HackTheBox - Trick

00:00 - Introduction
01:00 - Start of nmap
02:30 - Poking at the DNS Server and discovering its hostname when querying itself
03:00 - Using dig to show the reverse lookup as well, then perform a zone transfer with axfr
04:30 - Just showing dnsrecon to bruteforce a range of IPs, not really relevant to this but figured I'd show it
06:00 - Poking at the website and logging into the website
07:30 - Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string
12:15 - Using SQLMap with the login to extract files
14:20 - SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method
16:45 - Having SQLMap extract the nginx configuration and discovering another subdomain
19:10 - Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL!
21:30 - Going over the source code of the LFI to show why this was vulnerable: the ../ strip was not recursive
24:00 - Using the LFI to discover the user we are running as, then extracting an SSH Key
25:30 - Showing another way to weaponize this LFI, poisoning the nginx access log
27:15 - Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI
29:40 - Shell on the box, checking sudo, then using find to see files owned by my user/group and seeing I can write fail2ban rules
36:10 - Editing iptables-multiport.conf to execute a file instead of banning a user and getting root
37:30 - Showing an alternate way to discover preprod-marketing, using a creative subdomain bruteforce with ffuf
39:45 - Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable.