HackTheBox - Health

00:00 - Intro
01:00 - Start of nmap
02:50 - Taking a look at the website
03:30 - Testing the webhook to see if the app will send us information about a web page
04:20 - Trying to access port 3000, getting blocked by a filter when trying 127.0.0.1 and 0x7f000001
06:20 - Playing with the webhook to see if it will send us the entire page
07:10 - Having our webserver redirect to localhost to see if this bypasses the filter, and getting the web page on port 3000
10:20 - The application on port 3000 is Gogs 0.5.5, which is from 2014!
12:15 - Setting up a local instance of Gogs so we can build a payload to exploit this
15:40 - Playing with a union injection, then looking at the database to see number of columns in the user table
19:30 - Have a basic Union Injection payload, grabbing multiple fields from the SQLite Database
23:30 - Checking how the password is encoded by examining the Gogs source
26:10 - Testing out cracking our hash
30:05 - Passing our SQL Injection payload through SSRF to attack the target and get a user password
40:00 - Using pspy to see a cron job running as root that uses artisan to execute a web function
44:00 - Exploring the web source to discover the webserver uses file_get_contents on the monitored URL
46:30 - Poisoning the MySQL Database to have the monitored URL retrieve and send a file
