HackTheBox - Nest

00:00 - Intro 01:00 - Showing why we should run NMAP as root or sudo. 04:40 - Running nmap to see only SMB is open, start a full port scan and move on 05:45 - Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore how each program works 08:20 - Running SMBClient to mount the share 09:20 - Installing CIFS-Utils so we can mount SMB and run commands like find against the share 11:30 - Discovering a password, doing a credential spray and getting some odd results 17:20 - Mounting the shares with as TempUser to discover we have access to more files 22:00 - Using iconv to cat a windows text file because it showed a bunch of bad characters 25:00 - Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Directory, we can get into this folder 27:00 - Downloading the source-code to RUScanner in the User share 29:30 - Switching to Windows so we can use Visual Studio to compile the RUScanner application and decrypt the password 32:20 - Dropping the config in bin/debug and setting a breakpoint on the line of code which decrypts the password to view the output 35:55 - Using CrackMapExec to validate these are valid credentials, then exploring the fileshares again 39:50 - Exploring the application on port 4386 and showing why we need to use TELNET and not NC or NETCAT 42:30 - Playing with the various options on port 4386 44:58 - Using SMBClient to mount the Users directory as C.SMITH so we can use "allinfo" to see an ADS (Alternate Data Stream) Exists, then downloading the hidden password 50:00 - Using the custom program on port 4386 and using the DEBUG Options to download the configuration file with an encrypted LDAP Password 52:30 - Using DNSPY to decompile HqkLdap.exe 56:00 - Editing the application to print the password 58:20 - Running HqkLdap to get the decrypted password, which is the administrator password 59:20 - Using psexec to get a shell on the box as the SYSTEM user