HackTheBox - Conceal

Name: HackTheBox - Conceal
Uploaded: 2019-05-18T15:07:10Z
Channel: IppSec
Description: 01:15 - Begin of recon 02:54 - Checking SNMP with snmpwalk 03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted va...

IppSec · Beginner ·🔐 Cybersecurity ·6y ago

01:15 - Begin of recon 02:54 - Checking SNMP with snmpwalk 03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value 04:18 - Getting more SNMP Information with snmp-check 07:35 - Going over UDP Ports discovered by snmp-check 10:55 - Running ike-scan 11:55 - Examining ike-scan results to build a IPSEC Config 13:50 - Installing Strongswan (IPSEC/VPN Program) 14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets 15:30 - Begin configuring /etc/ipsec.conf 20:08 - Starting and debugging ipsec 21:55 - Explaining why we add TCP to strongswan config 24:00 - S…

Watch on YouTube ↗ (saves to browser)

Chapters (31)

1:15 Begin of recon

2:54 Checking SNMP with snmpwalk

3:29 Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decry

4:18 Getting more SNMP Information with snmp-check

7:35 Going over UDP Ports discovered by snmp-check

10:55 Running ike-scan

11:55 Examining ike-scan results to build a IPSEC Config

13:50 Installing Strongswan (IPSEC/VPN Program)

14:19 Adding the PSK Found earlier to /etc/ipsec.secrets

15:30 Begin configuring /etc/ipsec.conf

20:08 Starting and debugging ipsec

21:55 Explaining why we add TCP to strongswan config

24:00 Starting IPSEC, then using NMAP through IPSEC.

25:55 Enumerating SMB Quickly (SMBMap/cme)

26:50 Enumerating FTP, discovering we can upload files

27:20 Checking HTTP, hunting for our uploaded file. Then uploading files that may l

29:44 Grabbing an ASP Webshell from Github/tennc/webshell

32:08 Webshell has been uploaded

32:30 Explaining a weird MTU Issue you *may* run into due to the nested VPN's

35:40 Back to playing with the web shell, getting a reverse shell with Nishang

38:03 Explaining RLWRAP

38:40 whoami /all shows SEImpersonation, so we run JuicyPotato to privesc

44:35 JuicyPotato fails with the default CLSID, changing it up to get it working.

46:30 Doing the box again with Windows

47:15 Setting up the IPSEC Connection through Windows Firewall

50:00 Installing a DotNet C2 (The Covenant)

54:20 Covenant/Elite open, starting a Listener then a Powershell Launcher

1:00:10 Grunt activated. Running Seatbelt, then compiling Watson and reflectively runn

1:05:00 Grabbing the Sandbox Escaper ALPC Privesc

1:08:03 Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed

1:25:35 Box is reverted, trying the ALPC Exploit again

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →