HackTheBox - CTF


Support me on Patreon! https://patreon.com/ippsec

00:52 - Start of Recon, discovering CentOS Version via HTTPD Version
02:15 - Checking out the HTTP Page
03:32 - Checking out login.php
05:15 - Identifying a Secure Token is used, most likely STOKEN
07:05 - Failing to enumerate usernames through BruteForce
09:45 - Fuzzing the login form with special characters to identify a blacklist
11:45 - Trying Double URL Encoding to bypass the BlackList
12:55 - Explaining Double URL Encoding
14:45 - Discovering this is most likely an LDAP Injection
16:50 - Explaining how an LDAP Query Works
19:15 - Identifying the LDAP Query Structure with a Null Byte
20:40 - Injecting the WildCard (*) to enumerate usernames
24:00 - Using Wfuzz to extract the username
26:00 - Enumerating LDAP Attributes that are utilized
30:26 - Creating a python script to extract the Pager Attribute
41:38 - Script complete, let's extract the token
43:45 - Using STOKEN to generate the OTP and logging in
46:00 - Disabling NTP so we can match the server time
46:44 - Discovery of the second half of the original LDAP Query from the 16-minute mark.
47:33 - Using a Null Byte to remove the GROUP Check.
50:33 - Running Commands
50:25 - Reverse Shell Returned
53:17 - Checking for the LDAP Bind password, then SSHing into the box
55:00 - Going over the /backup directory
58:20 - Using ListFiles to have 7za print out the contents of root.txt

Reviewed by Anonymous on July 20, 2019. Rating: 5