HackTheBox - BountyHunter

00:00 - Intro
01:00 - Running nmap, doing all ports and min-rate
02:30 - Poking at the website to discover a static site
04:25 - Starting up a gobuster to do some recon in the background
05:30 - Discovering log_submit, and finding out it is vulnerable to XXE (XML Entity Injection)
08:00 - Verified it is vulnerable to XXE, attempting to extract a file
09:50 - Chaining a PHP Filter to convert files to base64, which lets us avoid bad characters and leak source
11:15 - Start of coding out a program to automate this LFI
17:45 - XXE LFI POC Done, improving it by adding the cmd module
20:50 - Reading source code of pages, getting nothing
21:35 - Finding db.php from our gobuster, leaking the source and getting a password
22:05 - Grabbing /etc/passwd in order to build a userlist to password spray
22:45 - Using CrackMapExec (cme) to perform a password spray over SSH and discovering creds
23:35 - With shell on the box we can do sudo against a python file, doing some manual code analysis
31:00 - Switching to VSCode to debug our exploit script
38:30 - Exploit file works, copy it to our target and run it to get a root shell
39:44 - Taking a step back and verifying the bad characters in our XXE