HackTheBox - BigBang

00:00 - Introduction
01:00 - Start of nmap
03:40 - Discovering BuddyForms on WordPress and manually identifying the plugin version (before this we ran WPScan as well)
06:20 - Finding a blog post describing a file disclosure vulnerability in BuddyForms; the author chained it with a Phar deserialization trick to get RCE, but that trick doesn't work on PHP 8
09:00 - Playing with the file disclosure, using a PHP filter chain to prepend GIF89a to the file we read, showing the magic-byte check can be fooled
15:20 - Finding a blog post about a buffer overflow in glibc iconv reachable from PHP, which shows a file read can be turned into RCE on PHP versions up to 8.3.7
18:30 - Setting up WrapWrap, which is just a cleaner way to prepend/append bytes; showing that we do lose the end of the file when we use this technique
20:40 - Modifying the CNEXT exploit, which abuses the iconv bug through PHP, so it achieves RCE via file_get_contents
33:30 - Reverse shell returned! Using Chisel to set up a tunnel to the MySQL server so we can dump and crack the WordPress database
39:14 - Shell as Shawking; finding Grafana and its SQLite database, downloading it and cracking the password to get another user
47:10 - Downloading the satellite APK file, then decompiling it to discover the HTTP requests it makes to the server
50:00 - Logging into the satellite webserver
52:40 - Exploring the command endpoint
55:00 - Using pspy64 to examine which processes the webserver spawns when we make requests, which helps identify potential RCE endpoints; discussing how the /bin/bash prefix tells us shell=true was passed
56:60 - Using a line break to get RCE on the server, then making bash setuid to escalate privileges
59:00 - Showing we could just edit the crontab since we are root, which would have given us RCE without needing a shell on the server to begin with
