00:00 - Introduction
01:00 - Start of nmap
02:10 - Finding some CVEs in FontTools, but doing more recon on the site before we dive too deep
06:30 - Enumerating that the website is Flask-based from an error message (the cookie format is another tell)
09:20 - Trying to trigger an error message that could leak information about the server, like its local path
11:30 - Taking a look at portal.variatype.htb, which shows it is PHP
13:50 - Gobuster found a .git directory; running git-dumper to get the source
15:30 - Finding a file disclosure in the PHP app because the ../ removal was not recursive
20:30 - Updating the FontTools script to put a reverse shell in, then using it to upload a PHP reverse shell to the portal
22:00 - Reverse shell returned
22:30 - Looking at the sudoers file: we can't read it, but its metadata is a treasure trove of information. Looking at timestamps and doing some filtering, getting nothing
26:30 - Using Docker to spin up a Debian image quickly, looking at the size of the default sudoers file and then comparing it to the box to see it has likely been modified
28:00 - Using find to look for files owned by steve, finding a backup script. It uses FontForge, which has a CVE. We can place a malicious archive file and get RCE
37:00 - Shell returned as steve
39:00 - Looking at the validator Python script; my first thought, symlinks, won't work because we don't own the plugin directory
41:30 - Finding a CVE within setuptools, using it to write an SSH key