HackTheBox - Vessel [FIXED]

Sorry, I accidentally cut out a piece in the middle.

00:00 - Introduction talking about how this box is about finding CVEs and building an exploit based upon exploit
00:50 - Start of nmap
03:00 - Running gobuster and showing the importance of using multiple wordlists.
05:00 - Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404
06:10 - Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD
08:25 - Running Git-Dumper to extract the source then looking at the code
09:00 - Showing the vulnerable code and how secure the code appears at first glance without knowing specifics about the library
10:00 - Googling MySQLJS Sql Injection and showing how you would have found this exploit
11:30 - Showing how you could have found it blindly, passing an object into the SQL Query and doing SQL Injection on NodeJS with MySQL
19:00 - Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and writeup for the vulnerability
22:30 - Showing the piece missing from the writeup that tells us how we can retrieve the cache file that can be used to reset a password
24:40 - Going over the code, and figuring out how the filename is generated.
28:30 - FIXED PART, sorry, cut out a piece on how I traced the function back to how it generates the filename
31:29 - Resetting the admin account from the exposed cache file
35:39 - Exploiting the Mass Assignment Vulnerability to write to a configuration file, to increase log verbosity, file name of log, and then poisoning the log
46:09 - Reverse shell returned
48:39 - Downloading a custom password generator that appears to be a compiled python executable.
51:24 - Running pyinstxtractor to extract the pyc files out of the exe and then using Docker to match the Python version, which will allow uncompyle to convert pyc to py files
56:19 - Starting the docker and copying our password generator into it
57:29 - Showing the vulnerable password generation function; it is just using the millisecond as a seed
57:49 - Building a script to generate all possible passwords, turns out it fails because Windows and Linux randomization is different
1:00:29 - Running pdf2john to generate a hash for the pdf file
1:02:19 - Running the script on Windows to generate different passwords, then cracking ethan's password with john
1:05:39 - Looking at SetUID Files, finding PINNS from CRI-O which is a binary related to Kubernetes
1:07:39 - There's no man page for the PINNS binary, so looking at the source code to change the kernel parameter for core dumps
1:11:00 - Creating an exploit script, poisoning the core dump parameter, and generating a dump to execute our script and getting root
