HackTheBox - Unicode

00:00 - Intro
01:00 - Start of nmap
02:20 - Registering and logging in and examining what a regular user can do
03:30 - Playing with the file upload capability
04:20 - Discovering there is a JWT in our HTTP Request, examining it to see it is RS256 and has a claim
07:55 - Explaining how we are going to exploit the Claim Misuse vulnerability in this JWT
09:45 - Creating a JWT Header that has a modified URL for the claim; the website says it's an invalid key but doesn't reach out to us
12:20 - Using the redirect functionality on the web page to allow us to place the website's domain in our JKU Claim
15:10 - Modifying the JWK File to place our own RSA Key and generating one with ssh-keygen and openssl
18:00 - Showing us pulling N and E out of the RSA Key
21:30 - Converting the SSH Public key into a Certificate
24:24 - Updating the JWT to change our name to admin and finding an LFI Vulnerability
27:27 - Attempting to use WFUZZ to bypass the filter
33:40 - Giving up fuzzing with wfuzz
35:10 - Explaining why I'm going to try testing for unicode normalization and what it is, grabbing a payload from HackTricks
37:10 - Exploring /proc/self/ and hunting for the location of the webapp
39:02 - Finding the python application by using the /proc/self/cwd directory, then grabbing db.yaml and getting SSH Credentials
42:20 - Discovering a TREPORT Binary, which is a compiled python file
43:45 - Discovering the TREPORT Binary uses curl, which is weird
45:20 - Discovering the TREPORT Binary will allow us to use the file wrapper if we bypass the filter
46:50 - Bypassing the space filter in the TREPORT Binary using brace expansion in bash and having curl write the flag to /tmp
49:00 - Downloading an SSH Key and allowing us to login as root
50:00 - Examining the Web Application to show the Unicode Normalization Vulnerability
56:30 - Looking at the user table, to discover admin doesn't exist
57:58 - Finding out the login form was supposed to display errors but didn't because it was missing some Jinja2 Templating Code
1:01:20 - Flailing around fixing the template to display error messages