HackTheBox - Attended

00:00 - Intro 01:15 - Showing a tmux keybinding to 03:06 - Setting up an IPTables rule to log new connections 05:00 - Using SWAKS to send an email 07:15 - Starting up a python SMTP Server so we can see the email coming back to us 12:23 - Finding a VIM RCE and verifying it works by using ping 16:25 - Testing a python2 web cradle within the VIM Exploit 20:00 - Explaining how our C2 is going to work and why what we are doing it uniquely 23:50 - Quick high level overview of the C2 Program we are creating 24:50 - Start coding the C2 34:20 - Demoing the C2 Keeping the HTTP Request alive until a command is sent 39:00 - Updating our Client/Implant to work with the new C2 41:45 - Updating the Web Cradle with our improved agent and getting a shell as Guly 44:10 - Discovering an SSH Config, updating it to put our web cradle in ProxyCommand to get shell as Freshness 59:15 - Start of analyzing the AuthKeys binary 1:09:10 - Installing OpenBSD 1:15:16 - Getting GEF on OpenBSD to help with reversing 1:17:30 - Back to analyzing the binary, examining the registers after Base64 1:22:10 - Using Pattern Create with a large string to crash the program and find out what registers we control 1:25:50 - Controlling RIP and dealing with an annoying python3 oddity that makes me use Python2 1:31:10 - Start of talking about ROP Chains and looking up the Execve Syscall information 1:32:39 - Comparing OpenBSD to Linux Syscall numbers and realizing why linux segfaulted (different codes!) 1:35:00 - Using Ropper to print gadgets 1:36:30 - Start of RAX Gadget, finding SHR and NOT 1:39:00 - Showing the start of base64 decode is hard coded at a memory address 1:40:52 - Explaining how to create any number with just the NOT and SHR instructions. 1:48:10 - Start of RDI Gadget (movss and cvtss1si) 1:54:40 - Start of creating our exploit program and prove we can set RAX 2:04:15 - Adding the ability to set RDI which requires putting some data on the stack 2:13:30 - Explaining our writing to the stack 2:29:0