HackTheBox - BigBang
00:00 - Introduction
01:00 - Start of nmap
03:40 - Discovering BuddyForms on WordPress, manually discovering the version (before this we ran WPScan as well)
06:20 - Finding a blog post showing a File Disclosure vulnerability in BuddyForms; they used a Phar deserialization trick to get RCE, but this doesn't work on PHP 8
09:00 - Playing with the File Disclosure, using a PHP filter chain to prepend GIF89a to our file and show we can bypass the magic-byte check
15:20 - Finding a blog post which talks about a buffer overflow in GLIBC ICONV for PHP, which shows we can get RCE from file reads up to PHP 8.3.7
18:30 - Setting up WrapWrap, which is just a better way to prepend/append bytes, showing we do miss the end of the file when we use this technique
20:40 - Modifying the CNEXT exploit, which exploits the ICONV bug in PHP, to achieve RCE on file_get_contents
33:30 - Reverse shell returned! Using Chisel to set up a tunnel to the MySQL server, so we can dump and crack the WordPress database
39:14 - Shell as Shawking, finding Grafana and the SQLite database, downloading it and cracking the password to get another user
47:10 - Downloading the Satellite APK file, then decompiling it to discover the HTTP requests it makes to the server
50:00 - Logging into the satellite webserver
52:40 - Exploring the command endpoint
55:00 - Using pspy64 to examine what processes the webserver creates when we make requests, which helps identify potential RCE endpoints, and talking about how we know shell=True was passed due to the /bin/bash prefix
56:60 - Using a line break to get RCE on the server, making bash setuid to privesc
59:00 - Showing we could just edit the crontab since we are root, which would allow us to get RCE without having a shell on the server to begin with