HackTheBox - OpenKeyS

00:00 - Introduction 00:31 - Begin of nmap 01:10 - Nmap shows it is BSD, going over some command differences 02:00 - Running GoBuster to find other PHP Scripts 04:30 - Looking at the includes directory and finding source code 10:14 - Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well 12:00 - Using VirusTotal to find out if this an old binary 13:20 - Using Cutter to decompile this binary, to see it does a better job than Ghidra! 17:50 - Finding some BSD Exploits related to authentication 20:00 - Putting SCHALLENGE as the username, causes a different error message. Then doing some code analysis around $_REQUEST 24:50 - Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key 26:10 - Showing how OpenBSD has some different command line switches 31:00 - Going back to the earlier CVE, since it showed a privesc aswell and explaining CVE-2019-19520 40:45 - EXTRA: Looking at the PHP Code t