HackTheBox - Hospital

IppSec

00:00 Introduction
01:00 Start of nmap
03:00 Analyzing the TTL to see that the Linux host is likely a virtual machine. Docker is also not at play, since the TTL was decremented
07:00 Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 Uploading a PHP shell, discovering there are disabled functions blocking system
17:15 Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 Reverse shell returned on the Linux host
26:00 uname shows a really old kernel, then using CVE-2024-1086, a netfilter exploit affecting kernels 5.14 to 6.6, to get root, then cracking the hash to get drwilliams' password
29:20 Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 Logging into Roundcube, discovering an email that indicates that drwilliams runs Ghostscript with EPS files, looking for an exploit
36:00 Building a malicious EPS file with a PowerShell reverse shell
43:40 PRIVESC 1: Uploading a shell in XAMPP and getting SYSTEM
52:30 PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 While we are waiting for keys to be typed, let's inject a reverse VNC server so we can watch the screen
1:10:08 PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password

posted by naskeri6u