HackTheBox - RedPanda

00:00 - Introduction
00:55 - Start of nmap
01:58 - Poking at the web page, examining the request, playing with server headers
02:25 - Discovering an error message, googling it and finding out it is tied to Spring Boot
03:45 - Start of ffuf, using a raw request file so we can feed ffuf a saved request the same way we can with sqlmap
04:45 - Going over the results of ffuf
05:40 - Matching all status codes in ffuf, which is very important, and going over the special characters
08:15 - The curly braces return 500 in ffuf, a big indication it is going to be SSTI
09:20 - Using HackTricks to get a Spring Framework SSTI payload and getting command execution
13:05 - Using curl to download a shell script and then execute it, because we are having trouble getting a reverse shell
15:30 - Going back to show the Match Regex feature of ffuf to search for banned characters
17:00 - Searching the file system for files owned by the logs group, discovering redpanda.log. Using a recursive grep to find out what uses this file
19:50 - Examining the Credit Score java application and seeing what it does with the RedPanda.log file
22:00 - Discovering the Credit Score application gets the Artist variable from the EXIF data of an image
24:10 - Using the Artist value, the Credit Score application opens an XML file and writes to it. This is like a second-order XXE injection
25:50 - Downloading an image so we can change its EXIF metadata
27:30 - Using ExifTool to modify the Artist tag
29:30 - Building the malicious XML File
33:20 - Putting a malicious entry in the log, waiting for the cron job to run and then checking whether we got root's key
35:15 - Showing why our user had the logs group. On boot the service was started with sudo and assigned us that group