https://stream.echo6.co/videos/watch/3d249bd7-3a89-44ec-91c9-a60bde048d99 00:00 - Introduction 00:50 - Start of nmap 04:00 - Running a VHOST Scan to discover CRM Subdomain 04:50 - Discovering Dolibarr is running at version 17.0.0 which is vulnerable to CVE-2023-30253 05:30 - Discovering default credentials of admin:admin work then running the exploit 07:30 - Using BurpSuite to act as a Transparent/In-Line proxy so we can proxy the exploit script without editing it, so we can understand what it does 12:45 - Manually stepping through the exploit to understand exactly what it does 19:15 - Reverse shell returned, dumping the local database 22:50 - Just trying the MySQL Password with Larissa and finding password re-use 25:20 - Discovering a SetUID Binary called Enlightenment_sys getting the version from dpkg and finding it vulnerable to CVE-2022-37706 and getting root 30:00 - BEYOND Root: Understanding how the Enlightenment_sys privesc works and doing source code analysis 35:00 - Discovering why the exploit uses /tmp///net 38:35 - Looking at how the command injection happens 40:55 - Looking at why we couldn't use www-data to exploit this binary Wed, 15 Apr 2026 11:47:36 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/3d249bd7-3a89-44ec-91c9-a60bde048d99 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.