HackTheBox - Seal

00:00 - Intro
01:00 - Start of nmap
03:25 - Browsing to the website and doing some light fuzzing
06:10 - Adding the uri_hex (url encoder) to our wfuzz to fuzz special characters
07:55 - Taking a look at port 8080, discovering GitBucket and registering an account
09:20 - Exploring the infra repository on GitBucket, going over its Ansible scripts
12:30 - Taking a look at the Seal Market repository and discovering NGINX has mutual auth configured
14:00 - Discovering Tomcat credentials in a previous commit
15:45 - Going over an Orange Tsai SSRF Talk from 2018, showing the Tomcat SSRF when behind NGINX
17:00 - Testing the SSRF exploit to discover we can hit protected pages
18:00 - Logging into Tomcat, then showing another SSRF
19:25 - Using MSFVenom to generate a malicious WAR file to exploit Tomcat
21:00 - Reverse shell returned, uploading pspy to discover a cron running a playbook
23:00 - Going over the playbook to show how we can exploit this playbook to copy an ssh private key with a symlink
26:00 - Creating the symlink to extract the SSH Key
28:30 - SSH in with Luis, discovering we can run ansible with sudo, then creating a malicious playbook to run a reverse shell
