HackTheBox - Forge

00:00 - Intro
01:00 - Running nmap, finding a filtered port along with some open ones
03:30 - Running GoBuster to always have something running in the background
05:00 - Playing with the Upload Form
07:20 - Playing with the Upload from URL to see what library connects back to us (SSRF)
09:30 - The Upload From URL has a blacklisted address, playing with it to discover what is blacklisted
10:55 - Bypassing the URL Blacklist in the SSRF by changing the case of words
11:45 - Running a virtualhost bruteforce within gobuster to discover vhost
13:10 - Bypassing the URL Blacklist in the SSRF by creating a webserver that will send a redirect
16:50 - Using the SSRF to download admin.forge.htb and discovering ftp creds and another SSRF
18:20 - Using the SSRF to use FTP
19:20 - Encoding the IP Address as hex to bypass a blacklist
22:10 - Explaining why specifying a directory over FTP through the SSRF needs a trailing slash
23:10 - Downloading id_rsa and then logging into the machine
24:10 - The user can sudo run a python script, which stands up a debugger on a random port
26:13 - Doing a nested tmux so we can run the python script and then use netcat to connect
28:50 - Getting root
30:55 - Explaining how to harden the blacklist to prevent the easy bypassing
34:30 - Looking at how admin.forge.htb added FTP Support
36:50 - Thinking there's an RCE but there isn't; shlex is a good filter
44:30 - Getting frustrated, let's break this down and see what's stopping our RCE
45:40 - Playing with Shlex to discover it is what prevents the RCE
