<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>UHC - LogForge</title>
        <link>https://stream.echo6.co/videos/watch/0a26c7fb-0ce3-423c-a440-a55bb5e5c673</link>
        <description>00:00 - Intro 01:04 - Start of nmap 02:30 - Discovering an Apache Tomcat error message despite the webserver being Apache 03:15 - Looking at Orange Tsai's 2018 Black Hat talk on Path Normalization 03:55 - Explaining the attack and how to bypass Apache blocking access to /manager by using /..;/ or ;name=Stuff 05:20 - Attempting to deploy a WAR file to see that path is blocked by the max upload size being 1 byte 06:55 - Testing for log4j in Tomcat, discovering a callback 07:55 - Finding a Twitter post that combines JNDI-Injection-Exploit-Kit and Ysoserial to do deserialization attacks with Log4shell/log4j 08:20 - Explaining what's different about ysoserial modified and why it lets us do reverse shells 09:20 - Running YsoSerial-Modified to generate a CommonsCollections5 payload 11:00 - Running JNDI Injection Exploit Kit to set up the LDAP Server 13:00 - Running the exploit and getting a reverse shell, then looking at port 21 since it was filtered earlier 15:30 - FTP is running as root and written in Java. Testing for Log4j! 18:15 - Using JD-GUI to examine the FTP Server source to discover credentials are stored in environment variables! 19:30 - Explaining why we are going to use Wireshark to view these environment variable leaks 20:30 - Creating a log4j payload that sends us the ftp_user environment variable, then ftp_password 24:25 - Using log4j to extract the java class path which may be helpful in creating serialized payloads 25:50 - Using log4j to extract the java version 27:00 - Using log4j to extract OS Information</description>
        <lastBuildDate>Wed, 15 Apr 2026 13:29:40 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>UHC - LogForge</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/0a26c7fb-0ce3-423c-a440-a55bb5e5c673</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=0a26c7fb-0ce3-423c-a440-a55bb5e5c673" rel="self" type="application/rss+xml"/>
    </channel>
</rss>