01:15 - Begin of recon
02:54 - Checking SNMP with snmpwalk
03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value
04:18 - Getting more SNMP Information with snmp-check
07:35 - Going over UDP Ports discovered by snmp-check
10:55 - Running ike-scan
11:55 - Examining ike-scan results to build an IPSEC Config
13:50 - Installing Strongswan (IPSEC/VPN Program)
14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets
15:30 - Begin configuring /etc/ipsec.conf
20:08 - Starting and debugging ipsec
21:55 - Explaining why we add TCP to strongswan config
24:00 - Starting IPSEC, then using Nmap through IPSEC
(You may want to run Wireshark here to see that all traffic is encrypted thanks to IPSEC)
25:55 - Enumerating SMB Quickly (SMBMap/cme)
26:50 - Enumerating FTP, discovering we can upload files
27:20 - Checking HTTP, hunting for our uploaded file. Then uploading files that may lead to code execution
29:44 - Grabbing an ASP Webshell from GitHub (tennc/webshell)
32:08 - Webshell has been uploaded
32:30 - Explaining a weird MTU Issue you may run into due to the nested VPNs
35:40 - Back to playing with the web shell, getting a reverse shell with Nishang
38:03 - Explaining RLWRAP
38:40 - whoami /all shows SeImpersonatePrivilege, so we run JuicyPotato to privesc
44:35 - JuicyPotato fails with the default CLSID, changing it up to get it working
46:30 - Doing the box again with Windows
47:15 - Setting up the IPSEC Connection through Windows Firewall
50:00 - Installing a DotNet C2 (The Covenant)
54:20 - Covenant/Elite open, starting a Listener then a PowerShell Launcher
01:00:10 - Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it
01:05:00 - Grabbing the Sandbox Escaper ALPC Privesc
01:08:03 - Being lazy and compiling a CPP Rev Shell in Linux because it wasn’t installed on Windows
(bunch of flailing, then reverting the machine)
01:25:35 - Box is reverted, trying the ALPC Exploit again