HackTheBox - Unbalanced

00:00 - Introduction 01:03 - Start of nmap 02:27 - Setting Squid up to do a portscan while we work on something else 07:00 - Poking at RSYNC and seeing we can download encrypted config backups 09:40 - Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption 14:30 - Finding the EncFS Config file, and then using John to Crack it 18:15 - Decrypting the config directory and finding a squid password and some hostnames 22:30 - Examining the new website exposed to us, configuring BurpSuite to use the squid proxy 24:00 - Showing the Intranet-Host header is changing, then accessing Squid Cache Manager to find some more ip addresses 26:15 - Using curl to view Squid Cache Information 28:25 - Finding a new IP Address for a decomissioned server. Looks like this one has a vulnerability 32:15 - Poking at the login form on the intranet-host1, looks like its vulnerable to SQL Injection 37:30 - Trying SQL Injection in the Password Field since the User was behaving weirdly.. Password behaving slightly differently 38:20 - Examining what XPATH Injection is 39:15 - Confirming it is XPATH Injection by using standard XPATH Payloads 44:10 - Using a XPATH Payload to extract the password length for a user 46:00 - Using XPATH Injection to bruteforce the password one character at a time 48:40 - Using Python to Automate the XPATH Injection to dump passwords 1:01:30 - Script near done, grabbing the password for all users 1:06:40 - Using Hydra to find one of the users had SSH Access 1:08:30 - Reading the TODO and finding pi-hole by checking arp with ip neigh 1:10:10 - Creating an SSH Port Forward to access Pi-Hole 1:13:55 - Finding Pi-Hole Exploits 1:15:00 - Using FFUF to bruteforce the Pi Hole login form 1:17:50 - Failing to use public exploits for this 1:19:45 - Finding a blog post to examine how this exploit works 1:21:45 - Using CyberChef to edit the payload for our Pi Hole exploit 1:23:55 - Manually sending the exploit and getting a shell 1:25:00 - Finding the root password in a config file, then using SU to get root