HackTheBox - Nocturnal

00:00 - Introduction 00:50 - Start of nmap 02:10 - Running gobuster to find PHP Files 04:15 - Uploading a file and playing with the file upload functionality 08:00 - Playing with the username variable, discovering we can list files of other users 09:08 - Fuzzing usernames to see if any other user has uploaded files, getting an document that contains a password for amanda 13:00 - Logging in as Amanda, who has access to admin. It gives us a way to look at source code 15:22 - Looking at the sanitization function, finding a dangerous non-blocked character (new line) which gives us command injection 25:30 - Using curl to download and execute a shell 28:70 - Got a shell on the box, dump the database, crack passwords and discover Tobias's password 32:45 - Discovering an application on port 8080, using SSH to forward the port and logging into ISPConfig application 35:20 - Exploiting the ISPConfig Application with a known CVE 42:50 - Beyond Root, playing with the command injection vulnerability