HackTheBox - Compromised

Published: 23 January 2021
on channel: IppSec

00:00 - Intro
01:30 - Start of nmap, discover web and SSH. Discover LiteCart, fail to find a way to identify the version
03:10 - Running GoBuster to find the backup directory
05:20 - Examining the tar archive
06:30 - Talking about Unix time being 32-bit timestamps, but tar did not keep the entire timestamp
09:10 - Using find with printf to sort files by modified time
10:30 - Discovering the admin/login.php file was modified to drop the credentials to disk
11:50 - Logging into LiteCart as admin
13:20 - Finding exploits on searchsploit, then manually running through the exploit because it's Python 2 with some annoying libraries
17:20 - Uploading our PHP shell, but it doesn't work; checking for PHP disabled functions by using a simple PHP file. Then doing phpinfo() to see other functions
20:50 - Running through Chankro even though it won't work.
23:50 - Uploading large binary files in Burp Suite by pasting base64 and decoding it within Burp Suite
25:33 - Chankro won't work due to putenv being disabled. Looks like there's a PHP 7.0 - 7.4 bypass. Trying this!
28:15 - Attempting a reverse shell but it doesn't work. Viewing iptables configuration
29:45 - Using my Forward Shell script to get a TTY on the box
34:00 - Again, talking about 32-bit timestamps to find files that were put into /lib/ not by apt
36:30 - Discovering the PAM Backdoor (pam_unix.so), then reversing it to get a skeleton password
43:30 - BOX COMPLETED. Doing USER/ROOT a different way
45:00 - Generating a Weevely reverse shell which will let us do more things in PHP
47:00 - Discovering MySQL has a bash shell
49:30 - Discovering that MySQL has a UDF (User Defined Function) that allows for code execution
53:30 - Dropping an SSH key, then seeing a strace-log.dat file which acts as a keylogger on Linux. Also, the 32-bit timestamp sticks out
1:00:15 - Discovering an LD_PRELOAD rootkit (libdate.so), reversing it to see a hidden privesc
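The timestamp trick that recurs through the video (09:10, 34:00 and 53:30) is to sort files by modification time with find -printf and look for mtimes that have no sub-second part: files laid down by apt keep the nanosecond mtime from the package, while a file restored from a tar archive that stored whole seconds, or touched to a round time, ends in .0000000000 and stands out. The script below is an added example written for this page, not IppSec's Forward Shell or any script from the video; it assumes GNU find (for -printf '%T@') and awk, and the file names used in the usage line are illustrative.

```shell
#!/bin/sh
# Added example: triage a directory by mtime and flag whole-second mtimes.
# Assumes GNU findutils (-printf '%T@' prints "epoch.fraction").

# Print every regular file under $1 as "epoch.fraction path", oldest first.
list_by_mtime() {
    find "$1" -type f -printf '%T@ %p\n' | sort -n
}

# Print only the paths whose mtime fraction is all zeros, i.e. files that
# most likely did not arrive via the package manager (tar extraction,
# manual copy, or a deliberate touch to a round timestamp).
find_whole_second_mtimes() {
    list_by_mtime "$1" | awk '$1 ~ /\.0+$/ { sub(/^[^ ]+ /, ""); print }'
}

# Usage: ./mtime_triage.sh /lib   (run directly; not executed when sourced)
if [ "$#" -eq 1 ]; then
    find_whole_second_mtimes "$1"
fi
```

Run it against /lib or /usr/lib on a suspect host and compare the flagged paths with what dpkg -S says owns them; a shared object with a round mtime that dpkg does not know about is exactly the pattern the backdoored pam_unix.so and libdate.so show in the video.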