00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
Support the originator by clicking the read the rest link below.
