Рет қаралды 28,243
00:00 - Intro
00:50 - Nmap
02:40 - Starting GoBuster on the root and images
05:00 - Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap
09:00 - Creating a basic PHP Shell, then attempting to upload it
12:30 - Grabbing the magic bytes off a JPG, then prepending it to our shell
16:00 - File uploaded, hunting for an LFI and doing more SQLMap
18:20 - Turns out we don't need the PHP Extension (.htaccess allows anything)
26:20 - Reverse Shell returned
27:50 - Grabbing the username and password out of Website Configuration
36:10 - Using VirusTotal to identify when a file was created
37:20 - Examining the .htaccess to see why we could execute code (should have a $ at the end)
39:30 - Using MsqlDump to dump the database and get a password out of it, su to the theseus user
46:00 - Found a SetUID Binary (sysinfo) then using strace to see what it does
48:00 - Using the -f argument with strace to follow forks and see the exec() calls
51:00 - Using Path Injection since absolute paths were not used in exec() and getting a root shell
55:00 - Showing SQLMap did complete with the increased level/risk