00:00 - Introduction
01:00 - Start of nmap
03:20 - Enumerating the Link_Share for Directory Traversal, coming up with nothing
05:10 - Discovering XSS in the Contact Us Form
07:30 - Playing with the XSS, we keep getting extra URL Encoded data turns out its not XSS but instead the admin is clicking links
10:50 - Sending only a link, discovering they click it. Now we need to find XSS in a page so manipulate their browser. Playing with the Markdown converter
13:45 - Creating an XSS Payload that will navigate to a page and send us the page and discovering a messages page
22:30 - The page shows us there is a messages.php file, showing other ways to see this. Then finding a file disclosure vulnerability
30:00 - Downloading the HTPASSWD from our File Disclosure vulnerability, then cracking it
34:14 - SSH into the box as Albert, looking for any databases we can exfil
37:55 - Discovering there is a PHP Webserver running as root in /opt/website-monitor and we can write files to the config. Dropping a php script to get root
Support the originator by clicking the read the rest link below.
