<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Caption</title>
        <link>https://stream.echo6.co/videos/watch/d20599ae-72b6-4c92-b1b3-0e25bd6cc6e6</link>
        <description>** See Pinned Comment for Root Shell.
00:00 - Introduction
01:00 - Start of nmap
03:40 - If you want to learn more about Varnish, check out Forgot
04:00 - Looking at the Git repo, discovering the infra stack: HAProxy, Varnish, Flask
08:45 - Discovering Margo's password in an old commit
10:00 - Testing if we can put a line break in the URL to bypass HAProxy's ACL (like in Skyfall)
12:04 - Using H2CSmuggler to use an HTTP2 upgrade to bypass the HAProxy ACL
16:50 - Poisoning the cache and placing an XSS payload in the UTM_Source tracker
23:30 - Got an admin cookie, using it to access the logs page via h2csmuggler
27:45 - Looking at the logs, showing there's an ECDSA key that margo uses
29:45 - Googling the URL we downloaded the logs from, discovering it's copyparty, which has a file disclosure exploit
33:00 - Having a hard time enumerating what user is running copyparty, guessing each user and finding an SSH key
36:00 - Looking at the custom LogService binary, which is an Apache Thrift service
40:30 - Creating a Go program to make an Apache Thrift request
46:50 - Creating our payload that will perform the command injection. See pinned comment if you have problems here.</description>
        <lastBuildDate>Mon, 13 Apr 2026 22:58:14 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Caption</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/d20599ae-72b6-4c92-b1b3-0e25bd6cc6e6</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=d20599ae-72b6-4c92-b1b3-0e25bd6cc6e6" rel="self" type="application/rss+xml"/>
    </channel>
</rss>