https://stream.echo6.co/videos/watch/2059a721-b0a3-4cf0-b2d1-343cb5811421 00:00 - Intro 01:05 - Start of nmap 02:50 - Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon] 04:20 - Corrupted GZIP, using zcat to view it and fixgz to repair 08:30 - Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV) 14:20 - Talking about things I would be monitoring for on Login Forms [Detection] 16:45 - Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later 20:15 - VPN Connection established, looking at routes. Adding additional routes that don't exist 28:30 - Going over the NMAP ran from the second VPN 30:40 - Fully understanding the weird behavior from /vpn earlier on. It is indeed a reverse proxy. [MasterRecon] 32:00 - Exploiting the fact that XDEBUG is enabled on info.php 41:40 - Running Chisel to create a pivot rhrough web to access mysql 42:10 - The Multiple VPN MTU Issue explained, demonstrating i can't send big packets because of chunking 48:00 - Finishing with setting up the chisel tunnel 51:45 - Switching up chisel to look at PKI. 53:34 - Running PHuiP-FPizdaM to exploit PHP-FPM/7.1 57:23 - Changing up our Chisel so we can send a reverse shell through the web box 1:01:45 - Looking at the ersatool source code to find a printf/format string vulnerability 1:04:15 - Verifying we have the format string vuln and some really basic talk about it 1:07:30 - Exploring the memory around our leaked address to defeat ASLR and edit the variable we want 1:10:30 - Start of a pwntools script to exploit format string 1:15:48 - Pwntools successful leak and calculating offset to the string we want to manipulate... cleaning up the script a little 1:19:05 - Explaining how we are going to write to an address and why the null byte is a small problem 1:27:15 - Overwriting the ERSA_DIR variable 1:33:55 - Tons of funny failing trying to verify this exploit worked 1:38:00 - Updating and explaining our chisel tunnel since we are proxying a lot of traffic bidirectionally through this web box 1:45:30 - Using cat to transfer a file over /dev/tcp, the trick is to base64 encode 1:50:50 - Using socat to have a binary (ersatool) listen on a TCP Port, so we can use pwntools to exploit it 1:52:45 - Updating pwntools to use a TCP Socket 1:55:50 - We can't execute out of /dev/shm, updating script to use /tmp 2:11:00 - Getting a reverse shell Mon, 13 Apr 2026 22:54:09 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/2059a721-b0a3-4cf0-b2d1-343cb5811421 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.