HackTheBox - Previse

00:00 - Intro
01:00 - Start of nmap
02:00 - Running GoBuster, discovering the redirects have filesizes
03:00 - Showing the Execute After Redirect (EAR) vulnerability by using BurpSuite to hit / and discovering the page
04:00 - Using grep to show us only what we want (-oP)
06:30 - Using BurpSuite to intercept the response to the request so we can disable the redirect (EAR), then using the web form to create an account (IDOR)
08:00 - Examining the website source, using grep to look for places with user input
11:30 - Testing the logs.php page for shell injection, then getting a reverse shell
13:30 - Going into the web config to get database creds, then dumping and cracking creds
19:50 - Testing local users with the passwords from the database to get m4lwhere's creds
20:25 - Checking sudo and noticing something weird: env_reset/secure_path is not there (this is configured in /etc/sudoers)
22:10 - Explaining Path Injection, then taking advantage of a script in sudo not using absolute paths
25:30 - Going back to explain things, including the weird behavior of the webserver always hanging. Maybe it was trying to send me a webshell? idk
28:00 - Fuzzing parameters of accounts.php to create accounts, but first discovering how important the Content-Type header is!
30:50 - Using wfuzz to fuzz the confirmation parameter
35:20 - Explaining how the EAR vulnerability happened in the code and how to fix it