HackTheBox - iClean

00:00 - Introduction
01:00 - Start of nmap
02:00 - Taking a look at the website
04:00 - Testing the Get a Quote feature for XSS
06:30 - Weaponizing the img src XSS test by adding fetch to attempt to exfil the cookies
10:00 - Looking at the dashboard and seeing what features are available
13:00 - Discovering SSTI in the QR Code feature; basic SSTI works, but anything complex fails without evasion
18:30 - Explaining the SSTI Evasion with Jinja2/Python
25:45 - Shell returned on the machine, discovering Consuela's password in MySQL
29:45 - Consuela can run qpdf as root, looking at the man page and discovering it can attach files
