00:00 - Intro
00:55 - Start of Nmap
01:25 - Taking a look at the web page
02:40 - Discovering Megahosting.HTB and adding it to /etc/hosts
04:04 - Playing with news.php and explaining the logic of LFI
08:40 - Discovering it is a file_get_contents(), which means we can skip all our "RCE Tests" as it won't execute PHP Code
11:20 - Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2
17:30 - Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml
20:20 - Using Curl to upload the JSP webshell.
23:10 - Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File
25:38 - Reverse shells having trouble running due to bad characters.
27:55 - Downloading the shell to disk, then executing it in order to avoid special characters
31:15 - Reverse shell returned and TTY fixed. Discovering an encrypted zip file that we crack with John
35:00 - Exploring the Zip file to find there's nothing really interesting
39:00 - Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash
42:00 - Running linpeas
43:00 - Discovering user is a member of LXD Group
44:42 - Building an alpine container, then uploading it to the target machine
47:45 - Uploading the alpine container and using lxc to privesc