HackTheBox - Chaos

01:05 - Beginning of recon
02:20 - Starting up GoBuster then editing /etc/hosts to add the hosts in nmap
03:20 - Going over the website
06:00 - Discovering a WordPress instance (/wp/ from GoBuster)
09:50 - Finding webmail credentials from a WordPress Protected Post
10:30 - Discovering webmail.chaos.htb (Method 1)
12:50 - Testing IMAP, then configuring Evolution to login to the mail server (Method 2)
16:40 - Decrypting the message that was in the draft.
22:55 - Message decrypted, new page discovered
23:11 - Discovering a webpage for creating PDFs
24:10 - Searching for a code injection path for LaTeX
24:45 - Discovering the blacklist is on "input"
25:30 - Testing for blind command execution via ping
27:43 - Reverse Shell Returned
28:10 - Enumerating the web directory to find passwords
29:11 - Switching to the "Ayush" user with mail password, discover we are in rBash
29:45 - Escaping rBash via tar (Method 1: GTFOBins)
31:00 - Escaping rBash by editing path (Method 2)
32:55 - Discovering a Mozilla user configuration directory, copying it off to export passwords
36:30 - Using firefox_decrypt to export root password
37:30 - Logging into Webmin with credentials from Firefox
37:50 - Privesc via switching to root user with known password (Method 1)
38:10 - Using Webmin to execute commands as root (Method 2)

Reviewed by Anonymous on May 25, 2019. Rating: 5