00:00 - Introduction
01:00 - Start of nmap
03:30 - Discovering SQLPad
06:20 - Discovering an SSRF in SQLPad when adding connections. Sending to FFUF, using a time filter to show timeouts
10:01 - Finding the SQLPad version (6.10.0), which has a template injection vulnerability, getting a shell
14:25 - Shell returned, extracting the SQLPad database
17:45 - Cracking the shadow file of the Docker container to get Michael's password
21:05 - Shell as Michael, discovering headless Chrome is running, forwarding ports to access it
26:55 - Logging into Froxlor, getting RCE as root by changing PHP-FPM configuration
32:40 - Doing the box the intended way, getting Froxlor Cookie via XSS
44:30 - Changing the Web1 user's password so we can FTP into the box
49:00 - Cracking the KeePass database to get root SSH key