HackTheBox - Fortune
01:04 - Begin of recon
04:41 - Exploring the web page on port 80
06:02 - Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection
11:06 - Creating a hotkey in Burpsuite to send requests in repeater pane
11:50 - Start of creating a python program to automate this
17:30 - Script finished
18:30 - Exploring /var/appsrv
21:15 - Exploring authpf
22:30 - Hunting for the signing key for the CA to view HTTPS
24:40 - Copying the certificates to our box
26:00 - Creating and signing a Client Certificate
28:50 - Importing the certificate into FireFox
30:49 - Discovering the reason our certificate isn't working (time of server is behind)
31:50 - Accessing the HTTPS Website to get a SSH key for NFSUSER
33:40 - Discovering additional ports are open after using SSH with NFSUSER
34:45 - Installing the NFS-COMMON package to get the showmount binary
35:10 - Mounting a NFS Share with Version 2
36:00 - Editing our User ID on our box to gain access to the NFS Directories
37:00 - Reading mail to discover that the root password is set to the Postgres databases root pw
37:30 - Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)
40:20 - SSH into the box as Charlie and dumping the database
43:40 - Exploring the source code to the web application
47:00 - Copying the crypto python script to our box, which will let us decrypt it
47:40 - Copying the secrets into the crypto python script and decrypting the password