Рет қаралды 17,240
00:00 - Introduction
00:31 - Begin of nmap
01:10 - Nmap shows it is BSD, going over some command differences
02:00 - Running GoBuster to find other PHP Scripts
04:30 - Looking at the includes directory and finding source code
10:14 - Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well
12:00 - Using VirusTotal to find out if this an old binary
13:20 - Using Cutter to decompile this binary, to see it does a better job than Ghidra!
17:50 - Finding some BSD Exploits related to authentication
20:00 - Putting SCHALLENGE as the username, causes a different error message. Then doing some code analysis around $_REQUEST
24:50 - Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key
26:10 - Showing how OpenBSD has some different command line switches
31:00 - Going back to the earlier CVE, since it showed a privesc aswell and explaining CVE-2019-19520
40:45 - EXTRA: Looking at the PHP Code to explain the $_REQUEST exploit again