HackTheBox - Era
00:00 - Introduction
00:55 - Start of nmap
04:45 - Discovering the file subdomain
08:10 - Bruteforcing files to find login.php
11:25 - Bruteforcing IDs on the download functionality, discovering two other files
18:10 - Got creds from the database dump, logging into FTP and downloading Apache backup
23:10 - Looking at the source code, discovering some weird behavior around PHP Streams and the download functionality
26:27 - Logging in as admin with security questions
32:08 - Looking at PHP Wrappers, then using the SSH one to log in and run a command to get a shell
37:55 - Looking at files owned by the group devs, discovering a monitor binary
41:20 - Making an ELF file and uploading it, to discover it needs to be signed
45:20 - Using Docker to build the linux-elf-binary-signer program on GitHub, then signing the binary
54:10 - Showing we could have done this with just pspy and copying the text_sig because signing isn't checked properly