HackTheBox - Cache

00:00 - Intro 01:10 - Running NMAP and checking out the page 03:30 - Author page contains a hint to do some type Domain Brute Forcing 04:25 - The Login form won’t go to burpsuite, lets check out javascript 08:05 - Doing VirtualHost (VHOST) Bruteforcing with GoBuster to discover 12:00 - Discovering OpenEMR, running searchsploit, attempting to find the version of it 15:25 - Searchsploit doesn’t have any exploits, checking one on google to find a SQL Injection 19:00 - Discovering error based SQL Injection (XPATH) 23:10 - Manually extracting data from error based SQL Injection (XPATH) 27:25 - Using BurpSuite Intruder to aid us in running a bunch of SQL Injections, incrementing a number to get all the fields 33:08 - XPATH Injection only extracts 32 characters, we need to use SUBSTRING to extract fields longer than 32 37:40 - Logging into OpenEMR then using file upload functionality to upload a webshell 46:15 - Enumerating Memcache to discover credentials for luff