UHC - LogForge

00:00 - Intro
01:04 - Start of nmap
02:30 - Discovering an Apache Tomcat error message despite the webserver being Apache
03:15 - Looking at Orange Tsai's 2018 Blackhat talk on Path Normalization
03:55 - Explaining the attack and how to bypass Apache blocking access to /manager by using /..;/ or ;name=Stuff
05:20 - Attempting to deploy a WAR File to see that path is blocked by the max upload size being 1 byte
06:55 - Testing for log4j in Tomcat, discovering a callback
07:55 - Finding a Twitter post that combines JNDI-Injection-Exploit-Kit and Ysoserial to do deserialization attacks with Log4shell/log4j
08:20 - Explaining what's different about ysoserial-modified and why it lets us do reverse shells
09:20 - Running YsoSerial-Modified to generate a CommonsCollections5 payload
11:00 - Running JNDI Injection Exploit Kit to set up the LDAP server
13:00 - Running the exploit and getting a reverse shell, then looking at port 21 since it was filtered earlier
15:30 - FTP is running as root and written in Java. Testing for Log4j!
18:15 - Using JD-GUI to examine the FTP Server source to discover credentials are stored in environment variables!
19:30 - Explaining why we are going to use Wireshark to view these environment variable leaks
20:30 - Creating a log4j payload that sends us the ftp_user environment variable, then ftp_password
24:25 - Using log4j to extract the java class path which may be helpful in creating serialized payloads
25:50 - Using log4j to extract the java version
27:00 - Using log4j to extract OS Information