HackTheBox - Phoenix

00:00 - Intro
01:00 - Start of nmap
02:22 - Taking a look at the SSL Certificates and website to find blog/forum
04:57 - Running WPScan, explaining why I like aggressive scanning
09:00 - Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi)
10:45 - Running SQLMap to confirm the injection
21:00 - Examining the WordPress database structure so we can run SQLMap to dump very specific things
25:20 - Cracking WordPress credentials, only to find out we can't use any of them because of MFA
30:10 - Using our SQL injection to dump a list of activated plugins in WordPress
32:00 - Finding an exploit in the Download From Files plugin, converting it to ignore SSL Validation Errors
35:45 - Uploading a malicious phtml (php) file to get a shell on the box
41:00 - Examining how MFA is enabled on SSH/SU by looking at PAM files
42:10 - Discovering that the 10.11.12.13 network, which our host is on, can bypass MFA
45:10 - Using find to show files created between two dates
48:20 - Discovering backups are created in /backups and explaining why we cannot view other users' processes (hidepid)
48:50 - Looking in the */local/bin directories to discover an obfuscated shell script (sh.x)
51:30 - Running the script and then examining the /proc/pid directory to find the shell script unobfuscated in the cmdline
52:50 - Explaining wildcard injection
56:00 - Exploiting the wildcard injection in rsync
57:30 - Showing how we could have used the SQL injection to leak all the secrets in the MFA plugin and generate our own codes
59:10 - Looking at the MiniOrange MFA Source Code, the uninstall.php shows a lot of good information
1:03:45 - Showing how to "pretty print" or better format output in a MySQL command (using \G instead of ;)
1:06:45 - Failing to generate a QR Code that we can use google authenticator to login with
1:12:44 - Going back to the source code to find another way to generate MFA Codes
1:15:45 - Fixing our generator script to decrypt the secret, which we can paste into oathtool to get an MFA code