<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Vessel</title>
        <link>https://stream.echo6.co/videos/watch/28dd2f6f-4a27-4113-bc96-f54b7e869cd4</link>
        <description>00:00 - Introduction talking about how this box is about finding CVEs and building an exploit based upon exploit
00:50 - Start of nmap
03:00 - Running gobuster and showing the importance of using multiple wordlists.
05:00 - Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404
06:10 - Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD
08:25 - Running Git-Dumper to extract the source then looking at the code
09:00 - Showing the vulnerable code and how secure the code appears at first glance without knowing specifics about the library
10:00 - Googling MySQLJS SQL Injection and showing how you would have found this exploit
11:30 - Showing how you could have found it blindly, passing an object into the SQL Query and doing SQL Injection on NodeJS with MySQL
19:00 - Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and writeup for the vulnerability
22:30 - Showing the piece missing from the writeup that tells us how we can retrieve the cache file that can be used to reset a password
24:40 - Going over the code, and figuring out how the filename is generated.
28:30 - FIXED PART, sorry, cut out a piece on how I traced the function back to how it generates the filename
31:29 - Resetting the admin account from the exposed cache file
35:39 - Exploiting the Mass Assignment Vulnerability to write to a configuration file, to increase log verbosity, file name of log, and then poisoning the log
46:09 - Reverse shell returned
48:39 - Downloading a custom password generator that appears to be a compiled python executable.
51:24 - Running Pyinstxtractor to extract the pyc files out of the exe and then using Docker to match the python version which will allow uncompyle to convert pyc to py files
56:19 - Starting the docker and copying our password generator into it
57:29 - Showing the vulnerable password generation function, it is just using millisecond as a seed
57:49 - Building a script to generate all possible passwords, turns out it fails because Windows and Linux randomization is different
1:00:29 - Running pdf2john to generate a hash for the pdf file
1:02:19 - Running the script on Windows to generate different passwords, then cracking ethan's password with john
1:05:39 - Looking at SetUID Files, finding PINNS from CRI-O which is a binary related to Kubernetes
1:07:39 - There's no man page for the PINNS binary, so looking at the source code to change the kernel parameter for core dumps
1:11:00 - Creating an exploit script, poisoning the core dump parameter, and generating a dump to execute our script and getting root</description>
        <lastBuildDate>Mon, 13 Apr 2026 20:40:50 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Vessel</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/28dd2f6f-4a27-4113-bc96-f54b7e869cd4</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=28dd2f6f-4a27-4113-bc96-f54b7e869cd4" rel="self" type="application/rss+xml"/>
    </channel>
</rss>