HackTheBox - CCTV

IppSec Video 7 days ago

Description

00:00 - Introduction
00:40 - Start of nmap
03:00 - Logging into zoneminder with default credentials, flailing around trying to find the date this version was released
10:55 - Looking into the SQL Injection, lots of weird confusion around the date this was released... should of prepared more
13:30 - Getting this into SQLMap to test the injection, discovering it finds Time Based Blind which is really slow and unreliable
16:00 - Playing with the SQL Injection to get it to turn this into Boolean Based which is much better than time based
19:50 - Getting SQLMap to exploit this with boolean using prefix and suffix
24:10 - Cracking the password
30:00 - Got marks credentials, can login now
32:30 - Forwarding port 8765 back to us and accessing the MotionEye webserver, looking at configs and getting an admin password that lets us login
37:00 - RootPath1: Looking at public exploits, finding a command injection, testing it out and getting a shell
42:00 - RootPath2: Talk to the Web Control Port directly, poison that config and get command injection. Misspeak when i say camera, mean web control port
48:30 - Intended path to sa_mark, can tcpdump, capture packets get a credential and login
58:00 - Beyond Root: Using Claude to help me turn the blind injection into boolean.