00:00 - Introduction
01:00 - Start of nmap
02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django
07:50 - Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but not view the ID itself
14:00 - Accidentally deleting something important when FUZZING, always be careful of what you are doing with tools
16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into the server
23:00 - Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an old commit that has the password to decrypt backups
32:00 - Logging into the box as Tom, discovering the DoodleGrive Binary, opening it up in Ghidra
38:45 - Looking at the Sanitize_String command, to see what characters we cannot use
41:40 - Exploiting DoodleGrive via SQL Injection with the EDIT command, this is easy to exploit because SetUID's preserve environment variables
47:40 - Got root, our path is messed up which makes the shell hard to use, however fixing the path is easy
50:45 - Exploiting DoodleGrive via LOAD_EXTENSION, by dropping a library and using char() to avoid the sanitize string function
54:00 - Our SQL Extension C Code
1:02:36 - Failing to use WriteFile() guessing this is because of the size of our input, may incorrectly say buffer overflow here.
1:16:20 - Exploit DoodleGrive via Binary Exploitation! Explaining the Overflow and Format String Vulnerability we will use
1:19:30 - Creating a python script to find where the Canary exists in memory via the Format String Exploit (%i$lx)
1:23:30 - Proving this is the canary by stepping through the program in GDB use $fs_base to examing fs
1:25:30 - Finding where we can overwrite the canary with pattern create
1:27:55 - Creating a python script to exploit this binary
1:43:40 - Converting our pwntools script to use SSH so we can exploit the binary on the target
Support the originator by clicking the read the rest link below.
