HackTheBox: Trick
An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael — and a writable fail2ban action plus a passwordless sudo restart escalates to root.
Read 