<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Lantern</title>
        <link>https://stream.echo6.co/videos/watch/913e1236-8c94-4c8e-baad-05ea314991ff</link>
        <description>00:00 - Intro
01:00 - Start of nmap
06:40 - Discovering the Skipper Proxy header, discovering an SSRF CVE
08:40 - Using FFUF with this SSRF to scan local ports, discover port 5000. Using BurpSuite to add the proxy as our header and discover an internal web service
13:40 - Discovering an SQLite Injection
17:10 - Dumping the SQLite Table Schema from our injection, then grabbing data to get the password
22:20 - Showing an alternate way to get the password, decompiling DLL to discover hardcoded credentials
28:00 - Looking at the Admin Dashboard, finding a File Disclosure vulnerability
32:00 - Manipulating a File Upload request, showing we can't just change the filename because we break the serialization, grabbing the Blazor Traffic Processor so we can edit the requests
38:40 - Creating a malicious DLL, by copying the Logs.dll obtained from file disclosure and putting a reverse shell in it, having a bunch of annoying issues
56:50 - Reverse shell returned
1:03:25 - We can run Procmon with sudo, there's an expect script running nano. Dumping the Write syscall to examine the screen of nano
1:15:10 - Writing a Python script to dump the SQL Database procmon creates so we can parse the arguments to get the output
1:24:30 - Something odd happened. Apparently, if you don't filter the write syscall then you won't get any repeat data. When I solved the box, I never examined the output of a non-filtered query, so this is new to me.
1:33:30 - Rewriting the Python script in golang</description>
        <lastBuildDate>Mon, 13 Apr 2026 23:06:47 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Lantern</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/913e1236-8c94-4c8e-baad-05ea314991ff</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=913e1236-8c94-4c8e-baad-05ea314991ff" rel="self" type="application/rss+xml"/>
    </channel>
</rss>