00:00 - Introduction
01:00 - Start of nmap
03:00 - Seeing JSESSIONID and NGINX trying the off by slash exploit to get access to /manager, doesn't work here
04:30 - Dirbusting with FFUF because the lack of 404's messed with gobuster
07:40 - Discovering the OfBiz Version, looking for exploits
09:00 - Going over the Authentication Bypass in OfBiz
12:40 - Downloading YSOSERIAL and building a Docker so we don't have to worry about Java Versions
14:30 - Building a ReverseShell Payload that works with YSOSERIAL
18:40 - Reverse shell returned! Looking at OfBiz and finding out it uses the Derby Database
22:30 - Copy the Derby Database then using IJ from Derby-Tools to dump the data
26:40 - The hash in the database is a URL Base64 Encoded, decoding it reveals it has a length of 40 which is normal for Sha1Sum. Decoding it then cracking with hashcat
Support the originator by clicking the read the rest link below.
