00:00 - Introduction
01:07 - Start of nmap
04:00 - Discovering the application is flask based upon 404 page, showing Werkzeug source to show where the error comes from
08:30 - Noticing the cookie is odd but since input is escaped, it doesn't look that insecure
10:40 - Discovering XSS in the Report Submission form, stealing cookies to get a moderator cookie
17:20 - In the Moderator Panel, set to high priority, XSS again to get administrator
22:00 - Playing with the Report URL on the Create Report Page
31:50 - Discovering Python 3.11's urllib has a URL parsing vulnerability, CVE-2023-24329
34:11 - Getting /etc/passwd, then grabbing the source to the application and discovering FTP creds, using SSRF to interact with FTP
40:20 - Shell returned, grabbing the SQLite Database and getting a password
48:50 - Downloading the source to runner1 off the FTP Server
54:20 - Using hashcat brute force to crack the AUTH_KEY since we know all but the last 4 characters
56:30 - Discovering Suricata is running, looking at logs to get the credential lopez uses to log in to FTP
1:04:30 - Playing with Runner2, figuring out the JSON it wants
1:09:40 - Exploiting the command injection because it's using system() when installing a role
1:13:20 - Getting code execution another way! Using an ansible vulnerability CVE-2023-5115
1:22:20 - A completely unintended exploit, using the Selenium Grid container
1:24:20 - Escaping the Firefox process/Kiosk by having PDFs open Bash
1:26:20 - We are root on the container, low privilege on the host - In this scenario we can privesc on the host by sharing the disk from the container.