<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Cereal</title>
        <link>https://stream.echo6.co/videos/watch/f18734d5-19fd-4408-b5a7-29efb9005a76</link>
        <description>01:17 - Start of nmap, showing that having valid hostnames will give more information
03:54 - Error message on source.cereal.htb leaks a path
06:30 - Showing .git doesn't exist in Directory-List but does in Raft
08:02 - Using Git-Dumper to download the .git directory and view the source
09:30 - Looking at Git history shows where deserialization happens and a hard-coded JWT secret
12:08 - Using the hard-coded JWT secret to build our own token in dotnet
21:00 - Trying to use our JWT to access authenticated pages
25:42 - Going through the React JavaScript to see the token is stored in our browser's local storage
29:40 - Our browser keeps clearing the storage; let's just intercept a request in BurpSuite and do what we need
32:15 - Start of the deserialization: a BadWords filter blocks ySoSerial output, but we can manually create our own deserialization payload
33:20 - Finding the name of the JSON library, then finding a Black Hat talk on abusing it, to build our payload
40:11 - More examining JavaScript to find routes that leak pages of the application
42:15 - Using npm audit to find an XSS vulnerability on /admin due to an out-of-date plugin, react-marked-markdown
46:10 - Testing the XSS vulnerability with a simple payload
49:00 - Putting it all together, writing notes on how we are going to build the exploit
51:15 - Start of the exploit script: making Python requests not care about SSL, then building our JWT with PyJWT
57:00 - Testing out bad-character evasion with Base64 by using a benign XSS payload first
1:06:20 - Adding stage 1 to our script to send the deserialization payload
1:08:22 - Changing our payload to use XMLHttpRequest to force the browser to make a request to perform the deserialization, which bypasses the RestrictIP policy
1:13:08 - Our script did not work, troubleshooting it
1:17:57 - Script worked; let's now host an ASPX file for it to download
1:19:20 - Using our webshell to download the SQLite database
1:22:45 - Our PowerShell one-liner to convert the database to b64 just fails. Let's copy the database to the web directory so we can download it without encoding it
1:25:00 - Showing IIS isn't allowing us to download files that end in .db
1:27:45 - Showing odd behavior with SSH not prompting us for a password because it treats pubkey offers as login attempts. The fix is to tell SSH not to use pubkey authentication
1:33:00 - Discovering port 8080, forwarding that port and discovering GraphQL. Installing GraphQL Playground
1:37:20 - Using GraphQL Playground to dump data out of the database, then using a mutation to trigger the SSRF
1:39:30 - Downloading GenericPotato so we can use this SSRF to steal the token
1:44:20 - Running GenericPotato in HTTP mode, triggering the SSRF and getting a root shell</description>
        <lastBuildDate>Wed, 15 Apr 2026 11:33:44 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Cereal</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/f18734d5-19fd-4408-b5a7-29efb9005a76</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=f18734d5-19fd-4408-b5a7-29efb9005a76" rel="self" type="application/rss+xml"/>
    </channel>
</rss>