HackTheBox - Carpediem

00:00 - Intro
00:55 - Nmap the box, examining server banners
02:20 - Checking out the website, doesn't seem like anything special
03:40 - Using Ffuf to perform a virtual host scan to discover other subdomains and find portal
04:50 - Discover the Motorcycle Store Portal. Trying to play with a potential LFI but deciding it may be a rabbit hole
09:30 - Stop examining the rabbit hole.
10:00 - Registering an account and noticing it goes to an API. Let's test the API out by fuzzing other functions
11:20 - Running a GoBuster on the classes directory to find more controllers for the API
12:20 - Fuzzing the Users.php file for more functions and discovering Upload
13:00 - Using OpenAI to generate an HTML upload form, so we can create an HTTP upload request
14:30 - Pasting our upload request and uploading a webshell
17:30 - Showing a SQL Injection in the Login Function that is vulnerable to Mass Assignment
19:30 - The intended route: Editing our profile to change our login_type, which is our group. Editing it to be an admin which will reveal the upload form.
23:30 - Shell on the Docker Container, looking for credentials in the web app
24:30 - Discovering Truedesk.php which has an apikey, looking online to see how to use this api key
28:30 - Searching the Truedesk code for more endpoints, finding a stats endpoint which leaks some info about a ticket
31:30 - Finding a voicemail password and instructions of connecting a soft phone. Downloading Zoiper
33:25 - Running Zoiper and connecting
37:50 - Logging in as hflaccus
39:30 - Setting up a proxy through SSH so we can connect to the DropCMS
41:00 - Running TCPDump
42:20 - Going over the Wireshark capture, finding the HTTPS connection is using an insecure SSL protocol that doesn't support PFS (perfect forward secrecy)
45:15 - Downloading the SSL Certificates and then using wireshark to decrypt the data and getting credentials to login to DropCMS
49:00 - Uploading a malicious DropCMS Module and getting a shell on this docker container
55:00 - Shell inside this Docker container
56:00 - Finding a script that runs every 45 seconds as root, after looking into this it should allow us to run code as root on the container
1:04:45 - Root on this container, we can look for breakouts!
1:07:00 - Using the unshare command to exploit a vulnerability which gives us all the capabilities!
1:07:45 - Using a fairly standard way to execute code with the SYS_ADMIN capability (abusing overlayfs and cgroups) to get root on the host
1:14:15 - Showing that we could have skipped playing with TruDesk by using nmap and discovering mongo was open without credentials
1:18:10 - Using Mongosh to interact with mongo databases