HackTheBox - Swagshop

00:45 - Beginning of recon
01:36 - Examining the web page to find Magento, noticing the /index.php/ mod-rewrite misconfig and old copyright
04:50 - Whoops, should have done apt search magescan; either way, this package is not in Kali
05:30 - Running MageScan to scan the website
08:20 - Finding an open configuration file (app/etc/local.xml)
10:30 - Running searchsploit to identify public exploits
12:10 - Examining an exploit that will add an administrative user via SQL Injection
15:15 - Running the exploit out of the box didn't work, sending it through Burp in order to debug it
16:45 - Exploit needed to be modified to include index.php due to the mod-rewrite misconfig
19:25 - Going back to SearchSploit and using the Authenticated RCE Exploit
21:30 - Making the obvious changes to fix the exploit script
24:17 - Debugging the exploit by running it through Burp Suite, finding out we need to use a login page
29:00 - A bit more in-depth debugging by setting a breakpoint with pdb
30:30 - The regex is failing due to the page not returning anything; the URL has a time span, let's increase that
33:15 - Finally fixed this exploit! Reverse shell returned
35:30 - Noticing we can exec vim with sudo, let's privesc
37:10 - Mentioning GTFOBins, which helps find privesc paths from privileged programs
38:15 - EXTRA: Examining the PHP Object Injection RCE Exploit