HackTheBox - Proper

00:00 - Intro
01:05 - Start of nmap and checking the website
04:10 - Looking at the web console which shows the page making a request to Products-Ajax.php then playing with the parameters
10:05 - If the hash parameter is missing, the application errors and leaks the secret key; identifying how it signs requests
14:00 - Using SQLMap's eval parameter to automate the secure hash generation (Calculated Parameter Bypass)
19:30 - Logging into the application with a password from the database and discovering an LFI
23:50 - Creating a python script to automate the LFI Exploitation
32:00 - Script done; attempting to perform RFI
34:50 - Another Stack Trace, identifying a race condition in their check for examining malicious php files
35:40 - Using SMB to steal the hash of the user running the webserver
40:50 - Exploiting the race condition with inotify to get the server to execute our PHP code
48:40 - Reverse shell returned! Finding the GoLang Program
53:00 - Opening the binaries in Ghidra (prior to installing the golang plugin)
55:40 - Installing GoTools to make reversing golang suck less
01:01:30 - Start of reversing the client binary, explaining some golang oddities
01:12:00 - Running the programs on our local Windows machine to identify if we reversed it correctly
01:14:15 - Back to Ghidra and reversing server.exe to see what it does to clean files
01:19:50 - Using IO Ninja Pipe Monitor to snoop in on the pipes
01:27:50 - METHOD 1: Stealing the flag by cleaning, copying off, then decrypting locally
01:35:50 - METHOD 2: Creating symlinks to trick the server into copying root.txt to a directory we own
01:50:15 - METHOD 3: Tricking server.exe into writing into system32, then using WerTrigger to elevate privileges