<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - OnlyForYou</title>
        <link>https://stream.echo6.co/videos/watch/a8abff39-1ac4-42ad-91db-3ab51362d645</link>
        <description>00:00 - Introduction
01:00 - Start of nmap
03:20 - Discovering beta.only4you.htb
03:55 - Downloading the source, scanning with Snyk and discovering a File Disclosure vuln
05:15 - Demonstrating that os.path.join in Python will do unexpected things if a path begins with a slash
07:30 - Failing to get /proc/self/environ, not sure why we failed here
09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the File Disclosure vuln to leak the source of the main website
11:15 - Discovering a vulnerability when sending mail
12:10 - Talking about how we will bypass the bad character check; re.match will only match the start, not the entire string
16:10 - Getting code execution from the contact form
18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost
22:30 - Uploading Chisel so we can access ports 3000 and 8001
25:40 - Start of Neo4j injection, discovering we are in a CONTAINS statement
30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band
32:25 - Leaking the labels, then grabbing users and hashes
38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off Gogs
40:25 - Creating a malicious Python package for us to download, then uploading to Gogs
44:10 - Showing that the pip download command will execute setup.py and getting root</description>
        <lastBuildDate>Thu, 16 Apr 2026 09:58:08 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - OnlyForYou</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/a8abff39-1ac4-42ad-91db-3ab51362d645</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=a8abff39-1ac4-42ad-91db-3ab51362d645" rel="self" type="application/rss+xml"/>
    </channel>
</rss>