HackTheBox - Pit

00:00 - Intro: the important thing about this box is recon
01:28 - Start of nmap discovering an nginx server header
04:25 - The SSL Certificate leaks an important hostname
09:50 - Running an SNMPWalk which has a bunch of important information, notably the HTML Directory
13:30 - Discovering the SeedDms51x Directory, trying to enumerate version (Failing)
22:00 - Creating a Python script to help with bruteforcing
29:30 - Script done, looking at SNMP to get other usernames
29:40 - Bruteforcing michelle's password to get in and seeing the SeedDMS version
33:30 - The SeedDMS patch used htaccess; the server is nginx, so it's still vulnerable. Uploading a shell
42:30 - Grabbing the MySQL password from the SeedDMS config and trying it against other services. Gaining access to Cockpit, which gives access to the michelle user
48:50 - SNMP is executing a program every time snmp is run; we can trick SNMP into executing our code to get root
56:20 - Start of Explaining SELinux
60:00:40 - SELinux: Using audit2why to show us why reverse shells were blocked
68:00:50 - SELinux Checking why SNMP could not read /root/root.txt
1:21:11 - Explaining more about the SNMP vectors of this box
