HackTheBox - Ethereal


00:50 - Beginning of Recon, Downloading FTP and inspecting websites
10:23 - Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP
11:30 - Sending MD5 hashes to VirusTotal to get file age
15:45 - Downloading PasswordBox source code to examine pbox.dat and discover a password manager.
21:00 - Using Hydra to try to brute-force ethereal.htb:8080, finding blind command injection in the page by running various ping commands, but with no way to view output.
25:45 - Using nslookup to exfil the results of commands executed.
33:15 - Creating Python script to automate exploitation of this program. Using Scapy, BeautifulSoup, and Requests.
55:23 - Script working! Now to make the output a bit more pretty using tokens to separate spaces
01:02:00 - Running commands to get interesting information about the page
01:05:20 - Enumerating the Firewall via netsh
01:09:10 - Using OpenSSL to get a reverse shell on Windows
01:17:25 - Reverse shell returned.
01:19:40 - Creating a malicious shortcut via powershell
01:22:40 - Using OpenSSL to transfer files
01:28:00 - Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier
01:32:30 - Creating and signing a malicious MSI with WiX.
01:48:15 - First attempt failed, creating a less complicated MSI file by just having it execute our shortcut
01:53:00 - Getting reverse shell as SYSTEM - Cannot read EFS Files
01:55:20 - Having our MSI not run as SYSTEM by changing impersonation in WiX
01:58:30 - Shell as Rupal returned.

Reviewed by Anonymous on March 09, 2019. Rating: 5