HackTheBox - Armageddon

Video description: HackTheBox - Armageddon

00:00 - Intro
00:50 - Start of the box, showing a quick way to nmap
02:15 - Looking at web page
03:00 - Looking for Drupal Scanners
04:00 - Showing how I would fingerprint open-source apps if there was no scanner
06:30 - Using droopescan to scan the site
07:50 - Starting to use Drupalgeddon2 to get a shell
11:40 - Installing gems so DrupalGeddon works
12:15 - Drupalgeddon2 works, going from a webshell to reverse shell
16:00 - Confused about OSError: out of pty devices when improving the shell, give up eventually
17:50 - Looking for users on the box, then hunting for the Drupal configuration
21:00 - Cannot find the Drupal configuration, going to Google and asking how to change the SQL Password
22:45 - Logging into the Drupal MySQL Database then dumping the Drupal Hash but have trouble getting it to work since we don't have a TTY
29:00 - Cracking the Joomla Password, then testing the password with ssh and logging in
30:00 - Our user can install Snap Packages with sudo, so building a malicious snap
31:20 - Installing FPM which lets us build packages, building a lot of bad packages until we find one that works
36:20 - Our malicious packages aren't working, switching to a non-malicious one to test the exploit
40:16 - Having our snap attempt to grab the root flag, turns out I was just impatient before
43:43 - Moving bash to avoid system directories and setting it to setuid
45:10 - Explaining what snap is
