00:00 - Introduction
01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan
04:40 - Taking a look at the MedDigi website
07:07 - Taking a look at the Signup Request seeing AcctType
09:30 - Changing the AcctType to 2 and getting a different privilege
14:00 - VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing session from the main page on this domain to bypass login
17:52 - Discovering SSRF in the Prescriptions page
19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and upload ASPX Web Shells
25:30 - Going back to the SSRF and discovering we can use time-based queries to identify ports listening on localhost
28:30 - Using FFUF to filter by duration to show us the requests that don't take a long time
38:22 - Discovering port 8080 shows our upload location, then navigating to it and getting a shell
42:22 - Finding DLL's the webserver uses, they are dotnet so copying them to a windows box so we can use dnspy and finding a password
45:40 - Using netexec to try the password against all users, then logging in as devdoc
53:00 - Looking at the ReportManagement.exe, opening it up in Ghidra
56:50 - Using chisel to forward port 100 to our box so we can access ReportManager
59:30 - Strings shows that externalupload.dll is right next to the Libraries string
1:00:15 - Looking at imports, see CreateProcessW, then going to where the binary calls that process
1:03:30 - Doing Dynamic Analysis with ProcMon, creating all the directories/files the program wants
1:18:50 - Eventually see it looking for files in the Libraries Directory when doing the upload command
1:21:45 - When externalupload.dll exists, we can see it doing a CreateProcess call, creating a DLL that sends a reverse shell
1:26:30 - When the DLL is in the libraries and we run upload, we get a shell
Support the originator by clicking the read the rest link below.
