HackTheBox - Unattended

01:00 - Beginning of recon
03:30 - Running GoBuster to discover /dev and index.php
06:50 - Checking out the web application
07:55 - Discovering SQL Injection in ID and playing with it
11:45 - Running SQLMap to dump pieces of the database
14:55 - Nginx Misconfiguration, missing trailing slash
19:10 - Downloading source code of the application
21:20 - Exploring the source of the application
25:47 - Specifying an error string in SQLMap to have it do boolean logic versus time-based
27:00 - Installing a Docker LAMP Server to run the web application
45:40 - Finally got the application running locally (Missed a comma which created a lot more work)
46:15 - Analyzing the SQL Injection with Debug turned on to see how it works
50:00 - Explanation of gaining code execution through an LFI + PHP Cookies
53:00 - Exploring the cookie
55:40 - Have code execution on our docker, let's exploit the server
01:00:00 - Reverse Shell returned
01:02:35 - Exploring MySQL database and escalating to GULY
01:08:30 - Running LinEnum as Guly and going through the results
01:12:00 - Exploring files Guly can access due to Grub Group, downloading initrd
01:14:10 - Decompressing initrd.img and looking for the file GULY modified
01:21:20 - Running STRACE to see what uinitrd does
01:24:20 - Running uinitrd after modifying /etc/hosts and /boot/guid
01:26:20 - Extra Content: If you had trouble with TTY, SSH is accessible via IPv6
01:30:50 - Extra Content: Running GIXY to analyze the NGINX Configuration
01:35:20 - Extra Content: Looking at uinitrd in Ghidra

HackTheBox - Unattended. Reviewed by Anonymous on August 24, 2019. Rating: 5