Description
00:00 - Introduction
00:45 - Start of nmap, discovering an open FTP Server, downloading the jar file.
04:45 - Using JadX to decompile the jar and then look at it in VSCode with Snyk, have to install Maven to see CVE's based upon libraries
11:00 - Looking into Apache CXF CVE's
15:40 - Using SoapUI to analyze the WSDL for us and make the request
19:15 - Showing we need to use the multipart/related functionality of HTTP in order to exploit this
23:20 - Have a File Disclosure, bruteforcing /proc/$pid/cmdline to get a list of running processes (which has hoverfly credentials). Then showing we could read directories from a File Disclosure which is somewhat unique to java. But this eliminates a lot of the bruteforce.
29:00 - Discovering a CVE within Hoverfly that gets us RCE
33:00 - Shell as dev_ryan
35:30 - Enabling commandline in SSH so we can do ~C in order to setup the SSH Tunnel to 7777 without exiting ssh
37:40 - Finding the secret syswatch uses to sign cookies, then giving ourself access to the applicaiton
42:10 - Finding command injection with syswatch, have to evade the filter, can use characters but not uppercase which breaks base64. Using xxd so we can have a hex cradle to get a shell
52:00 - Script we can execute as cron blocks symlinks but does not traverse them, doing a double symlink can evade the next filter and we can read files as root, reading the SSH Private Key.