00:00 - Introduction
01:00 - Start of nmap
03:55 - Playing around with the website, booking a table and then registering an account
08:40 - Taking a look at the Save to iCalendar functionality and finding a File Disclosure vulnerability
12:15 - Finding the application source code via the /proc/self/cwd directory
14:15 - The JWT implements RSA manually using a weak exponent; showing we can factor the key with RsaCtfTool
18:40 - Showing that JWT.IO doesn't work with weak RSA keys, and showing an alternative tool
26:10 - Looking at cron jobs, finding all of the source code
28:20 - The DBMonitor cron looks like it will execute code if we create specific files in the /data/scripts directory
33:50 - Using INTO OUTFILE with our SQL injection to write files and exploit the DBMonitor cron to get a shell
41:30 - Shell returned; looking at the database, then exploiting another cron because we can write a file
45:20 - Looking at the commit history of a Mercurial (hg) repo and finding a password
49:05 - We can run hg pull as dev; showing there are multiple places we can put an hgrc file, then creating a repo with a hook that executes a script on pull
57:05 - We can run rsync as root, but the standard GTFOBins entry doesn't work
1:00:00 - Showing that the --chown flag in rsync doesn't remove setuid bits, which lets us create setuid files
1:03:00 - BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) that allow MySQL to write files
1:08:49 - Showing that chown removes setuid when changing owners, but rsync does not
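Added example for the 14:15 and 18:40 chapters, not code from the video or from the box: a self-contained walk-through of why a factorable RSA key lets you forge the JWT, and why a hand-rolled signer is needed once jwt.io refuses the key. The key is constructed (two close ~128-bit primes, so Fermat's method factors it instantly; the video used RsaCtfTool on the real key) and the signing scheme is an assumption: textbook RSA over the raw SHA-256 digest with no PKCS#1 padding, which is the kind of "manual RSA" a standard library will not verify or produce. Function names are my own.

```python
import base64
import hashlib
import json
import math

# Constructed toy key material: primes chosen deliberately close together so
# the modulus is Fermat-factorable. Stand-in for the box's weak key, not it.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough for a demo key."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    c = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(c):
        c += 2
    return c


def make_weak_key():
    """Deterministic toy key. n > 2**256, so a SHA-256 digest fits below n."""
    p = next_prime(2**128 + 1)
    q = next_prime(p + 2)            # close to p => Fermat factors n at once
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:     # keep e odd and coprime to phi
        e += 2
    return n, e, p, q


def fermat_factor(n: int):
    """n = a**2 - b**2 = (a-b)(a+b); fast when the primes are close."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1


def recover_private_exponent(e: int, p: int, q: int) -> int:
    return pow(e, -1, (p - 1) * (q - 1))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def digest_int(signing_input: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")


def forge_token(claims: dict, n: int, d: int) -> str:
    """Assumed scheme: textbook RSA over the raw digest, no PKCS#1 padding."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = pow(digest_int(signing_input), d, n)
    sig_bytes = sig.to_bytes((n.bit_length() + 7) // 8, "big")
    return f"{header}.{payload}.{b64url(sig_bytes)}"


def verify_token(token: str, n: int, e: int):
    """Verifier for the same assumed scheme; returns the claims or None."""
    try:
        header, payload, sig = token.split(".")
        s = int.from_bytes(b64url_decode(sig), "big")
        if pow(s, e, n) != digest_int(f"{header}.{payload}".encode()):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:               # bad base64, bad JSON, wrong part count
        return None


if __name__ == "__main__":
    n, e, p, q = make_weak_key()          # attacker only knows n and e
    fp, fq = fermat_factor(n)             # RsaCtfTool did this step in the video
    d = recover_private_exponent(e, fp, fq)
    token = forge_token({"user": "admin"}, n, d)
    print(token)
    print(verify_token(token, n, e))
```

With the real key you would take n and e from the public key found in the disclosed source, let RsaCtfTool recover p and q, and plug the resulting d into a signer like forge_token; jwt.io and most libraries reject short or oddly formed keys, so the signing has to be done by hand.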