UHC - Pressed

Name: UHC - Pressed
Uploaded: 2022-02-05T21:24:48Z
Channel: IppSec
Description: 00:00 - Intro 01:07 - Running nmap, discovering wordpress 01:40 - Manually looking at the wordpress site, finding a post that has some dynamic content o...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:07 - Running nmap, discovering wordpress 01:40 - Manually looking at the wordpress site, finding a post that has some dynamic content on it... This is weird 03:00 - Attempting to poison the browser table with php/ssti/etc user agents 06:00 - Starting wpscan with enumerating all plugins 08:20 - WPScan found a backup of the configuration file 10:00 - Changing the year on the password of the configuration file and discovering MFA 11:30 - Talking about the "Discover Backup" argument of gobuster, which does find another wp-config.php backup file 13:53 - Explaining what the XMLRPC I…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Intro

1:07 Running nmap, discovering wordpress

1:40 Manually looking at the wordpress site, finding a post that has some dynamic c

3:00 Attempting to poison the browser table with php/ssti/etc user agents

6:00 Starting wpscan with enumerating all plugins

8:20 WPScan found a backup of the configuration file

10:00 Changing the year on the password of the configuration file and discovering MF

11:30 Talking about the "Discover Backup" argument of gobuster, which does find anot

13:53 Explaining what the XMLRPC Interface to wordpress

16:30 Showing the system.listMethods function on the XMLRPC to list all the methods

18:50 Switching over to the Python Wordpress XMLRPC Library to play with this interf

21:35 Showing how to dump users, then examine properties of a user

24:40 Attempting to use this library to upload files, discover we can only upload im

28:15 Dumping the posts, and discovering the table we found earlier was using the ph

33:40 Creating a PHP File that will write another PHP Shell and lock it down to an I

38:40 Had an issue with my webshell, running it locally to discover what the issue w

42:45 Got RCE! However, reverse shells aren't working enumerating the firewall

45:15 Explaining why I am going to use my Forward Shell

46:45 Grabbing my Forward Shell Skeleton code, modifying it and getting RCE

50:00 Forward shell works! That took next to no time and I explained a lot of it

53:20 The date on pkexec is old, it's probably vulnerable. Compiling a POC and uplo

58:00 Another PwnKit method, if I didn't have a Forward Shell having pwnkit chmod /r

1:03:10 Going over the WPScan enumerate all plugins

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →