HackTheBox - Vault

01:08 - Begin of Recon 03:08 - Begin of GoBustering 07:15 - Discovery of an image upload script 08:39 - Attempting to bypass the upload filter 12:46 - Reverse Shell to ubuntu Returned. Examining Web Source 15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost 19:27 - Resume of poking around the host, discover passwords and other hosts in /home 23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo) 24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop. 27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN 28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web. 32:55 - Machine reverted, getting back to where I started. 34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box. 36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports. 38:58 - Exploring the DNS Server box. 39:26 - Finding a password in /home/dave/ssh 40:15 - Discovering Vault's IP Address in /etc/hosts 41:20 - Perfoming a NMAP on the vault box, discover two ports closed 41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987 43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6 49:47 - How to set the source port with SSH via ncat 50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03 51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu 54:45 - The file has been copied, using gpg to decrypt the file. 55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC 57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine. 57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key 58:00 - Editing grub to get a root shel