01:02 - Begin of nmap
04:00 - Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. Run GoBuster on /uploads/ looking for PHP files
07:50 - Begin fuzzing Proxy Headers with wfuzz to access admin.php
12:30 - Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php
15:30 - Having BurpSuite automatically add the x-forwarded-for header to our requests
16:45 - Explaining a reason why this header exists in the first palce
19:25 - Discovering Union injection on the admin page
22:45 - Telling SQLMap to run in the background, while we manually enumerate this ourselves.
24:00 - Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database
33:30 - Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver
39:30 - Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info
48:50 - Grabbing user hashes out of the database with our injection then cracking them to discover hector's password
51:30 - Using OUTFILE in our injection to drop a php webshell to the server
58:05 - Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it
1:04:02 - Using powershell to run a command as hector with the password we cracked from the database
1:08:15 - Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services
1:14:30 - Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry
1:15:40 - Running ConvertFrom-SddlString to make sense of the registry permissions
1:21:20 - Listing services on the box, then shrinking the number by only showing ones that run as LocalSystem with a Manual startup type
1:26:00 - Shrink the list some more by only showing the services that our user has permission to startup
1:35:30 - Showing the "SC" command cannot set the BinPath of services, need to do this via registry
1:38:00 - Changing the ImagePath of the wuauserv service in the registry via PowerShell
1:41:15 - Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem