HackTheBox - Bitlab


01:05 - Beginning of recon
01:58 - Taking a look at the webserver and seeing a GitLab sign-in page
02:53 - Using wget and exiftool to check metadata on files on the server to see when stuff was uploaded
04:00 - Running gobuster, explaining why we need the Wildcard flag on this box for this tool to work
05:50 - Finding the /help directory which has some JavaScript that contains the password to GitLab
10:28 - Logging into GitLab with creds from the bookmark.html
11:11 - Showing how to run gobuster with a cookie (gets past the wildcard issue from earlier in the video)
13:20 - Looking at snippets to see a PostgreSQL password
14:10 - Looking at Git Commit History of various files to see there's a post hook to upload merges to a webserver
16:10 - Creating a New Branch on Profile, adding a webshell, then merging it to trigger it to be uploaded to the server
19:10 - CMD PHP Shell is on the server, let's get a reverse shell.
20:05 - Reverse shell returned, setting up a proper pty with rows and cols
21:20 - Checking sudo to see we can do a git pull as root, and explaining git hooks
22:50 - Copying the git repo to a different directory so we take ownership of every file
23:20 - Creating a post-merge script that gives us a shell, then running sudo git pull to execute it as root
25:40 - Explaining why the copied directory still pulled the new version from the website
26:50 - Getting Postgres creds
27:30 - Creating a PHP script to dump the Postgres database
31:07 - Clave's password was in the database, logging in as that user
32:00 - Initial analysis of the RemoteConnection.exe file (strings)
35:10 - Looking at the file in Ghidra
39:30 - Let's just do some dynamic analysis with x32dbg, switching over to Windows
41:00 - Setting breakpoints around interesting strings and running the program
43:00 - Stepping through the program and seeing a password on the stack
48:20 - Using this credential to SSH into the box

Reviewed by Unknown on January 11, 2020