https://stream.echo6.co/videos/watch/5a9d83a5-109f-42ed-ae57-7b1cd8b35034 00:00 - Introduction 01:00 - Start of nmap, discovering two different OS's 02:30 - Running Gobuster to bruteforce VHOST 03:30 - Discovering XSS but nothing we can really do with it 04:00 - Enumerating Gitea, discovering a repo with some source code 05:40 - Opening the code with VS Code and Snyk. Discovering a RCE Vulnerability but requires login 07:30 - Discovering an EAR (Execute After Read) Vulnerability on Authentication 09:10 - Start of building our Javascript payload to exploit NoSQL Injection, download the internal page 12:40 - Explaining the NoSQL Injection, then testing with a login bypass 16:30 - Discovering what happens on invalid logins 20:40 - Getting the length of the password 25:30 - Bruteforcing the password with boolean logic 30:00 - Logging in via ssh with the credentials we got from the nosql injection, looking at the local linux mail to get 2FA Link 33:20 - Logged into the dashboard, can hit the RCE Endpoint now to get a shell as www-data which gets us matthews creds 40:20 - Discovering a keepass file, running PS enough we can see KPCLI Runs 41:30 - Running STRACE against KPCLI to intercept syscalls 42:40 - Specifying we only want to see READS, and can intercept keys sent to KeePass and get the password 46:10 - Going into the Mongo docker container and running mongodump to dump all the users Wed, 15 Apr 2026 11:15:50 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/5a9d83a5-109f-42ed-ae57-7b1cd8b35034 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.