Scan is a free open-source security tool for modern DevOps teams. With an integrated multi-scanner ased design, Scan can detect various kinds of security

00:00 - Intro
01:10 - Start of nmap and poking at website.  Browser Developer Window shows WebSockets + Hostname
06:50 - Setting up full portscan and gobuster while we poke at the box, to always have recon running
09:10 - Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later)
11:20 - Playing with the websockets in BurpSuite, discovering SQL Injection
21:40 - Creating a python program to aid our SQL Injection
29:15 - SQL Injection: Enumerating information_schema to pull out table information
35:45 - Going back to test our previous ffuf to find out i forgot the header flag
42:00 - Using ffuf to fuzz parameters for the passwordreset php script and trying the token from Sql Injection
44:00 - Enumerating our SQL Users permissions and then including files
49:20 - RelayD configuration shows a new domain crossfit-club.htb, failing to sign up with an account
57:40 - Using grep to extract /api/ endoings from javascript files
1:03:00 - Discover the signup endpoint, only administrators can create…

An in-depth look at Prototype Pollution vulnerabilities and how to mitigate them.

As mentioned in the [first part](https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/) of this series,Oversecured spent two weeks finding security bugs in Samsung’s built-in apps.

I made a web hacking challenge for the Cyber Security Challenge Germany (cscg) 2021.

Grab the files: https://github.com/LiveOverflow/ctf-screenshotter
Cyber Security Challenge Germany: https://www.cscg.de/

00:00 - Introduction to screenshotter app
00:58 - Setup the challenge
01:38 - First overview of functionality
03:07 - Review application architecture
03:51 - The chrome service
04:19 - The main app service
05:07 - Chrome service IP leak
06:22 - The app secret
06:54 - Methodology: go for complex features
09:22 - The flagger/admin service
11:30 - First attack idea: XSS
11:55 - Reviewing flask templates
13:09 - Useless self-XSS?
13:38 - Bypass demo restriction
15:45 - Using the Chrome SSRF?
17:00 - Leak websites of other users
18:31 - THE EXPLOIT!
22:04 - Outro

-=[ ❤️ Support ]=-

→ Support: https://liveoverflow.com/support
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/…

Вам когда-нибудь хотелось странного? Например запустить drozer в docker-контейнере и достучаться с него до эмулятора на том же хосте? Казалось бы задача предельно простая и понятная. Запускаем эмулятор, на нем drozer-agent, пробрасываем порты, заводим контейнер говорим drozer console connect —server <locahost ip> и.... ничего не происходит. При этом если попытаться таким образом подключиться на девайс, который висит на другом ip, то все будет хорошо. Давайте разбираться и чинить. Эта проблема возникает потому…

00:00 - Intro
01:05 - Start of nmap and checking the website
04:10 - Looking at the web console which shows the page making a request to Products-Ajax.php then playing with the parameters
10:05 - If the hash parameter is missing the application errors and leaks the secret key and identifying how it signs
14:00 - Using SQLMaps Eval parameter to automate the secure hash generation (Calculated Parameter Bypass)
19:30 - Logging into the application with a password from the database and discovering a LFI
23:50 - Creating a python script to automate the LFI Exploitation
32:00 - Script done attempting to perform RFI
34:50 - Another Stack Trace, identifying a race condition in their check for examining malicious php files
35:40 - Using SMB to steal the hash of the user running the webserver
40:50 - Exploiting the race condition with inotify to get the server in order to execute our PHP Code
48:40 - Reverse shell returned!  Finding the GoLang Program
53:00 - Opening the binaries in Ghidra (prior to installing the golang…

00:00 - Intro
00:50 - Start of nmap
02:20 - Running GoBuster before we start poking at the site
03:33 - Discover the x-powered-by header says its a weird php version, going to google
04:05 - Finding a blog post about php-8.1.0-dev being backdoored
04:30 - Looking at the backdoor
05:55 - Failing to use the backdoor because of a bad header
08:24 - Finding the issue, the backdoor uses the header User-Agentt (note the two t's)
10:00 - Shell returned
11:25 - Discovering we can run knife with sudo, and finding a GTFOBin

In this blogpost I want to disclose some interesting security issues that I found while researching on Xiaomi's assets, which got me to...

00:00 - Intro, box is playable on HackTheBox!
01:09 - Start of nmap and enumerating the page on port 80
03:45 - Discovering Port 8080
07:00 - Using ffuf to fuzz and discover SSTI
09:50 - Showing wfuzz doesn't need nearly as many parameters
10:30 - Reading up on GoLang SSTI
11:40 - Using GoLang {{ . }} to dump all variables and get password
11:54 - Logging in to get the Source Code and finding the DebugCmd Function
13:00 - Showing RCE through the GoLang SSTI
16:00 - The Docker is an internal docker, showing a bunch of hints towards AWS
17:20 - Using the aws commands to list buckets and upload a webshell via S3
21:30 - Getting a reverse shell
25:00 - Examining the NGINX Configuration -- LocalStack (used for s3) hack to enable authentication
26:26 - The "Command on" flag is for port 8000 in nginx config, googling it to see its a backdoor (NginxExecute)
28:28 - The backdoor isn't working, running strings against the module to see system.run was changed to ippsec.run and getting RCE as root
29:40 - Converting the…