https://stream.echo6.co/videos/watch/dabb8e5c-1618-4576-8ee9-5b23a2f76378 00:00 - Introduction 00:40 - Start of nmap 03:40 - Trying to identify what is running the webapp (WonderCMS), discovering a themes directory in source and burpsuite 04:36 - Taking a string that looks unique in the CSS and searching GitHub to discover where it exists in an open-source repo 05:45 - Showing several ways we could of dirbusted the themes directory to discover this file 08:45 - Discovering a public POC for the XSS Attack 14:07 - Showing the pathname is not being set correctly in the public poc, fixing it then getting a callback 18:50 - We see the webserver downloaded our shell but the poc didn't send it to us directly, manually triggering the callback 21:00 - Extracting the WonderCMS Password and cracking it 24:48 - Discovering a few ports listening on localhost, checking /etc to try and figure out the service listening on 8080 26:00 - Forwarding port 8080 back to our box, then discovering a webapp that has a command injection flaw 31:40 - Discovering our shell dies quickly, adding a nohup to our reverse shell to make it more stable 34:00 - Showing why our reverse shell is not stable, it hangs the webserver which causes it to restart 37:30 - Showing an alternate way to getting the shell, just editing sudoers file to add our user (we could also add a cron to send a reverse shell, ssh key, etc) 40:10 - Going over the XSS, showing the Reflective Injection and why it only triggers from admin 43:50 - Manually exploiting this XSS by writing our own javascript to install the theme 55:20 - Showing we could have just stolen PHPSESSID, then we can use our browser to install the module instead of performing a CSRF attack to do it Wed, 15 Apr 2026 11:34:49 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/dabb8e5c-1618-4576-8ee9-5b23a2f76378 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.