https://stream.echo6.co/videos/watch/816d1abc-8fa0-42cd-adcf-c4f98f606fcf 00:00 - Intro 00:51 - Start of nmap 02:30 - Finding some vulnerable-looking parameters 03:50 - Testing some basic things for LFI, finding a WAF blocking ../. Double encoding it to get passed 07:11 - Start of writing a script to abuse this LFI and crawl/download all the php source 10:30 - Making the script recursive, so it will check pages downloaded for new links 16:50 - Making the script save the files 19:40 - Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln 22:20 - Identifying how the site generates activation codes upon registration identifying an insecure use of SRAND(). Generating our own activation code 25:30 - Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file 27:45 - Building a deserialization object to download a file off our server and write it to the web directory 32:08 - EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack 35:00 - EDIT: Poisoning our PHP Session with PHP Code as our username, then building an object to copy that to the server so don't need to use a remote host 41:38 - Getting a shell on the box, dumping credentials from postgres 44:55 - Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. Then cracking the passwords 51:25 - Passwords cracked logging in as bill 55:10 - Using pspy to identify a script runs to renew certificates 57:15 - Going over the bash script and identifying a command injection vulnerability. 1:01:45 - Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems 1:06:04 - Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work 1:08:15 - Putting the payload in $(), and getting root to the box 01:10:20 - Just making sure we fully understood why our first attempts failed Wed, 15 Apr 2026 09:23:16 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/816d1abc-8fa0-42cd-adcf-c4f98f606fcf All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.