HackTheBox - Awkward

00:00 - Introduction
01:00 - Start of nmap
02:00 - Taking a look at the web page, finding users on the site, and using FFUF for VHost enumeration since the site talks about a store
04:25 - Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue
07:55 - Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API
11:50 - A JWT error message is displayed when accessing some API pages; removing the token bypasses authentication
13:10 - Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability
15:40 - Extracting all users from the page and then using curl to save the hashes to a file. Using CrackStation to crack the hashes and get a cred
21:20 - Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF
23:45 - Using FFUF to fuzz for all possible ports, and using a bash trick to create a wordlist from a range of numbers without creating a file
29:40 - Discovering some API Documentation on a page on port 3002
31:10 - The API all-leave page uses awk, and we can abuse this binary for file disclosure if we can poison usernames
33:40 - Using hashcat to crack our JWT
35:30 - Creating a python script to generate JWTs which allow us to exploit awk and exfil files off the server
42:00 - Python script completed, leaking some files and discovering a unique file in a user's .bashrc
48:00 - Having trouble exporting the backup file, and modifying our script to write binary files, which allows us to download the tar.gz backup
54:00 - Discovering bean's credentials in his xpad directory and logging in
56:20 - Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data
59:40 - Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without any bad characters. Having trouble getting this to work.
01:11:10 - Taking it slower, discovering our mistake and getting code execution
01:14:00 - Reverse shell as www-data. Modifying the file and trying to find out what happens
01:18:10 - Running PSPY, since it will be more thorough than our ps commands, and discovering we can inject into the mail command
01:24:30 - Got our command execution working and shell returned as root
01:25:30 - Getting shell as www-data was unintended, showing the intended way of doing this which involves the leave-request page and symlinks
01:32:00 - Cannot poison our JWT and get code execution because of bad characters
01:38:30 - There were directories chmod'd to 777 that the application wrote to. We can use symlinks here to point to other files and have the webserver write to another file
01:40:50 - Showing why we need to create a new product to place our malicious payload
01:44:00 - Reverse shell returned the intended way, and then showing that we definitely need the !, which is a bad character
01:47:40 - Extra content! Showing a more in-depth look at why removing the cookie bypassed auth, by loading the code locally and running it in VS so we can properly debug and step through it
01:49:30 - Explaining and showing why the application should have had a single authentication function so there was less duplicated code in each handler, which makes it easier to patch