HackTheBox - Dynstr

00:00 - Intro
01:00 - Start of nmap discovering the distribution of Ubuntu based upon SSH Headers
03:40 - Looking at the WebPage and discovering credentials
06:20 - Checking No-IP's documentation for updating Dynamic DNS Names
07:30 - Using Curl to create a dynamic DNS Name
10:10 - Testing for Command Injection
12:45 - Enumerating the bad character and explaining why we could not use periods
14:45 - Converting the IP Address to a format that won't have periods (Hex)
19:00 - Reverse Shell returned, checking out the web source
28:00 - Discovering that hosts from *.infra.dyna.htb can SSH into the box with a private key, and finding the private key in the support directory
32:15 - Using ssh-keygen to get the SSH key fingerprints to make sure the private and public keys match
35:00 - Attempting to create the DNS Record with the DNS Key that was in the web source
36:35 - Finding a second DNS Key, which can update Infra's subdomains
40:30 - SSH in as bindmgr and discover we can execute a bash script with sudo, exploiting a wildcard argument
45:35 - Testing the cron without doing anything malicious
47:55 - Creating the file --preserve=mode, which the cp command will treat as an argument letting us drop a SetUID Binary and have it owned by root
