HackTheBox - Tenet

00:00 - Intro
01:20 - Start of nmap
03:00 - Discovering wordpress, fixing our host file
04:20 - Running wpscan to enumerate wordpress via aggressive mode
06:10 - Manually enumerating wordpress users by listing blog posts by author
08:30 - Discovering Sator.php, then using GoBuster to discover hidden backups to find Sator.php.bak
11:40 - Start of looking at the php source to see its a basic deserialization challenge.
12:40 - Building the deserialization gadget to write a file
15:15 - Uh oh. Made a typo, thankfully can find it quickly and get RCE
16:24 - Going back a step and showing a proper way to troubleshoot it
18:30 - Getting a reverse shell then examining wordpress config to get some credentials
20:15 - Testing the credentials with SSH and logging in with neil
21:00 - Discovering Neil can run enableSSH.sh with sudo, which has a race condition
23:00 - Writing a bash loop to exploit the race condition
25:20 - Exploiting the race condition more elegantly by using inotify to be notified when files are created
26:00 - Googling for an example written in C
27:00 - Going over the program
30:12 - Modifying the code to write a file upon discovering create
35:10 - Think i forgot to free th pointer, so it segfaults. Writing PleaseSubscribe to prove it worked.