01:00 - Begin of intro
02:17 - Examining port 80 and 443
03:15 - Using gobuster to discover directories
04:20 - /remote discovered, nothing to do here
05:25 - /mvc discovered
06:15 - SQL Injection everywhere
09:15 - Attempt to perform union injection on search
10:15 - Having trouble, send to SQLMap look at other places in the applicaiton
12:20 - SQLMap having trouble with search SQL, change to ITEM
16:50 - Attempting XP_CMDSHELL (Fails)
19:50 - Using XP_DIRTREE to read files off SMBShare
23:30 - Use Responder to steal the authentication attempt of XP_DIRTREE
25:00 - Cracking the NetNTLMv2 Hash
26:00 - Logging into /remote with cracked credentials
26:40 - Discovering unifi video is installed, this has a known privesc
29:30 - Attempting to use Meterpreter. (Fail: AV)
32:15 - Grabbing and compiling a DotNet Reverse Shell
35:15 - Actually compiling the reverse shell
38:58 - Using xcopy to copy our reverse shell to the victim
39:00 - Attempting to find Unifi Service name so we can restart it. End up searching registry due to permission issues.
42:10 - Restarting Unifi Service so it executes TaskKill.exe
# Box Done
44:25 - Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows
45:50 - Escaping powershell constrained mode with PSBypassCLM
60:25 - Showing the Powershell History file which contained a hint at Unifi