https://stream.echo6.co/videos/watch/7ca975c3-d707-4214-afc3-59dededce8a3 00:00 - Introduction 01:00 - Start of nmap 02:00 - Start of gobuster 04:00 - Discovering an upload form, looking for where things get uploaded 05:50 - The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935 08:11 - You should really watch "The Perl Jam" 08:40 - Showing the weird syntax of perl's file open and how | leads to RCE 16:15 - Back to the box, exploiting and getitng a shell 20:00 - Reverse shell returned, looking at the uploaded files 22:35 - Running LinPEAS to discover a cron 27:00 - There's an outlook email message with an attachment. Copying it then converting to eml format and extracting the file 32:45 - The file was an windows event log. Using Chainsaw to search through the logs 38:30 - Using Chainsaw and JQ to parse the Successful and Failed logins 42:25 - In the failed logins field, there's a password as a username and logging in as smorton 44:35 - There's a binary on this box, copying it to us and opening in Ghidra 45:30 - Start of reversing, just showing strings and finding out where the get loaded in the program 47:00 - Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense 51:30 - Retyping done, renaming a few variables to make things easier to read 53:45 - Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghidra to "Parse C Source" 59:20 - Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts 1:01:05 - Showing there is also a race condition in the binary because the curl downloads to CWD and even thoe its owned by root we can rename it and take control over the file Wed, 15 Apr 2026 09:23:10 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/7ca975c3-d707-4214-afc3-59dededce8a3 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.