HackTheBox - Trick

00:00 - Introduction
01:00 - Start of nmap
02:30 - Poking at the DNS Server and discovering its hostname when querying itself
03:00 - Using dig to show the reverse lookup aswell, then perform a zone transfer with axfr
04:30 - Just showing dnsrecon to bruteforce a range of IP's, not really relavent to this but figured I'd show it
06:00 - Poking at the website and logging into the website
07:30 - Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string
12:15 - Using SQLMap with the login to extract files
14:20 - SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method
16:45 - Having SQLMap extract the nginx configuration and discovering another subdomain
19:10 - Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL!
21:30 - Going over the source code of the LFI to show why this was vulnerable the ../ strip was not recursive
24:00 - Using the LFI to discover the user we are running as, then extracting an SSH Key
25:30 - Showing another way to weaponize this LFI, poisoning the nginx access log
27:15 - Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI
29:40 - Shell on the box, checking Sudo then using find to see files owned by my user/group and seeing I can write fail2ban rules
36:10 - Editing iptables-multiport.conf to execute a file instead of banning a user and getting root
37:30 - Showing an alternate way to discover preprod-marketing, using a creative sub domain bruteforce with ffuf
39:45 - Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable.