HackTheBox Response

00:00 - Intro
01:00 - Start of nmap
03:45 - Discovering the /status/ page, which gives us some information on how to use the proxy
13:30 - Start of coding our own proxy
23:30 - Downloading the source code of the chat application
26:45 - Modifying our proxy to forward all requests to chat.response.htb and adding a web server to it
39:00 - Web proxy is up! But we need to rewrite some URLs to send everything through our proxy
42:50 - Adding POST request support
52:00 - POST requests working! We can log in as Guest and talk to Bob over the chat
55:30 - Discovering the login request also sends an LDAP server address, so we can point the login request at an LDAP server we control
59:00 - Using ChatGPT to give us the hex of a successful LDAP bind response, so we can log in after poisoning the LDAP server
1:04:30 - Logged in as admin!
1:06:15 - Building a cross-site protocol forgery payload that connects to the FTP server, and showing it work against ourselves first
1:15:40 - Sending Bob the malicious payload and using FTP on his behalf
1:19:40 - Going over scan.sh
1:25:50 - Doing some LDAP requests to see how it is all set up
1:34:02 - Having scan.sh scan our box by adding our details to the LDAP database
1:37:10 - Setting up an HTTPS server on port 443 so it can scan it
1:39:00 - Using dnsmasq to set up a DNS server on port 8053, and having iptables redirect DNS requests from the target to that port
1:45:00 - Starting an SMTPD server, then creating a malicious certificate so we can exploit the NSE script and extract an SSH key
1:53:00 - Going over the incident report, then looking at the PCAP
1:56:15 - Starting to parse the Meterpreter packets, showing them in Wireshark
2:00:50 - Using Scapy to extract the Meterpreter TCP stream to a file
2:05:30 - Starting a Python script to parse the Meterpreter data
2:10:30 - Extracting the TLVs from unencrypted packets
2:14:13 - Using bulk_extractor, which extracts the AES key from the core dump; it identifies the key via its AES key expansion (round-key schedule)
2:19:30 - Decrypting the TLVs, then adding definitions for the TLV types
2:45:00 - Writing the file to disk
2:49:50 - Discovering a small portion of the SSH private key in a screenshot; after decoding it, we see the q prime in it! Using RsaCtfTool to rebuild the private SSH key
