HackTheBox OneTwoSeven


00:42 - Beginning of recon
01:08 - Examining the webpage
04:28 - Discovering SFTP Credentials on the web page
07:00 - Playing with the SFTP Server
08:40 - Discovering the SymLink command to break out of home directory
09:40 - Symlinking the root directory to find the source of login.php through VIM SWP Files.
13:00 - Second way to get source code, symlink with a file name that does not end in PHP
15:30 - Examining the source code to login.php and getting a hard coded username
18:10 - Examining index.php to see how to access a login portal (admin)
19:20 - Using SSH to do port forwarding (Reddish)
21:20 - Examining the admin web page
24:13 - Examining the Apache Rewrite Engine Rules
25:10 - Checking the source code to addon-manager to identify how upload/download features work
26:15 - Explaining the Rewrite attack
30:40 - Uploading a reverse shell, then executing
33:30 - Reverse shell returned
34:30 - Can sudo with apt, checking GTFO Bins
36:00 - Looks like we can MITM Apt due to passing a proxy through sudo
37:00 - Configuring Burp to act as an HTTP Proxy and pass it to Python
40:50 - Creating the Malicious APT Repo
45:30 - Creating the Malicious Deb File
51:30 - Getting the Root Shell

Reviewed by Anonymous on August 31, 2019. Rating: 5