<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Secret</title>
        <link>https://stream.echo6.co/videos/watch/60955712-ccbd-4f5f-adf6-3a1ab485873f</link>
        <description>00:00 - Intro
01:04 - Start of nmap, talking about seeing two ports having the same HTTP banner
03:20 - Checking out the webpage to discover source code and some docs
04:00 - Always RTFM. Playing with the API to register a user, log in, and check out privilege level
05:50 - Renaming our Burp Repeater tab by just double-clicking on the number
07:30 - Trying to log in with a name instead of email
10:10 - Testing our login token to find out it uses JWTs in a non-standard way
10:50 - Analyzing the source code to see the token is used in a header called "auth-token"
12:40 - Looking at git commit history to see there is a hard-coded secret in an older commit and forging a token
13:40 - Changing our token's user, going back to the source code and seeing "theadmin" is a hardcoded administrative user
14:30 - Talking about the importance of rotating secrets in a web application
16:30 - Analyzing the private.js, which shows a logs endpoint that is vulnerable to RCE
17:50 - Testing command injection and getting a reverse shell
22:00 - Noticing we are a user on the box, seeing our shell is /bin/bash, dropping an SSH key for a second way into the box
23:40 - Checking NGINX configuration to see if there is any difference between the two websites (port 80 and 3000); there isn't
25:20 - Running LinPEAS, discovering a custom SetUID binary called count
30:00 - Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root
31:57 - Examining the source code to discover it allows for dump files to be created
33:15 - Failing to kill the Linux process with the correct signal
34:50 - Pulling up the man page for kill and listing all signals, then killing the process with a Segfault (11)
36:40 - Using apport-unpack to extract the crash report into readable files
37:23 - Examining the coredump to discover the file read is there! Then doing the same thing with an SSH key to get root on the box
40:00 - Showing how file descriptors (/proc/pid/fd) work and failing to pull the SSH key, because the key isn't readable by us
41:30 - Failing to dump the heap memory with DD as a regular user
44:10 - Back to examining the fd's in proc, showing that if we had permission to read the file, we could bypass the directory permission by cat'ing the file handle
48:00 - Dumping the heap of the process as the root user to show we can extract the file from the process's memory</description>
        <lastBuildDate>Wed, 15 Apr 2026 09:25:51 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Secret</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/60955712-ccbd-4f5f-adf6-3a1ab485873f</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=60955712-ccbd-4f5f-adf6-3a1ab485873f" rel="self" type="application/rss+xml"/>
    </channel>
</rss>