00:00 - Introduction
01:00 - Start of nmap
04:20 - Discovering the website is built with Django via Wappalyzer or the 404 page
07:40 - Looking at the Subscription Page, discovering we can change the hostname of the payment processor, which is like an SSRF vulnerability
11:30 - Making a request to the Payment Processor to see how it responds, building a Flask app to mimic the behavior, changing the denied message to approved
19:00 - Had some trouble on our first account, creating a second account to upgrade our subscription
21:30 - Manipulating the QR Code to add an XSS Payload to steal the cookie
32:10 - Getting Morty's password from the Django Admin panel and cracking it, then SSH into the box
35:50 - Looking at the Harvest Binary, opening it up in Ghidra, and dumping dangerous functions with a Python script
40:10 - Cleaning up some functions in Ghidra
52:00 - Playing with the Buffer Overflow, doesn't seem to work with nc, switching to Python
1:02:30 - Writing an SSH key from the buffer overflow
1:06:40 - SSH as alex, looking at mail, cracking a zip and htpasswd file
1:12:10 - Using Docker Registry Grabber to download the docker file
1:16:30 - Looking at the Django source code, finding out it uses the pickle serializer. Creating a malicious cookie
1:29:30 - Getting a shell by creating a malicious Django (version 4) cookie
1:34:00 - Abusing cap_sys_module in the docker container to load a kernel module as root and get a shell