HackTheBox - Control
00:00 - Start
01:02 - Begin of nmap
04:00 - Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. Run GoBuster on /uploads/ looking for PHP files
07:50 - Begin fuzzing Proxy Headers with wfuzz to access admin.php
12:30 - Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php
15:30 - Having BurpSuite automatically add the x-forwarded-for header to our requests
16:45 - Explaining a reason why this header exists in the first place
19:25 - Discovering Union injection on the admin page
22:45 - Telling SQLMap to run in the background, while we manually enumerate this ourselves.
24:00 - Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database
33:30 - Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver
39:30 - Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info
48:50 - Grabbing user hashes out of the database with our injection then cracking them to discover hector's password
51:30 - Using OUTFILE in our injection to drop a php webshell to the server
58:05 - Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it
1:04:02 - Using powershell to run a command as hector with the password we cracked from the database
1:08:15 - Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services
1:14:30 - Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry
1:15:40 - Running ConvertFrom-SddlString to make sense of the registry permissions
1:21:20 - Listing services on the box, then shrinking the number by only showing ones that run as LocalSystem with a Manual startup type
1:26:00 - Shrink the list some more by only showing the services that our user has permission to startup
1:35:30 - Showing the "SC" command cannot set the BinPath of services, need to do this via registry
1:38:00 - Changing the ImagePath of the wuauserv service in the registry via PowerShell
1:41:15 - Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem


