HackTheBox - EarlyAccess

00:00 - Intro
01:05 - Start of nmap, adding earlyaccess.htb to the hostfile
05:20 - Registering an account to see what features are enabled to regular users
06:20 - Discovering that bad characters in the username are only checked upon registration, not when changing it from the profile page
11:50 - Testing the Contact Forms for XSS by sending a message to ourselves
12:10 - Using document.location JavaScript to steal cookies
17:05 - Taking the administrator's cookie and discovering some new hosts/functionality/key validation script
20:07 - Going over the key validation script
23:55 - Breaking the first part of the key, which is a simple bit shift and XOR, to get KEY01
30:05 - Breaking the second part of the key, which involves calculating every permutation of when two strings equal each other
34:20 - Showing the lazy way to do the second part, since we never actually need to know every combination
36:15 - Breaking the third part of the key, which has a rotating magic. Discovering the keyspace for magic is only 60
38:50 - Coding the third part to display valid keys for all 60 combinations
43:30 - Breaking G4, which is just a simple XOR
47:00 - Talking about how the checksum works and how it is similar to the Luhn check
48:50 - Putting everything together and building a key generator to give us 60 keys
58:50 - Allowing our script to attempt to register keys on our behalf
1:11:30 - Debugging issues in our script
1:18:40 - The issue with our script: we copied the checksum incorrectly
1:22:50 - Logging in to play the game and talking about forging scores
1:24:20 - Playing with Second Order SQL Injection with our username and scoreboard
1:26:08 - Extracting table information from information_schema with our union sql injection
1:31:50 - Extracting hashes from the database, then cracking them to get the administrator's password
1:36:10 - Logging into developer admin panel
1:39:00 - Fuzzing file.php to discover hidden parameters, finding filepath, which can be used to extract source code via LFI and PHP filters
1:42:30 - Reading the source code of hash.php to discover we can execute code if we pass a debug parameter
1:45:45 - Reverse shell returned
1:48:00 - Switching to the www-adm user, which has the .wgetrc file and can access the API
1:49:10 - Downloading a statically compiled nmap so we can find the API host
1:53:00 - Using python to print the ip address of the box
1:55:40 - Parsing the check_db output to get database credentials, which can be used to SSH into the box
2:00:00 - Going over linpeas output
2:06:00 - Reading the mail to drew, to discover the gameserver will reboot upon crashing. Using static nmap to find the gameserver
2:08:45 - Setting up the SSH Port Forward so we can access the gameserver
2:10:20 - Creating a script that will execute upon the gameserver restarting to gain root on the Docker container
2:16:50 - Crashing the gameserver by setting the rounds to -1, and getting the root password for the Docker container, which is also game-adm's password
2:20:25 - Abusing the capabilities set on arp to read files on the box