HackTheBox - BroScience

00:00 - Intro
00:51 - Start of nmap
02:30 - Finding some vulnerable-looking parameters
03:50 - Testing some basic things for LFI, finding a WAF blocking ../. Double encoding it to get past the filter
07:11 - Start of writing a script to abuse this LFI and crawl/download all the php source
10:30 - Making the script recursive, so it will check pages downloaded for new links
16:50 - Making the script save the files
19:40 - Opening the code in Visual Studio Code, and showing off Snyk's static code analysis to highlight an unserialization vuln
22:20 - Identifying how the site generates activation codes upon registration, revealing an insecure use of SRAND(). Generating our own activation code
25:30 - Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file
27:45 - Building a deserialization object to download a file off our server and write it to the web directory
32:08 - EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack
35:00 - EDIT: Poisoning our PHP session with PHP code as our username, then building an object to copy that to the server so we don't need to use a remote host
41:38 - Getting a shell on the box, dumping credentials from postgres
44:55 - Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. Then cracking the passwords
51:25 - Passwords cracked, logging in as bill
55:10 - Using pspy to identify a script runs to renew certificates
57:15 - Going over the bash script and identifying a command injection vulnerability.
1:01:45 - Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems
1:06:04 - Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work
1:08:15 - Putting the payload in $(), and getting root to the box
1:10:20 - Just making sure we fully understood why our first attempts failed