HackTheBox - Napper

00:00 - Introduction
00:55 - Start of nmap, showing that -vv will cause the output to contain the TTL
04:40 - Checking out the website
05:23 - Doing a VHOST bruteforce to discover the internal domain and discovering credentials on a blog post
07:30 - Checking out the NAPListener blog post, which gives us a way to enumerate for the NAPLISTENER implant
10:30 - Showing the backdoor code to discover how it works
12:30 - Building a DotNet reverse shell and renaming the method to Run, then using Mono (mcs) to compile
14:45 - Converting the DLL to base64 and getting NAPLISTENER to execute it
19:20 - Discovering a draft blog post talking about them getting rid of LAPS and building a custom solution that uses Elastic
24:00 - Setting up a tunnel with Chisel so we can talk to Elastic
25:55 - Using curl to enumerate Elastic
30:20 - Reversing the Golang binary with Ghidra
42:30 - Creating a Golang binary to grab a document (seed), then using search to grab the blob, and decrypting it with AES-CFB
47:30 - Connecting to Elastic, using a proxy
56:00 - Grabbing the seed with the Golang Elastic library
1:03:00 - Grabbing the blob with the Golang Elastic library
1:09:45 - Using the seed to generate our 16-byte key
1:13:53 - Creating a decrypt function
1:16:30 - Getting the plaintext, then using RunasCS to get a reverse shell as the backup user, which is an administrator
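The decrypt step from 1:13:53 onward, as an added Go example that is not IppSec's code and not the code from the box's binary. It assumes the blob pulled from Elastic is base64 text whose first 16 bytes are the CFB IV and the rest is ciphertext, and that the key is already a 16-byte AES-128 key; how the binary turns the seed document into those 16 bytes is the part reversed in the video and is not reproduced here, so the key below is a constructed stand-in. The matching encrypt function exists only so the example runs offline against a constructed blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed inputs for the stand-alone run. On the box the key is derived
// from the seed stored in Elastic; that derivation is an assumption left out
// here and replaced by a fixed 16-byte value.
var (
	sampleKey       = []byte("0123456789abcdef") // assumption: 16-byte AES-128 key
	samplePlaintext = []byte("backup:NotTheRealPassword!")
)

// decryptBlob takes the base64 blob, splits off the leading IV (assumed to be
// one AES block, 16 bytes) and runs AES-CFB decryption over the remainder.
func decryptBlob(key []byte, blobB64 string) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte AES-128 key")
	}
	ct, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, fmt.Errorf("blob is not valid base64: %w", err)
	}
	if len(ct) < aes.BlockSize {
		return nil, errors.New("blob shorter than one AES block: no IV present")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	pt := make([]byte, len(body))
	// CFB is a stream mode: no padding, and no integrity check either.
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, body)
	return pt, nil
}

// encryptBlob is the forward direction under the same assumed layout
// (random IV prepended, then CFB ciphertext, whole thing base64-encoded).
// It is here only to build a sample blob for the decryptor.
func encryptBlob(key, plaintext []byte) (string, error) {
	if len(key) != 16 {
		return "", errors.New("expected a 16-byte AES-128 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	blob, err := encryptBlob(sampleKey, samplePlaintext)
	if err != nil {
		panic(err)
	}
	pt, err := decryptBlob(sampleKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob:      %s\nplaintext: %s\n", blob, pt)

	// Practitioner caveat: with a wrong key CFB does not fail, it just returns
	// garbage, so a bad seed-to-key derivation shows up as unreadable output,
	// never as an error.
	wrong, _ := decryptBlob([]byte("fedcba9876543210"), blob)
	fmt.Printf("wrong key gives plaintext back: %v\n", bytes.Equal(wrong, samplePlaintext))
}
```

The useful check when porting this to the real blob is the length test: if base64-decoding the stored value leaves fewer than 16 bytes, the IV-prepended assumption is wrong and the key material or layout reversed from the binary needs another look. Because CFB carries no authentication, the only signal that the key derivation is right is that the output reads as a credential.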