HackTheBox - Travel

00:00 - Intro 00:58 - Start of recon, discovering a bunch of hostnames in a cert 04:24 - Running wpscan against blog.travel.htb 06:10 - Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo 07:45 - Using git-dumper to download the git repo 10:28 - Examining the git project to discover what it is and where its installed on the webserver 14:20 - Discovering a debug file 16:30 - Hunting for where web app accepts user input 19:10 - Getting the server to make a request back to us 21:00 - Examining what debug.php is telling us (memcache) 26:15 - Hunting around wordpress/simplepie to see how it is using memcache 33:00 - Begin of trying to poison the memcache object, talking about bypass the ip filter via hex encoding the ip 36:00 - Bypassing the file:// filter by using gopher to smuggle in a request to memcache. Using gopherus 39:15 - Explaining what gopherus is doing 41:48 - Creating a php serialized object to drop a file to the webserver 44:24 - Having gopherus generate a malicious payload then dropping a web shell to the server 47:00 - Getting a reverse shell 50:50 - Examining the MySQL database 53:45 - Discovering the wordpress backup file with additional users 56:40 - Logging in with lynik-admin and cracked password from WP backup. Finding ldaprc and viminfo 58:45 - Downloading Apache Directory Studio so we have a gui to LDAP 59:45 - Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the service 01:04:00- Using Apache Directory Studio to modify a users password 01:06:00 - Using Apache Directory Studio to add an SSH Key 01:09:10 - Using Apache Directory Studio to modify the user group to sudo, then we can sudo su to root