HackTheBox - Topology

00:00 - Introduction 01:00 - Start of nmap 02:30 - Discovering Discovering the LaTeX Equation Generator Page 04:10 - Attempting to get code execution, discovering a WAF. Building a wordlist and using FFUF to identify potentially dangerous commands that aren't blocked 07:45 - Discovering lstinputlisting is not blocked, which will let us read files 10:45 - Using FFUF to bruteforce subdomains, show the automatic calibration, so you don't need to manually specify filters 13:25 - Looking for the Apache Config for the Dev subdomain, as it likely has a htpasswd file we can get a password from 15:25 - Showing the alternate path to get RCE, Bypassing the filter by encoding characters in hex with ^^ 18:50 - Talking about the catcode command and a failed path at evading a filter with this, but it pointed me towards superscript 21:40 - Looking at the wikibooks latex page and seeing ^ is superscript by default, so we don't need the catcode 22:20 - Testing the bypass with a valid c