00:00 - Introduction
01:00 - Start of nmap
03:00 - Discovering that Forgot Password lets us enumerate valid emails
04:00 - Using ffuf to enumerate subdomains via virtual host
06:55 - Discovering .git on the dev subdomain, using git-dumper to download the repo
08:20 - Discovering cached files in the .git, one of which has a credential
10:08 - Logged into Ghost, finding the version, which shows it's vulnerable to CVE-2023-40028
12:20 - Manually performing the Ghost File Disclosure exploit
15:00 - Using the public exploit script to leak the ghost config which gives us an SSH Credential
18:15 - Going over the clean_symlink.h script we can run with sudo, which is vulnerable in 3 different ways
19:40 - Showing the Command Injection vulnerability, caused by how the script did its if/then logic in bash
20:20 - Showing we can bypass the filter by pointing a symlink to another symlink
26:10 - Showing the race condition, where we can change the contents of the symlink after it checks if it is malicious