Hack The Box Doctor
00:00 Intro
00:57 Start of Nmap
01:40 Poking at the website and doing Gobuster, SQLMap in the BG
07:50 Registering an account and enumerating the new features, looking for XSS
08:30 Testing if the box will click links, discovering Curl reaches back to us
11:20 Finding command injection in the URL, finding a way to execute commands with spaces
13:37 Brace expansion isn't working, but IFS allows us to bypass space being a bad character
15:30 Trying to get a reverse shell but failing due to bad characters
18:47 Using Curl to download a rev shell script and then execute it in order to avoid bad characters
22:00 Transferring to our box, so we can view the contents and attempt to crack the admin's password
29:40 Finding out we are part of the ADM Group and can read logs. Log contains a password
33:50 Checking the Splunk Version and looking for exploits
34:55 Didn't see anything in SearchSploit, googling for an exploit then getting root
38: