00:00 - Intro
01:15 - Begin of nmap
03:30 - Examining the Message, pointing out the endpoint does not need authentication
06:15 - Using FFUF to fuzz the API End Point and show importence of Content-Type
12:00 - Starting SQLMAP then manually fuzzing this application
14:30 - SQLite Boolean Injection, with CASE IF/THEN/ERROR
20:00 - SQLite Boolean Injection, Enumerating Usernames
24:00 - SQLite Boolean Injection, Start of Dumping Password
26:10 - SQLite Boolean Injeciton, Optimization chat about UNICODE and SUBSTR
29:40 - Start of coding out python script to dump the hash
41:20 - This hash looks weird... Tons of troubleshooting
45:12 - Explaining the issue, we are hitting the 140 character limit... Switching script up to do SUBSTR
51:55 - Script completed to dump hashes.
53:15 - Static source code analysis, find its vulnerable to Hash Length Extension Attack
59:50 - Using HashPumpy to perform the Hash Length Extension Attack
1:11:30 - We base64'd the signing portion wrong
1:13:30 - Now we have access to /admin, can use its API to read files and directories, showing Sched_debug and /proc/net/tcp,udp,environ to get important information
1:23:30 - Finding a RW SNMP Community string and then using snmp-shell to get code execution
1:29:00 - Generating a SSH Key then copying it slowly to the box
1:35:00 - Doing a Local Port Forward with the Debian-SNMP User
1:37:20 - Binary Exploitation with Note_Server: Going over Source and recompiling with ggdb flag
1:41:00 - Binary Exploitation: Setting up PwnTools so we can interact with the binary
1:46:40 - Binary Exploitation: Defeating ASLR by leaking an address
1:56:20 - Binary Exploitation: Leaking LibC and Getting Code Execution
2:05:30 - Binary Exploitation: Creating offset's for our remote server to get it working
3 июл 2024