00:00 - Introduction
00:45 - Start of nmap
04:45 - Uploading a zip file to the extension, looking at the output discovering a new subdomain
09:45 - Going to Gitea, looking at source code, see a flask app listening on localhost and a bash script vulnerable to bash arithmetic injection, explaining how it works
13:00 - Trying to create a malicious extension that reaches back to us, using the examples provided on the website as a starting point
18:45 - Creating a Background Worker, and giving it the webrequest permission lets us make a request on startup. Now have it try to trigger the RCE
23:30 - Shell on the box, discover the __pycache__ directory gives everyone read/write access. Explaining pyc headers
32:50 - Using DD to copy the header over top of our pyc file, which will trick python into thinking it doesn't need to recompile the pyc file
37:30 - Getting Code execution as root