00:00 - Introduction
01:05 - Start of nmap
03:30 - Enumerating the version of Bookstack from the HTML source; it's part of the CSS include
05:22 - Enumerating the Teampass version by looking at GitHub, discovering changelog.txt
08:45 - Looking at vulnerabilities in Teampass, finding an SQL injection on cvedetails
10:30 - Examining the SQL Bash script, having it go through Burp so we can inspect it
16:30 - Logging into Teampass and getting credentials to SSH and Bookstack
18:55 - Going back to Bookstack, looking at the SSRF Vulnerability
23:30 - Changing an SSRF in PHP to File Disclosure by using Filters
29:30 - Updating the PHP Filter Chain Oracle script and then running it to leak files
35:20 - Leaking the Google Authenticator seed and logging into SSH
38:50 - Extracting the server time from HTTP headers so we can use the MFA seed correctly
41:00 - SSH into the box, looking at sudo and seeing we can execute a binary as root
44:50 - Going over the binary in Ghidra, showing it is vulnerable to command injection if we can write to a shared memory space (shmid, shmget, shmat)
58:11 - Creating a binary that will seed random via time and then monitor and write to a shared memory space