00:00 - Introduction
00:50 - Start of nmap
04:00 - Running a VHOST Scan to discover CRM Subdomain
04:50 - Discovering Dolibarr is running at version 17.0.0 which is vulnerable to CVE-2023-30253
05:30 - Discovering default credentials of admin:admin work then running the exploit
07:30 - Using BurpSuite to act as a Transparent/In-Line proxy so we can proxy the exploit script without editing it, so we can understand what it does
12:45 - Manually stepping through the exploit to understand exactly what it does
19:15 - Reverse shell returned, dumping the local database
22:50 - Just trying the MySQL Password with Larissa and finding password re-use
25:20 - Discovering a SetUID Binary called Enlightenment_sys getting the version from dpkg and finding it vulnerable to CVE-2022-37706 and getting root
30:00 - BEYOND Root: Understanding how the Enlightenment_sys privesc works and doing source code analysis
35:00 - Discovering why the exploit uses /tmp///net
38:35 - Looking at how the command injection happens
40:55 - Looking at why we couldn't use www-data to exploit this binary
Support the originator by clicking the read the rest link below.