00:00 - Introduction
01:00 - Start of nmap
03:15 - Fuzzing the API port port 3000 with ffuf
09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use
11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling
18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js
28:45 - Taking a look at the APP.JS source code and discovering a Hash Length Extension attack
38:14 - Performing the Hash Lenght Extension attack and then using FFUF to find the length of the secret
45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box
52:45 - Discovering port 9999
58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow
1:04:00 - Creating a C Program to explain the integer overflow
1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves
1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so
1:21:00 - Creating a pattern so we can see where we write data to
1:24:22 - Creating a python script to build our payload
1:35:50 - Running into an issue, discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak)
1:46:45 - Burpsuite wasn't URL Encoded a linebreak, doing it ourselves and then getting shell
Support the originator by clicking the read the rest link below.
