HackTheBox - Poison

00:56 - Start of recon, use Bootstrap XSL Script to make nmap pretty
03:10 - Looking at nmap in web browser
03:52 - Navigating to the web page, and testing all the pages.
06:25 - Testing for LFI
07:00 - Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)
08:40 - Testing for RFI (Remote File Inclusion) [not vuln]
10:00 - Code Execution via LFI + phpinfo()
14:45 - Modifying the PHP-LFI Script code to get it working
17:10 - Debugging the script to see why tmp_name couldn't be found
20:12 - Shell returned!
21:25 - Looking at pwdbackup.txt and decoding 13 times to get password.
23:37 - SSH into the box (Do not privesc right away!)
24:29 - Getting shell via Log Poisoning
26:39 - Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50)
28:47 - Begin of PrivEsc, grabbing secret.zip off
32:38 - Searching for processes running as root, find VNC
33:49 - Setting up SSH Tunnels without exiting SSH Session.
37:43 - Something weird happend... Setting up SSH Tunnels manually.
40:10 - PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password
41:40 - Decrypting the VNC Password because we can.
42:50 - Examining the log file to see why our Log Poison Failed, then doing the Log Poison