00:00 - Intro
02:35 - Running GoBuster to discover /music/, checking the page to try to find out what it is.
05:00 - Going to login reveals this is OpenNetAdmin version 18.1.1, searchsploit isn't updated and fails to find the correct exploit
06:00 - Showing what to do when an web exploit script gives HTML
10:30 - Finding the correct exploit script, setting it to go through burpsuite
15:30 - Failing to get a reverse shell for a bit because of bad characters (explained at end, we needed to URL Encode it).
23:30 - Reverse shell worked when doing the python one.
25:30 - Running LinPEAS
31:30 - Looking for a config file with database connection info
33:00 - Exploring the MySQL Database to get additional creds
37:40 - Running Medusa to test the passwords against users on the box to discover we can login as jimmy
38:40 - Showing of "sucrack" to brute force with "su" incase SSH Was not open
44:00 - Running find to see what files are owned by Jimmy to see some new php scripts
45:00 - Discovering a second webserver, accessing main.php lets us read an SSH Key... Digging into why, because it looks like it wants us to login (forgot the die; command)
48:10 - Lets try it the "correct" way with an SSH Tunnel and using firefox to login, going down a "magic hash (===)" rabbit hole. When we could just crack the pw.
1:01:20 - Running John to crack the SSH Key
1:08:35 - Linpeas shows Joanna can run nano with sudo
1:14:30 - GTFOBins shows a way to have nano execute commands
1:19:00 - GOING BACK: URL Encoding the the original RCE to see a standard bash revshell would work