HackTheBox - Trick

00:00 - Introduction 01:00 - Start of nmap 02:30 - Poking at the DNS Server and discovering its hostname when querying itself 03:00 - Using dig to show the reverse lookup aswell, then perform a zone transfer with axfr 04:30 - Just showing dnsrecon to bruteforce a range of IP's, not really relavent to this but figured I'd show it 06:00 - Poking at the website and logging into the website 07:30 - Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string 12:15 - Using SQLMap with the login to extract files 14:20 - SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method 16:45 - Having SQLMap extract the nginx configuration and discovering another subdomain 19:10 - Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL! 21:30 - Going over the source code of the LFI to show why this was vulnerable the ../ strip was not recursive 24:00 - Using the LFI to discover the user we are running as, then extracting an SSH Key 25:30 - Showing another way to weaponize this LFI, poisoning the nginx access log 27:15 - Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI 29:40 - Shell on the box, checking Sudo then using find to see files owned by my user/group and seeing I can write fail2ban rules 36:10 - Editing iptables-multiport.conf to execute a file instead of banning a user and getting root 37:30 - Showing an alternate way to discover preprod-marketing, using a creative sub domain bruteforce with ffuf 39:45 - Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable.