HackTheBox - AI

01:05 - Beginning of Recon
01:50 - Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files.
03:45 - Playing with the File Upload, failing to identify how uploaded files are stored
05:20 - Investigating PHP Files that GoBuster found, discovering intelligence.php
06:30 - Searching for Text to Speech programs (create WAV Files)
08:50 - The first program didn't do a good job saving WAV Files, Downloading Festival
09:17 - Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides)
11:05 - Using text2wave to create wav files and upload them, then discover a SQL Injection over voice
14:04 - Having trouble getting the voice recognition to recognize the word union. Using "intelligence.php" to discover alternative words.
19:10 - Extracting the username and password out of the database, then logging in via SSH
21:00 - Investigating how the file upload script works, turns out to be a dead end
23:40 - Running linPEAS to check other privesc paths (see JDWP)
26:50 - Enumerating the local MySQL Database to get other credentials
28:00 - Starting to investigate the Tomcat ports (8000, 8009, and 8080)
29:00 - Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat
30:20 - Doing SSH Tunnels from within an SSH Session (~C) to forward port 8000 without reconnecting to SSH
32:10 - Manually using JDB to execute a command via java.lang.Runtime
42:30 - Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier

Reviewed by Anonymous on January 25, 2020 Rating: 5