to my machine
50:56 - Using RsaCtfTool to decrypt contents with weak public key
52:52 - Breaking weak RSA manually
1:01:20 - Begin PrivEsc to Root
1:02:40 - Transering large files with NC
1:03:50 - Analyzing SuperShell with BinaryNinja (Paid)
1:06:04 - Analyzing SuperShell with Radare2 (Free)
1:08:22 - Exploiting SuperShell
1:12:46 - Encore. Getting a Root Shell with SetUID Binary