00:00 - Introduction
00:50 - Start of nmap
02:45 - Using FFUF to fuzz for virtual hosts (sub domains)
05:00 - Discovering the LMS Sub Domain which hosts Chamilo, talking about enumerating versions of opensource applications
07:00 - Start of talking about pulling MD5's of every file in a .git, so we can see when a file got introduced
11:15 - The bash one-liner for searching git for an MD5 is done, looking at when the date of commit was.
12:30 - Turning our one-liner into a bash function then putting it in BashRC
15:30 - Hunting for an exploit, finding python script to see how it works. Just using curl to upload the file to make sure we understand what the python script is doing
18:25 - Shell returned, looking for the configuration, finding a user has the same password as the database password
23:15 - The MTZ User can run a bash script with sudo, looking at it and discovering it is vulnerable to symlinks
24:30 - Creating a symlink to sudoers, running sudo to give us write access, then allowing us to run sudo all
27:30 - Showing that we cannot replace SetUID Binaries because the SetUID permission gets removed when being written to by non-file owner
29:30 - Showing that cron will refuse to run tasks if the permissions are too open, modifying cron to allow us write then removing our access to get rce
33:40 - Showing we cannot edit symlinks if we cannot go into the directory the target file exists
Support the originator by clicking the read the rest link below.
