HackTheBox - Resource
00:00 - Introduction
01:00 - Start of nmap
06:55 - Discovering LFI in the page parameter but we cannot immediately exploit it
10:00 - Discovering admin and playing with ping, deciding it's not vulnerable and moving on
15:06 - Uploading a zip file to the ticket, then using the phar wrapper with our LFI to include it
19:50 - Shell returned on the box; Python doesn't exist, so using script to fix our TTY
23:00 - Editing our session file on the box, so we can change users without having to change the database
27:50 - Obtaining the HAR file from a ticket, showing Google's web app that visualizes the file
31:50 - Examining the HAR file from the command line, which I think is easier
36:30 - Discovering old SSH CA files in msainristil's directory, checking the SSH config to see it has TrustedUserCAKeys, which lets this CA sign public keys
38:50 - Using ssh-keygen to sign a public key with the CA, specifying root as the principal, then logging in
43:00 - Discovering a bash script which uses a web API to sign certificates with another CA, creating a ticket that lets us on as support
45:55 - The host server has AuthorizedPrincipalsFile configured, explaining how this works with TrustedUserCAKeys and ssh
50:00 - Logging in as ZZINTER and discovering they can run a bash script as sudo, which has a file disclosure vulnerability due to missing quotes around a comparison
51:40 - Explaining how this works, by doing a couple of characters manually
57:50 - Creating a program in Go to dump the CA file
1:09:15 - Running the program, grabbing the CA, then creating a root key