HackTheBox - Fingerprint

00:00 - Intro
00:54 - Start of nmap, checking websites seeing old copyrights
04:10 - Discovering the HTTP redirect on /login is pretty big, so it's likely an EAR (Execution After Redirect) vulnerability
08:15 - Discovering a LFI that enables us to read source code, chaining it with the proc directory and using wfuzz to discover additional python files
10:50 - While our wfuzz runs, testing against a login endpoint to discover an XSS in another webapp
14:30 - Going over the Python Source code
18:35 - Discovering Hibernate Query Injection (HQL) on the login page on port 8080
20:30 - Going over HQL (Hibernate) injection; using boolean injection to log in, but we need the browser fingerprint of the user
24:00 - Using our XSS to execute the fingerprint function and sending it to our server
27:50 - Logging into the application with our custom fingerprint and boolean injection, getting a JWT containing a serialized, Base64-encoded Java object
34:00 - Examining the Backups Directory and finding Java Sourcecode to the app on port 8080
42:00 - Going over the Java code we have to discover we can probably craft a deserialization payload to gain code execution
51:20 - Opening up Eclipse and building our java project which we'll use to create a deserialization gadget
1:12:40 - We can now compile our Java project; let's create the first serialized object, which tells the server we are an admin
1:16:20 - Creating the second part of the Java payload, which puts the malicious code into our username
1:24:40 - Our exploit didn't work right away; going over it again and finding some mistakes
1:31:48 - Got our reverse shell; discovering a binary, cmatch, which lets us exfil files one byte at a time
1:36:40 - Creating a python script to use cmatch to bruteforce the file one byte at a time
1:49:30 - Downloading the Java App that runs on port 8080 to see the database credentials, which can decrypt the SSH Key retrieved from cmatch
1:58:50 - Discovering a flask backup that is a new version of the Webapp on port 80 that has improved authentication
1:59:50 - Explaining the flaw of this webapp: it puts the secret after user-controlled data, which enables us to bruteforce it one byte at a time
2:01:50 - Poorly explaining bruteforcing the AES ECB secret one byte at a time
2:06:10 - Using the XSS from earlier to steal cookies, which gives us an unprivileged user on the dev app
2:09:08 - Using curl on the /profile endpoint to set a new username and show we can have the server give us a new cookie which lets us bruteforce the secret
2:16:20 - Creating a python script to bruteforce the secret the server appends to our username before encrypting
2:31:35 - Running our script to bruteforce the data
2:33:50 - Creating a new username with the secret, which will trick the server into thinking we are an admin
2:37:20 - Now that we are logged in, the server runs as root so we can just get the root ssh key
2:39:00 - Going over the HQL a little more to show we could have extracted the fingerprint