HackTheBox - RedPanda

00:00 - Introduction
00:55 - Start of nmap
01:58 - Poking at the web page, examining the request, playing with server headers
02:25 - Discovering an error message, googling it and finding out it is tied to Spring Boot
03:45 - Start of FFuf, using a raw request so we can ffuf like we can sqlmap
04:45 - Going over the results of FFUF
05:40 - Matching all error codes with FFUF which is very important, going over the special characters
08:15 - The curly braces return 500 in FFUF, big indication it is going to be SSTI
09:20 - Using HackTricks to get a Spring Framework SSTI payload and getting command execution
13:05 - Using curl to download a shell script and then execute it because we are having troubles getting a reverse shell
15:30 - Going back to just show the Match Regex feature of FFUF to search for banned characters
17:00 - Searching the file system for files owned by logs, discovering . Using a recursive grep to find out what uses this
19:50 - Examining the C