00:00 - Introduction
00:45 - Start of nmap, discovering an open FTP server and downloading the jar file
04:45 - Using JadX to decompile the jar and then looking at it in VSCode with Snyk; Maven has to be installed so Snyk can report CVEs based on the libraries in use
11:00 - Looking into Apache CXF CVEs
15:40 - Using SoapUI to parse the WSDL for us and build the request
19:15 - Showing that the multipart/related functionality of HTTP is needed in order to exploit this
23:20 - We have a file disclosure; brute-forcing /proc/$pid/cmdline to get a list of running processes (which contains the Hoverfly credentials). Then showing that a file disclosure can read directories, which is somewhat unique to Java, and this eliminates a lot of the brute-forcing
29:00 - Discovering a CVE within Hoverfly that gets us RCE
33:00 - Shell as dev_ryan
35:30 - Enabling the command line in SSH so we can use ~C to set up the SSH tunnel to 7777 without exiting SSH
37:40 - Finding the secret syswatch uses to sign cookies, then giving ourselves access to the application
42:10 - Finding command injection in syswatch; the filter has to be evaded, and while characters are allowed, uppercase is not, which breaks base64. Using xxd so we can have a hex cradle to get a shell
52:00 - The script we can execute via cron blocks symlinks but does not traverse them; a double symlink evades the next filter and we can read files as root, reading the SSH private key