00:00 - Introduction
01:00 - Start of nmap
03:20 - Discovering beta.only4you.htb
03:55 - Downloading the source, scanning with Snyk and discovering a File Disclosure vuln
05:15 - Demonstrating that os.path.join in python will do unexpected things if a path begins with slash
07:30 - Failing to get /proc/self/environ, not sure why we failed here
09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the File Disclosure Vuln to leak source of main website
11:15 - Discovering a vulnerability when sending mail
12:10 - Talking about how we will bypass the bad character check, the Re.Match will only match the start, not entire string
16:10 - Getting code execution from the contact form
18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost
22:30 - Uploading Chisel so we can access ports 3000 and 8001
25:40 - Start of Neo4j Injection, discovering we are in a contains statement
30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band
32:25 - Leaking the labels, then grabbing users and hashes
38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off GOGS
40:25 - Creating a malicious python package for us to download, then uploading to gogs
44:10 - Showing that the pip download command will execute setup.py and getting root
Support the originator by clicking the read the rest link below.
