00:00 - Intro
01:00 - Start of nmap
02:25 - Looking at the website, looks like there's different behavior for extensions
05:10 - Registering and logging into an account
06:30 - An unintended way to login, IDOR within the Forgot Password logic, can change usernames
09:15 - Uploading a new product, test XSS, File Upload
12:00 - Using FFUF with a raw http request to test for potential extensions
18:10 - Using SHTML to test for Server Side Inclusion SSI and leaking web.config
21:15 - Going over the web.config, pulling out sensitive things
26:30 - Decrypting the .aspx Forms Ticket and forging a new one that states we are admin
36:50 - The Admin page allows us to generate PDF's, testing for XSS
38:20 - Attempting to redirect the save to pdf function with a meta tag
42:50 - Redirecting to localhost:8000 and discovering the swagger api for encrypt/decrypt
46:00 - Creating a webform to autosubmit data and allow us to decrypt a string.
51:00 - Creating a YSOSERIAL Gadget with our ViewState and ViewStateUserKey protecting it
1:02:00 - Reverse shell returned
1:04:00 - Discovering port 8009 is open, setting up a tunnel via SSH and discovering its a different version of the website
1:07:54 - The ViewState is protected by AutoGenerate for the key, we cannot do deserialization here
1:09:20 - Checking out the Password Reset feature and we can edit the token to reveal a Padding Oracle error message
1:12:15 - Showing the command injection if we can forge tokens
1:14:05 - Using padbuster to create a token that will allow us to perform command injection
1:24:00 - ALTERNATE PRIVESC: Using JuicyPotatoNG, attempting to run it says privileged process failed to communicate with COM Server. Need to run with -s to find a suitable port
Support the originator by clicking the read the rest link below.
