UHC - Altered

00:00 - Intro 00:55 - Start of nmap 01:35 - Enumerating the web page, finding a way to validate potential users 02:50 - Examining the data the website stores in our browser 05:20 - Attempting type juggling, finding out its not vulnerable 06:20 - Before we WFUZZ, just playing with PHP to see how it handles numbers. 08:15 - Running WFUZZ with the range payload to bruteforce all possible pin code, find out we get blocked. 10:15 - Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR header 12:15 - Using WFUZZ with two wordlists in the zip mode, so we can fuzz with pin codes and change the ip address to bypass the ratelimit (FUZ2Z) 17:30 - Logged into the application, discovering the secret parameter which prevents us from tampering with the request 19:45 - Doing type juggling to bypass the tamper detection and finding SQL Injection 20:15 - Extracting information out of the database with union injections with group_concat and concat 26:40 - Nothing interesting in the database, dropping a webshell but first we have to view the nginx config to find where the website is 30:30 - Using the INTO OUTFILE command to write a shell to /srv/altered/public/ 33:55 - Reverse shell returned 35:15 - Explaining some basics around dirty pipe and why people use /etc/passwd 38:50 - Using the DirtyPipe exploit that resets root's password to aaron 39:50 - In order to use the "su" command, we need to beat wordle with a custom dictionary... Failing to play wordle 42:50 - Using a DirtyPipe exploit to overwrite a SetUID Binary, which bypasses our wordle game 45:10 - Extra: Revisiting wordle, but now we have the dictionary it uses, so we can cheat and win the game 49:30 - Extra: Fumbling around in the source code, learning some things but failing to enforce authentication on the GetProfile Endpoint.