00:00 - Introduction
01:00 - Start of nmap
02:30 - Discovering Discovering the LaTeX Equation Generator Page
04:10 - Attempting to get code execution, discovering a WAF. Building a wordlist and using FFUF to identify potentially dangerous commands that aren't blocked
07:45 - Discovering lstinputlisting is not blocked, which will let us read files
10:45 - Using FFUF to bruteforce subdomains, show the automatic calibration, so you don't need to manually specify filters
13:25 - Looking for the Apache Config for the Dev subdomain, as it likely has a htpasswd file we can get a password from
15:25 - Showing the alternate path to get RCE, Bypassing the filter by encoding characters in hex with ^^
18:50 - Talking about the catcode command and a failed path at evading a filter with this, but it pointed me towards superscript
21:40 - Looking at the wikibooks latex page and seeing ^ is superscript by default, so we don't need the catcode
22:20 - Testing the bypass with a valid command to make sure it works
24:00 - Writing a file
27:35 - I failed at typing my PHP Shell, standing up my own PHP Server so I can see the error
29:30 - PHP Script is written, getting a reverse shell grabbing the htpasswd and kracking
33:30 - Copying LinPeas and disabling FAST mode, so it looks for unique processes
36:30 - Discovering a cron that is running GNUPLOT
37:50 - Looking at GNUPLOT commands and discovering it has a SYSTEM Command
42:00 - We aren't getting a reverse shell, running the command ourself to see STDERR and discovering commands are case-sensitive
43:00 - Root shell returned, just playing with GNUPLOT to show we can write to a file
Support the originator by clicking the read the rest link below.
