** See Pinned Comment for Root Shell.
00:00 - Introduction
01:00 - Start of nmap
03:40 - If you want to learn more about Varnish, check out Forgot
04:00 - Looking at the Git repo, discovering the infrastructure stack: HAProxy, Varnish, Flask
08:45 - Discovering Margo's password in an old commit
10:00 - Testing whether a line break in the URL bypasses HAProxy's ACL (like in Skyfall)
12:04 - Using h2csmuggler to bypass the HAProxy ACL via an HTTP/2 cleartext (h2c) upgrade
16:50 - Poisoning the cache and placing an XSS payload in the utm_source tracking parameter
23:30 - Got an admin cookie; using it to access the logs page via h2csmuggler
27:45 - Looking at the logs, which show an ECDSA key that margo uses
29:45 - Googling the URL we downloaded the logs from, discovering it's copyparty, which has a file disclosure exploit
33:00 - Having a hard time enumerating which user runs copyparty; guessing each user and finding an SSH key
36:00 - Looking at the custom LogService binary, which is an Apache Thrift service
40:30 - Creating a Go program to make an Apache Thrift request
46:50 - Creating our payload that performs the command injection. See the pinned comment if you have problems here.
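The cache-poisoning step at 16:50 relies on a reflected parameter (utm_source) that the cache does not key on. The following is an added toy model of that mechanism, not code from the video or from the target's Flask app or Varnish VCL. It assumes, for illustration only, a cache that keys on the path alone (the video does not state how the Varnish config built its hash), and it contrasts that with a cache keyed on path plus query string and with a backend that HTML-escapes the reflected value.

```python
"""Toy model of web-cache poisoning through an unkeyed, reflected query parameter.

Added illustration; not the target's Flask view or Varnish configuration.
Assumption (not stated in the video): the cache key is the request path only,
so the query string is "unkeyed" input that still shapes the cached response.
"""
import html
from urllib.parse import parse_qs, urlsplit


def reflecting_backend(url: str) -> str:
    """Constructed stand-in for a view that echoes utm_source without escaping."""
    src = parse_qs(urlsplit(url).query).get("utm_source", [""])[0]
    return f'<html><body>Welcome! <img src="/track?utm_source={src}"></body></html>'


def escaping_backend(url: str) -> str:
    """Same view, but the reflected value is HTML-escaped (the usual fix)."""
    src = parse_qs(urlsplit(url).query).get("utm_source", [""])[0]
    src = html.escape(src, quote=True)
    return f'<html><body>Welcome! <img src="/track?utm_source={src}"></body></html>'


def key_path_only(url: str) -> str:
    """Cache key that drops the query string: utm_source becomes unkeyed input."""
    return urlsplit(url).path


def key_path_and_query(url: str) -> str:
    """Cache key that includes the query string: each utm_source gets its own entry."""
    parts = urlsplit(url)
    return parts.path + "?" + parts.query


class ToyCache:
    """Minimal reverse-proxy cache: first request for a key populates it, later ones are served from it."""

    def __init__(self, origin, key_fn):
        self.origin = origin
        self.key_fn = key_fn
        self.store: dict[str, str] = {}

    def get(self, url: str) -> str:
        key = self.key_fn(url)
        if key not in self.store:
            self.store[key] = self.origin(url)
        return self.store[key]


# Constructed XSS payload; breaks out of the img src attribute.
PAYLOAD = 'x"><script>alert(document.domain)</script>'


def victim_is_poisoned(origin, key_fn) -> bool:
    """Attacker primes the cache with the payload, then a victim requests the plain URL.

    Returns True when the victim receives the attacker's script from the cache.
    """
    cache = ToyCache(origin, key_fn)
    cache.get("http://app/?utm_source=" + PAYLOAD)   # attacker's priming request
    victim_page = cache.get("http://app/")          # victim requests the plain page
    return "<script>" in victim_page


if __name__ == "__main__":
    print("path-only key, reflecting backend :", victim_is_poisoned(reflecting_backend, key_path_only))
    print("path+query key, reflecting backend:", victim_is_poisoned(reflecting_backend, key_path_and_query))
    print("path-only key, escaping backend   :", victim_is_poisoned(escaping_backend, key_path_only))
```

Only the first combination poisons the victim: the attacker's response is stored under the shared key "/" and handed to anyone who loads the page, which is how a stored payload reaches an admin session. Including the query string in the key stops the sharing, and escaping the reflection stops the XSS even if the cache is still shared; a real deployment should do both and audit every request attribute the backend reads but the cache ignores (headers, cookies, query parameters).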