
HackTheBox - LinkVortex
00:00 - Introduction
01:00 - Start of nmap
03:00 - Discovering that the Forgot Password feature lets us enumerate valid emails
04:00 - Using ffuf to enumerate subdomains via virtual host
06:55 - Discovering .git on the dev subdomain, using git-dumper to download the repo
08:20 - Discovering cached files in the .git, one of which has a credential
10:08 - Logged into Ghost, finding the version which shows it's vulnerable to CVE-2023-40028
12:20 - Manually performing the Ghost File Disclosure exploit
15:00 - Using the public exploit script to leak the ghost config which gives us an SSH Credential
18:15 - Going over the clean_symlink.h script we can run with sudo, which is vulnerable in 3 different ways
19:40 - Showing the Command Injection vulnerability, because of how the script did the if/then logic in bash
20:20 - Showing we can bypass the filter by pointing a symlink to another symlink
26:10 - Showing the race condition, where we can change the contents of the symlink after it checks if it is malicious