<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Yummy</title>
        <link>https://stream.echo6.co/videos/watch/f5e3775f-aac4-49b2-b55b-e458f2183337</link>
        <description>
            00:00 - Introduction
            01:00 - Start of nmap
            03:55 - Playing around with the website, booking a table and then registering an account
            08:40 - Taking a look at the Save to iCalendar functionality and finding a File Disclosure vulnerability
            12:15 - Finding the application source code via the /proc/self/cwd directory
            14:15 - The JWT does RSA manually, using a weak exponent, showing we can factor this with RsaCtfTool
            18:40 - Showing JWT.IO doesn't work with weak RSA Keys, showing an alternative tool
            26:10 - Looking at cron jobs, finding all of the source code
            28:20 - The DBMonitor Cron looks like it will execute code if we create specific files in the /data/scripts directory
            33:50 - Using INTO OUTFILE with our SQL Injection to write files and exploit the DBMONITOR Cron to get a shell
            41:30 - Shell returned, looking at the database, then exploiting another cron because we can write a file
            45:20 - Looking at the commit history of a Mercurial HG repo and finding a password
            49:05 - We can run HG PULL as dev, showing there are multiple places we can put a HGRC file and create a repo with a hook that will execute a script on pull
            57:05 - We can run rsync as root, but the standard gtfobin doesn't work
            1:00:00 - Showing the chown flag doesn't remove setuid bits in RSYNC, which lets us make setuid files
            1:03:00 - BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) that allow MySQL to write files
            1:08:49 - Showing the CHOWN removes SetUID but Rsync does not when changing owners
        </description>
        <lastBuildDate>Fri, 17 Apr 2026 10:22:55 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Yummy</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/f5e3775f-aac4-49b2-b55b-e458f2183337</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=f5e3775f-aac4-49b2-b55b-e458f2183337" rel="self" type="application/rss+xml"/>
    </channel>
</rss>