UHC - Altered

00:00 - Intro
00:55 - Start of nmap
01:35 - Enumerating the web page, finding a way to validate potential users
02:50 - Examining the data the website stores in our browser
05:20 - Attempting type juggling, finding out it's not vulnerable
06:20 - Before we WFUZZ, just playing with PHP to see how it handles numbers.
08:15 - Running WFUZZ with the range payload to brute-force all possible PIN codes, finding out we get blocked.
10:15 - Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR header
12:15 - Using WFUZZ with two wordlists in zip mode, so we can fuzz the PIN codes and change the IP address at the same time to bypass the rate limit (FUZ2Z)
17:30 - Logged into the application, discovering the secret parameter which prevents us from tampering with the request
19:45 - Doing type juggling to bypass the tamper detection and finding SQL Injection
20:15 - Extracting information out of the database with union injections with group_concat and concat
26:40 - Nothing interesting in the database, dropping a webshell but first we have to view the nginx config to find where the website is
30:30 - Using the INTO OUTFILE command to write a shell to /srv/altered/public/
33:55 - Reverse shell returned
35:15 - Explaining some basics around dirty pipe and why people use /etc/passwd
38:50 - Using the DirtyPipe exploit that resets root's password to aaron
39:50 - In order to use the "su" command, we need to beat wordle with a custom dictionary... Failing to play wordle
42:50 - Using a DirtyPipe exploit to overwrite a SetUID Binary, which bypasses our wordle game
45:10 - Extra: Revisiting wordle, but now we have the dictionary it uses, so we can cheat and win the game
49:30 - Extra: Fumbling around in the source code, learning some things but failing to enforce authentication on the GetProfile Endpoint.
