https://stream.echo6.co/videos/watch/db1bfda5-6773-4222-8466-1b63d5bb8444 00:00 - Intro 01:08 - Start of nmap, discovering a webserver and filtered port 04:15 - Discovering a hostname in the 404 not found message in the mailto section 05:25 - Gobuster VHOST Discoery finds the subdomain db.admirer-gallery.htb which is adminer. Playing with the application and raw SQL Commands 07:25 - Trying to write files with INTO OUTFILE, also testing the secure file priv default directory for MySQL which is the most reliable 09:30 - Going to google and finding this version of adminer is vulnerable to a SSRF, but having trouble with this because the login for adminer is different 11:45 - Intercepting the login request, finding a hardcoded password that doesn't really help us 13:00 - Installing adminer in a docker container, so we can play with the application locally which helps us understand the SSRF Exploit 15:30 - Finding a python3 http server redirect example to use for our SSRF 17:00 - Performing the SSRF Vulnerability failing to extract local files 18:10 - The CSRF is annoying, configuring burpsuite to replace variables in our post automatically so we don't need to manually intercept. 20:00 - Having the SSRF access localhost:4242 (the filtered port from nmap), we see the OpenTSDB application, finding an exploit 21:15 - Exploit fails, it complains about an invalid metric. Googling to find OpenTSDB API Documentation and finding an endpoint to list metrics 24:30 - Updating the exploit to use the http.stats.web.hits metric and getting RCE 29:10 - Reverse shell returned 33:40 - Finding database credentials in server.php, which also are jennifers credentials. 36:00 - Enumerating Apache configuration files, discovering one webserver runs as devel 39:20 - Discovering a PHP Object Injection vulnerability in a OpenCats which is a webserver running on localhost, jennifer can login. We can't write to the web directory thoe 42:30 - Discovering devel can write to /usr/local/etc/ and fail2ban is installed, which has an RCE with whois 45:00 - Running strace on whois to discover it looks at /usr/local/etc/whois.conf 47:00 - Using phpgcc to test our file write to see what the file looks like 48:40 - Looking at an example whois configuration file 49:20 - Explaining our payload and doing some weird regex termination to get this to work 50:10 - Looking at the whois source code to see it only reads the first 512 bytes of the configuration file 52:00 - Creating the whois configuration file, which starts with ]* to terminate the regex, then puts 500 spaces to get rid of the appended data by the exploit 55:30 - Creating our payload for the fail2ban whois exploit and getting root Wed, 15 Apr 2026 11:48:02 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/db1bfda5-6773-4222-8466-1b63d5bb8444 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.