HackTheBox - Tartarsauce
01:10 - Begin of recon
03:00 - Discovery of WordPress and fixing broken links with Burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra (Rabbit Hole)
13:05 - Back to looking at WPScan, find Gwolle Plugin is vulnerable to RFI exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming Monstra was read-only
18:50 - Running LinEnum.sh to see www-data can run tar via sudo
20:30 - Use GTFOBins to find a way to execute code with tar
22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
24:10 - Examining backuperer script
26:00 - Hunting for vulnerabilities in Backuperer
32:15 - Playing with If/Then exit codes in Bash. Turns out exit(0/1) evaluate as True, 2 is false
34:20 - Begin of exploiting the backuperer service by exploiting integrity check
36:40 - Creating our 32-bit setuid binary
39:16 - Replacing backup tar with our malicious one. (File owner of shell is wrong)
40:54 - Explaining file owners are embedded within tar, creating tar on our local box so we can have the SetUID file owned by root
42:30 - Exploiting the Backuperer service via SetUID!
45:00 - Unintended exploit: Using symlinks to read files via backuperer service


