HackTheBox - CCTV

00:00 - Introduction 00:40 - Start of nmap 03:00 - Logging into zoneminder with default credentials, flailing around trying to find the date this version was released 10:55 - Looking into the SQL Injection, lots of weird confusion around the date this was released... should of prepared more 13:30 - Getting this into SQLMap to test the injection, discovering it finds Time Based Blind which is really slow and unreliable 16:00 - Playing with the SQL Injection to get it to turn this into Boolean Based which is much better than time based 19:50 - Getting SQLMap to exploit this with boolean using prefix and suffix 24:10 - Cracking the password 30:00 - Got marks credentials, can login now 32:30 - Forwarding port 8765 back to us and accessing the MotionEye webserver, looking at configs and getting an admin password that lets us login 37:00 - RootPath1: Looking at public exploits, finding a command injection, testing it out and getting a shell 42:00 - RootPath2: Talk to the Web Control Port directly, poison that config and get command injection. Misspeak when i say camera, mean web control port 48:30 - Intended path to sa_mark, can tcpdump, capture packets get a credential and login 58:00 - Beyond Root: Using Claude to help me turn the blind injection into boolean.