HackTheBox - Redcross


00:20 - Flow chart of potential paths through this box
02:25 - Begin of recon, SSL Enumeration, examining PHP Behavior
06:23 - Using GoBuster to discover directories, PDFs, and PHP scripts
08:10 - Using wfuzz to discover subdomains (virtual host routing)
12:15 - Guessing credentials, logging in with guest:guest, discovering SQL Injection
16:45 - Manually doing an error-based SQL Injection with extractquery()
** Go watch the Enterprise Video if you want Double Query Based Errors **
31:50 - A good screenshot showing the SQL Inject Queries used, then cracking
35:00 - Doing the SQL Injection with SQLMap, needed the delay flag!
** Going back to start of box
37:50 - Examining the account-signup.pdf to create a user
39:50 - Doing XSS (cross site scripting) to steal a cookie of the admin
43:15 - Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work
46:15 - Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail
48:38 - Playing with the Firewall portion of the site, discover command injection in deleting rules!
52:28 - Reverse shell as www-data
54:40 - Discover postgresql credentials in actions.php, this database lets you create users!
1:00:21 - Inserting a user into the database, then logging in with SSH
1:02:40 - Examining /etc to discover a different postgresql account-signup
1:04:50 - Adding a root user with the new credentials, then sudo to root!
*** Going back to just adding our IP to the whitelist in firewall
1:06:29 - Discovering Haraka running
1:09:10 - Using Metasploit to exploit Haraka, get shell as penelope
1:12:26 - Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account.
*** Going back, let's do the overflow! No postgres at all
* Go watch Bitterman if this is confusing
1:15:50 - Examining iptctl.c
1:19:56 - Using Pattern_Create to discover where the RSP (RIP) overwrite occurs.
1:21:15 - Start of python script
1:24:11 - Dumping PLT functions to use with our ROP chain (no ASLR on binary)
1:28:00 - Getting pop gadgets with radare
1:29:40 - Building our ROP Chain
1:34:28 - Exploiting the binary! To get root.

Reviewed by Anonymous on April 13, 2019. Rating: 5