TryHackMe - Second (Hard) - Live Walkthrough

0:00 - Introduction
0:20 - Starting Second
2:47 - Scanning with AutoRecon.
4:38 - Exploring the web app.
5:56 - Trying some SSTI payloads on the word counter.
6:53 - Second Order SQL Injection explanation.
17:02 - Finding a Second Order SQL injection on the registration username.
18:46 - Database Variant Enumeration attempts.
25:09 - Using our user knowledge to make a valid SQL query which won't error.
26:59 - Using ORDER BY to figure out how many columns are in the query.
33:08 - Confirming our UNION injection works.
42:01 - Testing if the database is SQLite (it's not)
42:48 - Figuring out the database is MySQL.
45:47 - Database enumeration.
1:00:11 - Extracting credentials.
1:05:54 - Gaining access to the server as smokey via SSH.
1:11:17 - Finding another web app running on the server!
1:19:07 - Finding an SSTI vulnerability in the 2nd app, with an annoying WAF.
1:23:20 - Confirming the SSTI using a Jinja2 payload.
1:30:26 - Finding an SSTI payload which will bypass the WAF, fixing the error.
1:32:07 - Getting RCE and a reverse shell as hazel via the SSTI!
1:35:56 - Finding a THIRD web app. I'm in heaven.
1:38:49 - Downloading and reviewing the PHP source code.
1:46:40 - Not finding any vulnerable code or sudo rights, we run linPEAS.
1:50:12 - Finding that our hazel user can write to /etc/hosts.
1:53:13 - Checking out the /etc/hosts file and having an aha! moment.
1:59:04 - Hosting the password capturing code on my local server.
2:05:47 - Editing /etc/hosts so the dev site hostname points to my server.
2:08:03 - Capturing smokey's password and using it to log in as root!
2:11:33 - Outro