00:55 - Start of recon
02:30 - Running GoBuster to discover the /monitoring directory
03:50 - Running hydra to try to brute force the HTTP Authentication (Does not work due to it being a secure password)
05:20 - Bypassing the AUTH Request by changing to a POST — Explain why this works later
06:30 - Looking at the Centreon Changelog to look for any exploits
08:10 - There aren’t any unauthenticated exploited, lets brute force a login. The main way uses a CSRF Token.
08:50 - Bypassing the CSRF by using the Centreon API
12:00 - Using wfuzz to brute force the API Login and get admin:Password1
14:15 - Changing the Monitoring Engine Binary under Configure Pollers to get code execution
16:15 - Trying to ping ourselves, find out we can’t use space
17:10 - Using IFS to instead of space
20:11 - Ping worked, trying to do a Reverse Shell
23:50 - The reverse shell didn’t work lets do some debugging
25:55 - Adding a semicolon at the end of the script and getting a reverse shell
26:20 - Reverse shell returned, lets build a proper TTY with ROWS and COLUMNS so we can do things like vi
30:20 - Searching for files between two dates
33:00 - Discovering backup which is a PYC File, using uncompyle to decompile it
34:55 - Getting Shelby’s password out of the backup script
35:45 - Using LinPEAS instead of LinEnum to look for privescs
43:10 - Exploiting Screen-4.5.0 to get root
## Extra
46:30 - Static Code Analysis tip, looking for dangerous functions
