HackTheBox - Napper

00:00 - Introduction
00:55 - Start of nmap, showing that -vv makes the output include the TTL
04:40 - Checking out the website
05:23 - Doing a VHOST brute force to discover the internal domain, and discovering credentials in a blog post
07:30 - Checking out the NAPLISTENER blog post, which gives us a way to enumerate for the NAPLISTENER implant
10:30 - Walking through the backdoor code to see how it works
12:30 - Building a .NET reverse shell, renaming the method to Run, then compiling it with Mono (mcs)
14:45 - Converting the DLL to base64 and getting NAPLISTENER to load and execute it
19:20 - Discovering a draft blog post about them getting rid of LAPS and building a custom solution that uses Elastic
24:00 - Setting up a tunnel with Chisel so we can talk to Elastic
25:55 - Using curl to enumerate Elastic
30:20 - Reversing the Go binary with Ghidra
42:30 - Writing a Go binary to grab a document (the seed), then using search to grab the blob, and decrypting it with AES-CFB
47:30 - Connecting to Elastic through a proxy
56:00 - Grabbing the seed with the Go Elasticsearch library
1:03:00 - Grabbing the blob with the Go Elasticsearch library
1:09:45 - Using the seed to generate our 16-byte key
1:13:53 - Creating a decrypt function
1:16:30 - Getting the plaintext, then using RunasCs to get a reverse shell as the backup user, which is an administrator
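The decrypt step at 1:13:53 is the part most people get wrong the first time, so here is an added Go example (not code from the video or from the box) of AES-CFB decryption in the shape the outline describes: a 16-byte AES-128 key and a base64 blob whose first 16 bytes are the IV. How the seed is expanded into the key is not described on this page, so the example simply takes the 16-byte key as input; the IV-prefixed blob layout and the sample plaintext are assumptions constructed here so the block runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// decryptCFB decrypts base64(IV || ciphertext) with AES-128-CFB.
// Layout assumption: the first aes.BlockSize bytes of the decoded blob are the IV.
func decryptCFB(key []byte, blobB64 string) (string, error) {
	if len(key) != aes.BlockSize {
		return "", fmt.Errorf("key must be %d bytes for AES-128, got %d", aes.BlockSize, len(key))
	}
	raw, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", fmt.Errorf("blob is not valid base64: %w", err)
	}
	if len(raw) < aes.BlockSize {
		return "", errors.New("blob shorter than one AES block: no room for an IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	// CFB is a stream mode: no padding to strip, ciphertext length == plaintext length.
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// encryptCFB is the inverse, used here only to build a constructed sample blob
// with the same IV-prefixed layout that decryptCFB expects.
func encryptCFB(key []byte, plaintext string) (string, error) {
	if len(key) != aes.BlockSize {
		return "", fmt.Errorf("key must be %d bytes for AES-128, got %d", aes.BlockSize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], []byte(plaintext))
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	key := []byte("0123456789abcdef") // assumed 16-byte key; the real one comes from the seed
	blob, err := encryptCFB(key, "constructed sample password")
	if err != nil {
		panic(err)
	}
	pt, err := decryptCFB(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println(pt)
}
```

One caveat worth remembering when you wire this up against the real blob: CFB gives confidentiality only, no integrity. A wrong key or a wrong IV offset does not produce an error, it produces plausible-looking garbage of the right length, so sanity-check the output (printable ASCII, expected length) before pasting it into RunasCs.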
