HackTheBox - Conceal

01:15 - Begin of recon 02:54 - Checking SNMP with snmpwalk 03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value 04:18 - Getting more SNMP Information with snmp-check 07:35 - Going over UDP Ports discovered by snmp-check 10:55 - Running ike-scan 11:55 - Examining ike-scan results to build a IPSEC Config 13:50 - Installing Strongswan (IPSEC/VPN Program) 14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets 15:30 - Begin configuring /etc/ipsec.conf 20:08 - Starting and debugging ipsec 21:55 - Explaining why we add TCP to strongswan config 24:00 - Starting IPSEC, then using NMAP through IPSEC. (You may want to run WireShark here and see all traffic is encrypted thanks to ipsec) 25:55 - Enumerating SMB Quickly (SMBMap/cme) 26:50 - Enumerating FTP, discovering we can upload files 27:20 - Checking HTTP, hunting for our uploaded file. Then uploading files that may lead to code execution 29:44 - Grabbing an ASP Webshell from Github/tennc/webshell 32:08 - Webshell has been uploaded 32:30 - Explaining a weird MTU Issue you *may* run into due to the nested VPN's 35:40 - Back to playing with the web shell, getting a reverse shell with Nishang 38:03 - Explaining RLWRAP 38:40 - whoami /all shows SEImpersonation, so we run JuicyPotato to privesc 44:35 - JuicyPotato fails with the default CLSID, changing it up to get it working. 46:30 - Doing the box again with Windows 47:15 - Setting up the IPSEC Connection through Windows Firewall 50:00 - Installing a DotNet C2 (The Covenant) 54:20 - Covenant/Elite open, starting a Listener then a Powershell Launcher 01:00:10 - Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it 01:05:00 - Grabbing the Sandbox Escaper ALPC Privesc 01:08:03 - Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows (bunch of flailing, then reverting the machine) 01:25:35 - Box is reverted, trying the ALPC Exploit again