HackTheBox - Tabby

00:00 - Intro 00:55 - Start of Nmap 01:25 - Taking a look at the web page 02:40 - Discovering Megahosting.HTB and adding it to /etc/hosts 04:04 - Playing with news.php and explaining the logic of LFI 08:40 - Discovering it is a file_get_contents(), which means we can skip all our "RCE Tests" as it won't execute PHP Code 11:20 - Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2 17:30 - Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml 20:20 - Using Curl to upload the JSP webshell. 23:10 - Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File 25:38 - Reverse shells having trouble running due to bad characters. 27:55 - Downloading the shell to disk, then executing it in order to avoid special characters 31:15 - Reverse shell returned and TTY fixed. Discovering an encrypted zip file that we crack with John 35:00 - Exploring the Zip file to find there's nothing really interesting 39:00 - Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash 42:00 - Running linpeas 43:00 - Discovering user is a member of LXD Group 44:42 - Building an alpine container, then uploading it to the target machine 47:45 - Uploading the alpine container and using lxc to privesc