01:45 - Begin of recon, wireshark nmap to see how it identified the hostname. The way this box is configured apache is placing the hostname when the "Host: " HTTP Header is not present.
06:00 - Starting a bunch of automated tools. Nmap all ports, and gobuster to discover VHOST (virtual hosts) and files.
09:55 - Checking dev.player.htb and identify the framework (Codiad) is being leaked in some javascript
12:25 - Checking chat.player.htb, nothing really here just hints at source code disclosure on other domains
14:05 - Checking staging.player.htb, sending an email leaks some interesting files
18:00 - Checking player.htb/launcher, entering an email leaks some other PHP Files along with a JWT Token
21:00 - Discovering backup files, showing BurpSutie Pro can do it but I had added this feature in GoBuster
21:50 - Going over exactly what I did in GoBuster to add the DiscoverBackup feature
27:35 - Using GoBuster with the new feature to discover some PHP Source that leaks the JWT Secret
32:20 - Using JWT.IO to create our forged JWT and discover a new page that proccesses Video Files
37:25 - Looking into FFMPEG Vulnerabilities to discover an LFI, using "Payload All The Things" to exploit this. Grab files Apache Config, Config files in web directories, /proc/net to see listening ports
50:00 - Trying the telegen credentials we retrieved from /var/www/backup/service_config with various services. See we can login to 6686 but are in a locked down shell
51:45 - Running searchsploit to see an XAUTH command injection that allows for reading/writing files. Failing to writefiles, but can now read .php files grab more source code to get another credential (Peter)
55:45 - Peter's creds work at dev.player.htb which allows for uploading files. Uploading a php reverse shell
1:00:40 - Reverse shell returned. Running su -s /bin/bash telegen to bypass the restricted shell
1:01:30 - Noticing the XAUTH command actually wrote a file! Going back to see why we failed to write to web directories. Trying it again but turns out quotes/spaces are bad chars which would make dropping a webshell tough.
1:04:50 - Giving up with XAUTH, running pspy64 with our SSH Shell to see a PHP File is running every minute, checking it out to see it includes a file WWW-DATA can write to and that there is a unserialize vulnerability
1:07:40 - Exploiting the unserialize() vulnerability to write an SSH Key to /root/.ssh/authorized_keys
1:13:53 - UNINTENDED METHOD: Exploiting Codiad by using the installation scripts left behind to install it to chat.player.htb
1:16:45 - Stepping through the installation script to understand the vulnerability. Upon install it writes unsanitized user input to the config.php directory
1:29:30 - Reverse shell returned as www-data!
1:30:45 - UNINTENDED METHOD 2: Performing the Authenticated Codiad RCE, stepping through it in BurpSuite to understand what the exploit does. At the very end of the video we will examine codiad source to understand the vuln.
1:36:00 - Privesc from www-data by placing a PHP Rev Shell in the file the cron script included
1:38:35 - Analyzing the Source of Codiad to see why the CRLF Exploit worked.