HackTheBox - Snoopy

00:00 - Introduction 01:00 - Start of nmap, discovering ssh/dns/http 02:30 - Taking a look at the website 04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled 09:40 - Identifying the website is running with PHP Enabled, then running gobuster 13:00 - Attacking the file download and discovering File Disclosure 15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent 19:30 - Automating the File Disclosure by creating a python script 24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS 30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us 34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset 39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us 42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password 50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946. 1:08:50 - sbrown can run clamscan in debug mode as root 1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052) 1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key