<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Encoding</title>
        <link>https://stream.echo6.co/videos/watch/98b2b493-a4fd-4ff2-b165-5318d7a123d9</link>
        <description>00:00 - Introduction 00:57 - Start of nmap 02:45 - Checking out the API Documentation 04:00 - Interacting with the API Server 05:15 - Showing the file_url parameter and showing we can access local files 06:36 - Building a webserver in Flask to make some middleware to exploit this SSRF, allowing us to easily download files from the webserver 09:50 - Our middleware works! Can download files off the server. 11:15 - Downloading the apache2 configuration to find where all the webserver files are hosted 14:30 - Using gobuster against our middleware to discover any hidden webfiles, have to edit our middleware to return 404 if it didn't return a file 16:45 - Running gobuster against our code now that it gives 404... It's going slow, switching to a different wordlist and finding a .git repository 17:50 - Git-Dumper fails because our middleware isn't setting content-type correctly. Have to fix that 19:50 - Opening the source code from the .git repo up in Visual Studio Code and Snyk shows us there is an LFI 21:00 - Getting Unacceptable URL when trying to exploit this. Removing http:// fixes that, showing parse_url in PHP fails to return the hostname when there is no wrapper 22:30 - Getting RCE on an include() statement without poisoning a file on the server with PHP Gadgets 26:58 - EDIT: Showing there is also a URL Parsing bug on handler.php and we can change the domain that script goes to by inserting an "@" 31:52 - With a shell on the box, discover we can use git with sudo. Inserting a POST-COMMIT hook 35:00 - Generating an ed25519 SSH key, because the public key is extremely small... It's also more secure than RSA 38:10 - Cannot make a git commit because we can't write to the directory. But since we can write to .git we can add files outside of the working directory and commit 45:15 - Shell as SVC, discovering we can write to systemd, creating a malicious service to get root</description>
        <lastBuildDate>Wed, 15 Apr 2026 09:48:33 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Encoding</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/98b2b493-a4fd-4ff2-b165-5318d7a123d9</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=98b2b493-a4fd-4ff2-b165-5318d7a123d9" rel="self" type="application/rss+xml"/>
    </channel>
</rss>