00:00 - Introduction
01:02 - Start of nmap and discovering NFS, which is hosting source code to the webserver
05:50 - Showing off the NFSClient Golang binary by Mubix, does not work here because NFS is Read-only
07:40 - Viewing the website for the first time, so we have an idea of what source code we are looking at
09:00 - Looking at the source code, Snyk doesn't give us anything
11:45 - Looking at database queries and finding a Mass Assignment Vulnerability
13:30 - Discovering we need to assign ourselves to Admin
14:45 - Using a line break, to bypass the check against the Key, allowing us to pass in the Role
17:48 - Showing another way to set our Role To Admin through SQL Injection in the Value
21:52 - Viewing the Administration page, discovering how the export function works
25:00 - We can place PHP Code in NICKNAME for our user, which then the export function writes to a php file which then executes
30:12 - Running LinPEAS, discovering a SetUID Binary (execute_query)
36:00 - Examining execute_query in Ghidra, discovering a File Disclosure Vulnerability
42:00 - Grabbing the SSH Key for Jack
44:27 - Jack can sudo run /opt/monitor.sh, and set the environment. We can use LD_PRELOAD to hijack dynamically compiled binaries.
50:15 - Showing the intended way by setting a proxy to CURL, allowing us to change the data the server sends and trigger an XXE
Support the originator by clicking the read the rest link below.
