HackThebox - Dynstr

00:00 - Intro 01:00 - Start of nmap discovering the distribution of Ubuntu based upon SSH Headers 03:40 - Looking at the WebPage and discovering credentials 06:20 - Checking No-IP's documentation for updating Dynamic DNS Names 07:30 - Using Curl to create a dynamic DNS Name 10:10 - Testing for Command Injection 12:45 - Enumerating the bad character and explaining why we could not use periods 14:45 - Converting the IP Address to a format that won't have periods (Hex) 19:00 - Reverse Shell returned, checking out the web source 28:00 - Discovering hosts from *.infra.dyna.htb can ssh into the box if there is a private key and finding the private key in the support directory 32:15 - Using SSH-Keygen to get the SSH Keys fingerprints to make sure private and public key match 35:00 - Attempting to create the DNS Record with the DNS Key that was in the web source 36:35 - Finding a second DNS Key, which can update Infra's subdomains 40:30 - SSH in as bindmgr and discover we can execute a bash script with sudo, exploiting a wild card argument 45:35 - Testing the cron without doing anything malicious 47:55 - Creating the file --preserve=mode, which the cp command will treat as an argument letting us drop a SetUID Binary and have it owned by root