https://stream.echo6.co/videos/watch/125a3aac-6693-49fd-ae33-11427d53f304 00:00 - Intro 01:00 - Start of Nmap 03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page 05:30 - Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account 07:00 - Logging into the endpoint, discovering how to send authentication to the endpoints. Don't really gain anything 10:40 - Using ffuf to search for extra endpoints and discover /admin/ but can't do anything 14:00 - Running NMAP again with UDP to discover SNMP 17:10 - EDIT: Showing the minrate with nmap to scan UDP much quicker 18:30 - Using SNMP Walk 19:40 - Using SNMP-BRUTE to bruteforce other community strings 20:45 - EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string 23:05 - Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk 25:00 - SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI 28:15 - Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages 30:50 - Discovering command injection in the backup endpoint 35:19 - Shell returned! 37:30 - Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic 40:45 - EDIT: Showing how we could background out reverse shell with nohup so we don't hang the webserver 47:15 - Cracking the hashes and getting svc's password and then logging into the server via SSH 53:00 - Doing some light forensics looking for files edited on the box shortly after linux was installed 56:45 - Finding a password in the snmpd password which gets us root 01:01:10 - Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration 01:04:30 - Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD 01:06:40 - Forwarding PostGres to our server with chisel so we can dump the database 01:12:20 - Enumerating PostGres manually to dump users, then showing how to run code on postgres servers 01:16:30 - Setting up the FastAPI Environment on our local box, copying files from the docker 01:18:30 - Doing some light edits on the FastAPI Code, so we can run it within an IDE and set breakpoints 01:24:14 - Start of adding auth to the /user/ endpoint. 01:30:15 - Fixing our /auth/login endpoint to accept our new login request 01:37:20 - Getting the browser to accept our bearer token 01:45:30 - Fixing up the /user/ endpoint to work with our bearer token 01:50:20 - Getting the user decorator to return the User Object which makes it easy for our code to identify our group Mon, 13 Apr 2026 23:05:36 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/125a3aac-6693-49fd-ae33-11427d53f304 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.