<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Busqueda</title>
        <link>https://stream.echo6.co/videos/watch/45d90dcc-9f37-40b5-b6a1-e272798fb83a</link>
        <description>00:00 - Introduction 01:00 - Start of the nmap scan 04:20 - Copying the request in Burp Suite to a file so we can use FFUF to fuzz 06:00 - Just testing for SSTI 06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing 08:20 - Discovering we can append to the string, then trying to execute code with print to test for eval statements 10:00 - Getting a reverse shell 15:00 - Reverse shell returned 17:00 - Looking at Apache virtual hosts to discover a hidden vhost that is running Gitea 19:00 - Finding creds in the .git folder, which let us run sudo 22:00 - Inspecting the Docker containers to discover passwords in environment variables, which let us log into Gitea as administrator and view the script we are running as sudo 25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root</description>
        <lastBuildDate>Mon, 13 Apr 2026 13:33:43 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Busqueda</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/45d90dcc-9f37-40b5-b6a1-e272798fb83a</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=45d90dcc-9f37-40b5-b6a1-e272798fb83a" rel="self" type="application/rss+xml"/>
    </channel>
</rss>