HackTheBox - UpDown

00:00 - Intro
01:00 - Start of nmap
01:30 - Testing the webhook, examining the request the server makes
05:30 - Trying other URL wrappers to see how the application behaves
08:10 - Finding the .git subdirectory, running git-dumper to extract source code
10:55 - Finding and explaining the LFI vulnerability
12:10 - Attempting to use the PHP filter to extract source code, does not work, turns out there's another website
14:00 - Discovering there is a special header required to access the DEV website
16:00 - Configuring BurpSuite to add the header for us
18:15 - Explaining the LFI and why we are going to use a phar file to get code execution
22:30 - Attempting to get a shell, when executing our file we get an ERROR 500. Simplify the payload to see it works.
26:00 - Examining phpinfo to see disabled functions, and discovering system() was blocked
27:00 - Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available
29:15 - Showing off GitHub Copilot, turns out it didn't exactly give me what I wanted.
31:00 - Uploading our script to check dangerous functions and identifying we can use the proc_open() function
32:00 - Creating a script to send us a reverse shell, more GitHub Copilot finishing our code for us
35:20 - Exploring the developer home directory, finding a setuid Python binary that uses input(), exploiting to get developer user
39:30 - We can run easy_install with sudo, getting root
40:30 - Explaining the code execution without dropping a file, by using gadgets with PHP filters to create text for us