HackTheBox – Hospital
00:00 – Introduction
01:00 – Start of nmap
03:00 – Analyzing the TTL to see that the Linux host is likely a virtual machine. Also, Docker is not at play, since the TTL was decremented
07:00 – Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 – Uploading a php shell, discovering there are disabled functions blocking system
17:15 – Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 – Reverse shell returned on the Linux host
26:00 – uname shows a really old kernel, so using CVE-2024-1086, a netfilter exploit affecting kernels 5.14 to 6.6, to get root, then cracking the hash to get drwilliams's password
29:20 – Talking about man pages and how they are organized, to identify that the $y$ hash prefix is yescrypt
33:40 – Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 – Building a malicious EPS File with a powershell reverse shell
43:40 – PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 – PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 – While we are waiting for keys to be typed, let's inject a reverse VNC server so we can watch the screen
1:10:08 – PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password