https://stream.echo6.co/videos/watch/f54eafe5-2a5b-4983-869a-e83bd73aa109 00:00 - Intro 01:04 - Start of nmap 03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login 05:00 - Creating an account and looking at the page to discover CTF Challenges 06:15 - CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells 11:50 - Submitting a writeup, discovering an old version of Firefox talks to us 14:00 - Checking for Tab Nabbing vulnerability and explaining it 17:30 - Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials 29:30 - Phishing worked, got the admin's password. Login to Django to see another website (Sentry) 33:00 - Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie 36:10 - Grabbing a django deserialization payload then installing django on python2 to use the payload 40:15 - Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell 41:30 - Setting up the reverse shell in a way that works with ZSH, just need to do stty raw -echo; fg on one line 46:13 - Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl's password 52:25 - Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. Copy it back to our box 56:55 - Examing the binary in Ghidra 58:55 - Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are 1:01:22 - Showing that AES-CTR does not have defined block sizes 1:05:00 - Using GDB to help our analysis, showing how to setup break points around what our decompiler shows 1:10:36 - Examining memory to confirm our static analysis was correct 1:11:15 - Grabbing the encrypted blob the program is comparing against to get the password and getting root 1:15:40 - CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string 1:21:20 - CHALLENGE 3: Get Lucky, a small binary that rolls a dice. We exploit it mainly in GDB but after recording, probably could have done LD_PRELOAD, im not sure 1:34:50 - CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding 1:37:10 - CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory 1:44:40 - CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password 1:49:30 - CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key 1:53:29 - CHALLENGE 8: Triple Wamy, another XOR Challenge where we have to just do the XOR's backwards to get the flag Wed, 15 Apr 2026 13:30:25 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/f54eafe5-2a5b-4983-869a-e83bd73aa109 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.