HackTheBox - Doctor

00:00 - Intro
00:57 - Start of Nmap
01:40 - Poking at the website and running Gobuster/SQLMap in the background
07:50 - Registering an account and enumerating the new features, looking for XSS
08:30 - Testing if the box will click links, discovering Curl reaches back to us
11:20 - Finding command injection in the URL, finding a way to execute commands with spaces
13:37 - Brace expansion isn’t working, but IFS allows us to bypass space being a bad character
15:30 - Trying to get a reverse shell but failing due to bad characters
18:47 - Using Curl to download a rev shell script and then execute it in order to avoid bad characters
22:00 - Transferring to our box, so we can view the contents and attempt to crack the admin’s password
29:40 - Finding out we are part of the ADM group and can read logs! Log contains a password
33:50 - Checking the Splunk version and looking for exploits
34:55 - Didn’t see anything in SearchSploit, googling for an exploit, then getting root
38: