

In Beyond Root, I’ll look at some oddities of the file scanner. I’ll abuse it’s ability to specify a length to give myself file read as root by brute-forcing one byte at a time. This user can run a hashing program as root to look for copywritten material. With a foothold, I’ll find credentials in an old Git commit, and pivot to the next user. I’ll identify this is using ImageMagick, and abuse arbitrary object instantiation to write a webshell. As admin, I have access to new features to modify images.

I’ll find a version of the login form that hashes client-side and send the hash to get access as admin.

Intentions starts with a website where I’ll find and exploit a second order SQL injection to leak admin hashes. Htb-intentions ctf hackthebox nmap ubuntu php laravel feroxbuster image-magick sqli second-order second-order-sqli sqli-union sqli-no-spaces sqlmap sqlmap-second-order ssrf arbitrary-object-instantiation msl scheme webshell upload git capabilities brute-force python youtube file-read htb-extension htb-earlyaccess htb-nightmare
