HackTheBox - Magic

00:00 - Intro 00:50 - Nmap 02:40 - Starting GoBuster on the root and images 05:00 - Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap 09:00 - Creating a basic PHP Shell, then attempting to upload it 12:30 - Grabbing the magic bytes off a JPG, then prepending it to our shell 16:00 - File uploaded, hunting for an LFI and doing more SQLMap 18:20 - Turns out we don’t need the PHP Extension (.htaccess allows anything) 26:20 - Reverse Shell returned 27:50 - Grabbing the username and password out of Website Configuration 36:10 - Using VirusTotal to identify when a file was created 37:20 - Examining the .htaccess to see why we could execute code (should have a $ at the end) 39:30 - Using MsqlDump to dump the database and get a password out of it, su to the theseus user 46:00 - Found a SetUID Binary (sysinfo) then using strace to see what it does 48:00 - Using the -f argument with strace to follow forks and see the exec() calls 51:00 - Using