HackTheBox - Skyfall

00:00 - Introduction
01:11 - Start of nmap
03:00 - Discovering the demo subdomain, which is a Flask website
04:00 - Quickly playing with the File Download, Upload, and Rename features -- looking for low-hanging fruit, not finding any
07:00 - Playing with the URL Fetch feature looking for a good SSRF; discovering the site is likely running in Docker
09:00 - Running FFUF through our SSRF to identify ports listening on the host and inside Docker
11:30 - Talking about the two different 403s and why it's important that one is coming from Flask and the other from NGINX
15:00 - Talking about a URL parsing bug between NGINX and Python/Werkzeug: strip removes some special characters after NGINX has already done its checks, letting us bypass the denylist
18:36 - Viewing the metrics page and getting information about MinIO; discovering it is out of date and exploiting CVE-2023-28432 to get the credentials
23:00 - Downloading the MinIO Client, then interacting with the filesystem manually
26:40 - Searching all file versions on MinIO, then finding an older copy of .bashrc which contains a HashiCorp Vault API key
34:40 - Downloading and running the HashiCorp Vault binary to interact with the service
37:20 - Showing how to identify all of our privileges, then creating an OTP for SSH and logging in
40:00 - Showing how this Vault Binary works by proxying the traffic
41:20 - Showing another way to do this step by manually enumerating the API, which exposes additional endpoints, and the benefits of using a tool like Postman to manually enumerate APIs
53:22 - Shell as askyy returned; discovering we can run vault-unseal with a few flags, and that the d flag will output debug information to a file in our CWD, but we can't read it
57:30 - Using libfuse to create a virtual mount on a directory we control, using memfs to log writes to this directory, so we can read what root writes
