<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Resource</title>
        <link>https://stream.echo6.co/videos/watch/06b4ad9b-5100-4339-ae86-bd589d9ba4f6</link>
        <description>00:00 - Introduction 01:00 - Start of nmap 06:55 - Discovering LFI in the page parameter but we cannot immediately exploit it 10:00 - Discovering admin and playing with ping, deciding it's not vulnerable and moving on 15:06 - Uploading a zip file to the ticket, then using the phar wrapper with our LFI to include it 19:50 - Shell returned on the box, python doesn't exist, using script to fix our tty 23:00 - Editing our session file on the box, so we can change users without having to change the database 27:50 - Obtaining the HAR File from a ticket, showing Google's web app that visualizes the file 31:50 - Examining the HAR File from command line, which I think is easier 36:30 - Discovering old SSH CA Files in msainristil's directory, checking the SSH Config to see it has TrustedUserCAKeys which lets this CA Sign Public Keys 38:50 - Using ssh-keygen to sign a public key with a CA specifying root as the principal then logging in 43:00 - Discovering a bash script which uses a web API to sign certificates with another CA, creating a ticket that lets us on as support 45:55 - The host server has AuthorizedPrincipalsFile configured, explaining how this works with TrustedUserCAKeys and ssh 50:00 - Logging in as ZZINTER and discovering they can run a bash script as sudo, which has a File Disclosure vulnerability due to lack of quotes around a comparison 51:40 - Explaining how this works, by doing a couple characters manually 57:50 - Creating a program in golang to dump the CA File 1:09:15 - Running the program, grabbing the CA then creating a root key</description>
        <lastBuildDate>Wed, 15 Apr 2026 10:01:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Resource</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/06b4ad9b-5100-4339-ae86-bd589d9ba4f6</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=06b4ad9b-5100-4339-ae86-bd589d9ba4f6" rel="self" type="application/rss+xml"/>
    </channel>
</rss>