HackTheBox - Traverxec

IppSec
32.3K views - yesterday
01:00 - Running nmap against the box; port 80 is running a unique web server (nostromo)
03:00 - Let's check out the website before we throw any exploits
06:37 - Launching Metasploit, then exploiting Nostromo but sending the exploit through Burp Suite to see what it is doing
10:34 - Code execution worked; for some reason the proxies command didn't work the first time
11:18 - Explaining why the script does a GET request before throwing an exploit (exploit verification)
13:40 - Editing the payload to send a Bash reverse shell
15:40 - Running LinPEAS
17:20 - Running LinEnum in thorough mode
19:22 - Going over LinPEAS output
22:16 - Going over LinEnum output
23:00 - Discovering an htpasswd password, then using hashcat to crack it
26:45 - Looking at the HTTP configuration file to discover the public_www directory in home directories
27:30 - Explaining Linux permissions on directories and why we can do an ls in /home/david/public_www but not /home/david/
29:50 - Discovering an encrypted SSH key for David in public_www, downloading the file via netcat, then cracking the key with sshng2john.py and John
34:50 - SSH into the box as David
35:20 - Discovering David can sudo journalctl
37:10 - Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo
38:00 - Privesc by removing the pipe and then running !bash. Explaining why this works by tracing parent processes to see that journalctl is just executing pager, which is symlinked to less
40:50 - Comparing the directory traversal exploits (MSF and non-MSF) to see a weird bug: adding %0d bypassed the /../ whitelist check
49:30 - Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked
50:27 - Using find and grep to md5sum all the files to figure out what has changed
53:26 - Using diff to compare two files
Published yesterday, on 1403/07/08.