HackTheBox - Lantern
00:00 - Intro
01:00 - Start of nmap
06:40 - Discovering the Skipper Proxy header, discovering an SSRF CVE
08:40 - Using FFUF with this SSRF to scan local ports, discover port 5000. Using BurpSuite to add the proxy as our header and discover an internal web service
13:40 - Discovering an SQLite Injection
17:10 - Dumping the SQLite Table Schema from our injection, then grabbing data to get the password
22:20 - Showing an alternate way to get the password, decompiling a DLL to discover hardcoded credentials
28:00 - Looking at the Admin Dashboard, finding a File Disclosure vulnerability
32:00 - Manipulating a File Upload request, showing we can't just change the filename because we break the serialization, grabbing the Blazor Traffic Processor so we can edit the requests
38:40 - Creating a malicious DLL, by copying the Logs.dll obtained from file disclosure and putting a reverse shell in it, having a bunch of annoying issues
56:50 - Reverse shell returned
1:03:25 - We can run Procmon with sudo, there's an expect script running nano. Dumping the write syscall to examine the screen of nano
1:15:10 - Writing a Python script to dump the SQL database Procmon creates so we can parse the arguments to get the output
1:24:30 - Something odd happened. Apparently, if you don't filter the write syscall then you won't get any repeat data. When I solved the box, I never examined the output of a non-filtered query, so this is new to me.
1:33:30 - Rewriting the Python script in Go