https://stream.echo6.co/videos/watch/c16fe230-feaf-497c-8e34-49fda12b7436 00:00 - Introduction 01:00 - Start of nmap 03:15 - Fuzzing the API port port 3000 with ffuf 09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use 11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling 18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js 28:45 - Taking a look at the APP.JS source code and discovering a Hash Length Extension attack 38:14 - Performing the Hash Lenght Extension attack and then using FFUF to find the length of the secret 45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box 52:45 - Discovering port 9999 58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow 1:04:00 - Creating a C Program to explain the integer overflow 1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves 1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so 1:21:00 - Creating a pattern so we can see where we write data to 1:24:22 - Creating a python script to build our payload 1:35:50 - Running into an issue, discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak) 1:46:45 - Burpsuite wasn't URL Encoded a linebreak, doing it ourselves and then getting shell Mon, 13 Apr 2026 15:19:43 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/c16fe230-feaf-497c-8e34-49fda12b7436 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.