HackTheBox - Player2


00:00 - Intro
00:51 - Beginning of nmap
02:00 - Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver
07:00 - Testing basic SQL Injection on product.player2.htb
08:10 - Running gobuster against the product domain to find potential pages
13:00 - Running gobuster to try to enumerate subdomains
17:50 - Checking the full port scan of the box to see 8545
19:45 - Gobuster had an issue enumerating subdomains, switched to wfuzz
22:45 - Investigating Twirp, because the error message on port 8545 mentioned it
24:40 - Running gobuster to hunt for protobuf files and api endpoints
28:50 - Exploring the generated.proto file
32:00 - Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull credentials
43:50 - Using Hydra to bruteforce an http login form
47:50 - Exploring login logic to see how SESSIONS are handled after invalid logins
50:00 - Testing /api/totp now that we have a session and finding ways to generate backup codes
54:00 - Looking at the authenticated product page
56:00 - Playing with the upload form of the protobs interface
59:20 - (unintended) Hunting for the uploads/ directory and testing for potential race condition
01:03:00 - Winning the race to get a reverse shell
01:05:15 - Doing the firmware upload the intended way.
01:07:20 - Using dd to carve out the data that binwalk identified
01:09:50 - Exploring the firmware in Ghidra
01:11:50 - Testing the firmware signing by opening the ELF in a hex editor and changing a byte near the beginning of the file, then the end of the binary
01:15:10 - Editing the string passed to the system() call to test for RCE
01:19:30 - Changing our ping command into a reverse shell
01:27:00 - Reverse shell returned, but checking how much of this ELF we corrupted by overflowing the string
01:35:00 - Checking the MySQL Database for creds
01:41:50 - Running pspy to see some hidden crons
01:44:40 - Running chisel to forward the MQTT Port back to our box
01:51:10 - Using mosquitto_sub to subscribe to a topic and get messages
01:53:40 - Subscribing to $SYS/# and seeing an SSH Key broadcast to it
01:54:40 - Replacing the SSH key on the box, which root reads and broadcasts, and using this to get shadow and root.txt

Reviewed by Anonymous on June 27, 2020