<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Forge</title>
        <link>https://stream.echo6.co/videos/watch/06f5a4e6-4d36-42eb-9c2b-f5097f2d2804</link>
        <description>00:00 - Intro
01:00 - Running nmap, finding a filtered port with some open ones
03:30 - Running GoBuster to always have something running in the background
05:00 - Playing with the Upload Form
07:20 - Playing with the Upload from URL to see what library connects back to us (SSRF)
09:30 - The Upload From URL has a blacklisted address, playing with it to discover what is blacklisted
10:55 - Bypassing the URL Blacklist in the SSRF by changing the case of words
11:45 - Running a virtualhost bruteforce within gobuster to discover vhost
13:10 - Bypassing the URL Blacklist in the SSRF by creating a webserver that will send a redirect
16:50 - Using the SSRF to download admin.forge.htb and discovering ftp creds and another SSRF
18:20 - Using the SSRF to use FTP
19:20 - Encoding the IP Address as hex to bypass a blacklist
22:10 - When specifying a directory in the FTP with SSRF, a trailing slash is needed; explaining why
23:10 - Downloading id_rsa and then logging into the machine
24:10 - The user can sudo run a python script, which stands up a debugger on a random port
26:13 - Doing a nested tmux so we can run the python script and then use netcat to connect
28:50 - Getting root
30:55 - Explaining how to harden the blacklist to prevent the easy bypassing
34:30 - Looking at how admin.forge.htb added FTP Support
36:50 - Thinking there's an RCE but there isn't, shlex is a good filter
44:30 - Getting frustrated, let's break this down and see what's stopping our RCE
45:40 - Playing with Shlex to discover it is what prevents the RCE</description>
        <lastBuildDate>Wed, 15 Apr 2026 09:24:26 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Forge</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/06f5a4e6-4d36-42eb-9c2b-f5097f2d2804</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=06f5a4e6-4d36-42eb-9c2b-f5097f2d2804" rel="self" type="application/rss+xml"/>
    </channel>
</rss>