HackTheBox - Nightmare

01:50 - Start of Recon
04:58 - /documents and /secret rabbit hole enumeration
08:13 - Using wfuzz on the /secret rabbit hole to find argument for download.php
13:40 - Beginning of Web Application Enumeration, some XSS Found
18:23 - Throwing bad characters in username and finding Second-Order SQL Injection
23:50 - Beginning of Union Injection to dump the database via Second-Order SQL Injection
39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH
43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing)
53:00 - Converting 64-Bit SFTP Exploit to 32-Bit
01:11:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary
01:22:55 - Reversing SLS binary with Radare2 (r2)
01:47:53 - Exploiting SLS Binary with newline character (Get to Decoder User)
01:51:47 - Beginning of Kernel Exploitation (CVE-2017-1000112)
01:56:00 - Kernel Exploit Compiled (silly mistake before)
01:59:52 - Creating a new lsb-release file so exploit can identify kernel
02:07:03 - Recap of Box
02:09:56 - Creating a Tamper Script to do Second-Order SQL Injection

Reviewed by Anonymous on July 07, 2018. Rating: 5