00:00 - Introduction
01:00 - Start of nmap
02:45 - Discovering an exploit for Craft CMS, it doesn't work out of the box because of a typo on exploit-db looking into this exploit
06:00 - Walking through the Exploit Script
11:45 - Getting a shell on the box with the script that was on Github
14:45 - Logging into the CraftCMS Database, finding the password
17:30 - There is a backup of the database in the storage directory, which contains an old password for Matthew
22:45 - Linpeas shows us configurations for ZoneMinder, which lets us into another table of the database
25:20 - Setting a port forward so we can access ZoneMinder, then updating the password so we could login (not needed but fun to do)
29:20 - Showing an unauthenticated exploit in ZoneMinder
31:40 - The ZoneMinder user can run zoneminder scripts with sudo
33:30 - Finding a command injection in ZMUPDATE, getting shell as root
42:20 - Showing ZoneMinder lets you set the LD_PRELOAD which is another way to get root
55:50 - Showing the intended way to exploit ZoneMinder to get a shell as the ZM User, authenticated RCE
Support the originator by clicking the read the rest link below.
