00:00 - Intro
01:00 - Start of nmap
03:45 - Discovering dev.devvortex.htb is a Joomla Page, showing JoomScan and enumerating version manually through manifests
07:00 - Looking for Joomla Exploits for version 4.2.6, discovering a way to view application config as an unauthenticated user
09:40 - Start of deep dive into the exploit, looking at commits on the day the advisory said this was patched
10:50 - Showing the fix just shows it is a mass assignment vulnerability, looking at how this works
17:10 - Showing fuzzing for arguments with ffuf would have caught this
26:18 - Logging into Joomla, then placing a shell in the Joomla Templates
32:15 - Logging into the database, cracking a hash to gain access to another user
35:30 - Taking a look at sudo discovering apport-cli, gtfobins comes up with nothing, looking at the version to discover an exploit within how it uses PAGER
Support the originator by clicking the read the rest link below.
