HackTheBox - Noter

00:00 - Intro
00:57 - Start of nmap
02:40 - Registering an account
02:55 - Enumerating valid usernames based upon error message
05:30 - Using ffuf to match regex to enumerate valid usernames
07:10 - Poking at the web application trying IDOR/SSTI and failing
08:50 - Looking at the cookie given by the application and discovering it is a Flask Session Cookie
10:45 - Trying to crack the Flask Session with Hashcat. It fails because I think the payload is too long for hashcat.
16:50 - Using Flask-Unsign to crack the session
18:45 - Using flask-unsign to forge a cookie that says we are the Blue User
22:30 - Logged into the application as Blue, get the ftp_admin password
25:10 - Unzipping the source code that came from the ftp server and using diff to compare the two versions
27:50 - Failing to exploit a command injection vulnerability in the export note function
32:40 - Going deeper in the export note function to discover it uses a node library md-to-pdf which is vulnerable to RCE
43:10 - Running LinPEAS
48:20 - Start of the Raptor Exploit, we pulled a bad version so it isn't immediately going to work for us
55:20 - Running Show Variables like '%plugin%' which will tell us where we should drop the raptor_udf library file
1:00:30 - Using a different version of raptor which has a do_system_init function, this one lets us execute code