00:00 - Introduction
00:47 - Start of nmap
02:00 - Discovering the webserver is likely running Flask
03:30 - Discovering a SSRF in the request to publish books, showing we could leak the servers IPv6 Address but its not too useful here
07:30 - Using FFUF to fuzz all open ports on localhost to discover port 5000 is open which is an API Server
11:25 - Looking at the messages endpoint, which discloses a password for dev which we can SSH With
17:10 - Discovering a git directory, searching git commits for the word prod and getting another password
19:40 - The Prod user can run a python script which is using the python git library, which has an RCE CVE. We can use the Shell Extension in the URL to execute code
Support the originator by clicking the read the rest link below.