00:00 - Introduction
01:00 - Start of nmap
02:15 - Registering an account and discovering the chat, examining the source and seeing a database Solidity contract
04:45 - Testing for XSS, discovering it within the username
06:00 - The /api/info page exposes the JWT, which lets us exfiltrate it even if HttpOnly is set
07:10 - Using Feroxbuster to enumerate the API with different HTTP methods
10:00 - Discovering XSS in the Report feature and getting a hit from the admin, then creating a JS payload to exfiltrate the admin's token
16:00 - We are now the admin, who has access to a new endpoint that interacts with the blockchain via the JSON-RPC API; playing with its endpoints
19:00 - Playing with eth_getAccount
19:30 - Playing with eth_getBlockByNumber, then viewing information on the chain. Enumerating all blocks starts revealing credentials
25:30 - Shell on the box as Keira, who can run forge as Paul, which we can exploit two ways
26:15 - Exploiting forge with PATH injection, since the sudo rule does not set env_reset
29:10 - Exploiting forge with the build flag, which has a command injection
31:00 - Paul can run pacman as root, which we can exploit a few ways. First, we create a hook on any package operation that runs a command
35:40 - We could also just build a package that drops a new file, creating a malicious cron job
40:30 - Creating a package that just runs a command