HackTheBox - AdmirerToo

00:00 - Intro
01:08 - Start of nmap, discovering a webserver and filtered port
04:15 - Discovering a hostname in the 404 not found message in the mailto section
05:25 - Gobuster VHOST discovery finds the subdomain db.admirer-gallery.htb, which is running Adminer. Playing with the application and raw SQL commands
07:25 - Trying to write files with INTO OUTFILE, also testing MySQL's default secure_file_priv directory, which is the most reliable location
09:30 - Going to Google and finding this version of Adminer is vulnerable to an SSRF, but having trouble with this because the login for Adminer is different
11:45 - Intercepting the login request, finding a hardcoded password that doesn't really help us
13:00 - Installing adminer in a docker container, so we can play with the application locally which helps us understand the SSRF Exploit
15:30 - Finding a Python 3 HTTP server redirect example to use for our SSRF
17:00 - Exploiting the SSRF vulnerability, but failing to extract local files
18:10 - The CSRF token is annoying; configuring Burp Suite to replace variables in our POST automatically so we don't need to intercept manually
20:00 - Having the SSRF access localhost:4242 (the filtered port from nmap), we see the OpenTSDB application, finding an exploit
21:15 - Exploit fails, it complains about an invalid metric. Googling to find OpenTSDB API Documentation and finding an endpoint to list metrics
24:30 - Updating the exploit to use the http.stats.web.hits metric and getting RCE
29:10 - Reverse shell returned
33:40 - Finding database credentials in server.php, which are also jennifer's credentials
36:00 - Enumerating Apache configuration files, discovering one webserver runs as devel
39:20 - Discovering a PHP Object Injection vulnerability in OpenCATS, a web application running on localhost that jennifer can log in to. We can't write to the web directory, though
42:30 - Discovering devel can write to /usr/local/etc/ and fail2ban is installed, which has an RCE with whois
45:00 - Running strace on whois to discover it looks at /usr/local/etc/whois.conf
47:00 - Using phpggc to test our file write and see what the written file looks like
48:40 - Looking at an example whois configuration file
49:20 - Explaining our payload and doing some weird regex termination to get this to work
50:10 - Looking at the whois source code to see it only reads the first 512 bytes of the configuration file
52:00 - Creating the whois configuration file, which starts with ]* to terminate the regex, then puts 500 spaces to get rid of the appended data by the exploit
55:30 - Creating our payload for the fail2ban whois exploit and getting root