ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 01:15 - Start of NMAP ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 04:10 - Signing into Zabbix as Guest ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 05:30 - Getting potential usernames from inside Zabbix and guessing creds ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 06:30 - Running Searchsploit and looking for vulnerabilties ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 10:15 - Modifying the "API" Script ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 11:15 - Showing a shortcut to skip the Container to Host Lateral Movement. ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 15:35 - Shell on the Container. ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 17:25 - Searching for Zabbix MySQL Password ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 18:35 - Dumping the Zabbix User Database ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS) ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork) ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 32:40 - Running LinEnum on Zabbix Host ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 35:15 - Examining home directories to find Zapper Creds ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 36:42 - Examining the "Zabbix-Service" SetUID ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 48:30 - Extra Content: Building a Zabbix API Client from Scratch! ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 48:55 - "Pseudo Terminal" Skeleton Script via Cmd module ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 50:00 - Adding Login Functionality ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 56:08 - Making the script login upon starting ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 57:50 - Adding functionality to dump users ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 64:00 - Adding functionality to dump groups ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 65:25 - Adding functionality to add users ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 70:45 - Adding functionality to modify users GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 01:00 - Begin of intro GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 02:17 - Examining port 80 and 443 GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 03:15 - Using gobuster to discover directories GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 04:20 - /remote discovered, nothing to do here GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 05:25 - /mvc discovered GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 06:15 - SQL Injection everywhere GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 09:15 - Attempt to perform union injection on search GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 10:15 - Having trouble, send to SQLMap look at other places in the applicaiton GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 12:20 - SQLMap having trouble with search SQL, change to ITEM GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 16:50 - Attempting XP_CMDSHELL (Fails) GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 19:50 - Using XP_DIRTREE to read files off SMBShare GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 23:30 - Use Responder to steal the authentication attempt of XP_DIRTREE GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 25:00 - Cracking the NetNTLMv2 Hash GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 26:00 - Logging into /remote with cracked credentials GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 26:40 - Discovering unifi video is installed, this has a known privesc GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 29:30 - Attempting to use Meterpreter. (Fail: AV) GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 32:15 - Grabbing and compiling a DotNet Reverse Shell GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 35:15 - Actually compiling the reverse shell GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 38:58 - Using xcopy to copy our reverse shell to the victim GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 39:00 - Attempting to find Unifi Service name so we can restart it. End up searching registry due to permission issues. GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 42:10 - Restarting Unifi Service so it executes TaskKill.exe GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 44:25 - Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 45:50 - Escaping powershell constrained mode with PSBypassCLM GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 60:25 - Showing the Powershell History file which contained a hint at Unifi YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 01:30 - Begin of Recon YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 02:25 - Enumerating OpenBSD Patch Date via SSH Version YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 04:00 - Examining port 80... Use Wireshark to see why NMAP gets a response but firefox does not YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 06:30 - Invalid Requests, will cause HTTP Service to send error message YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 07:00 - Using ldapsearch to enumerate ldap, use wireshark to see how the nmap script works YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 21:30 - Using SMBMap to PassTheHash and enumerate fileshares and download Putty Key YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 23:20 - Using PuttyGen to convert Putty Key to an RSA Key YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 24:55 - Testing out ssh_enumusers to see if that would have worked to get valid usernames YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 26:30 - Logged in as Alice, use LinEnum YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 28:40 - Examining doas configuration (like Sudo -l) YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 30:00 - Examining HTTPD Configuration to see why we couldn't hit the webserver earlier YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 32:30 - Examining SSHD Configuration to see SSH is configured to allow CA Signed Keys YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 34:40 - Getting hashes from SSH Keys to know what publics go to which privates YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 37:00 - Playing with the SSHAUTH webservice to enumerate what principals go to which users YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 41:45 - Signing a SSH Key using DoAs to sign a key with the root Principal YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 45:30 - Testing the key, explaining how this all works YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 47:30 - Unintended privesc, Xorg exploit LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 00:39 - Basic Web Page Discovery LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 03:30 - Examining Cookies - Pt1 (Burp Sequencer) LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 05:05 - Fuzzing Usernames (2nd Order SQL Injection) LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 07:15 - Examining Cookies - Pt2 LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 07:40 - Cookie Bitflip LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 12:45 - Oracle Padding Attack - Pt1 LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 15:30 - Rooting the Box LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 22:50 - Oracle Padding Attack - Pt2 HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 01:00 - Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 03:50 - Checking FTP Server for hidden files HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 08:20 - Creating a bunch of files varying in length to narrow likely ciphers down. HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 14:35 - Encrypting all of the above files and checking their file sizes HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 22:45 - Decrypting file, obtaining a password HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 24:25 - Begin looking at Drupal, running Droopescan HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 25:12 - Manually examining Drupal, finding a way to enumerate usernames HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 28:15 - Logging into Drupal with Admin. HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 32:30 - Reverse Shell Returned HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 37:00 - Hunting for passwords in Drupal Configuration HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed) HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console. HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 51:45 - Logging into H2 by using a non-existent database, then testing code execution HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service. HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 59:50 - Reverted box, cleaning up environment then getting reverse shell HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 62:45 - Discovering could have logged into the database with Drupal Database Creds. POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 00:25 - TMUX and Connecting to HTB POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 02:00 - Virtual Host Routing Explanation POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 02:40 - File Enumeration (Dirb) POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 03:59 - Discover of Web App POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 05:45 - Starting SQLMap in the Background POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 09:30 - Uploading a PHP Shell POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 14:01 - Python PTY Reverse Shell (Tab Autocomplete!) POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 19:25 - MOTD Root (Method 1) POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 23:50 - Dirtyc0w Root (Method 2) CRONOS | https://www.youtube.com/embed/CYeVUmOar3I ^ HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 01:45 - GoBuster HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 04:40 - Exploiting exposed.php HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 11:40 - Getting Shell HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 20:09 - Screen Privesc OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 1:38 - Go to HTTPFileServer OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 2:56 - Explanation of Vulnerability OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 4:49 - Testing the Exploit OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 6:25 - Getting rev tcp shell with Nishang OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 11:54 - Shell returned OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 13:15 - Finding exploits with Sherlock OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 15:15 - Using Empire Module without Empire for Privesc OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 21:00 - Start of doing the box with Metasploit OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 22:36 - Reverse Shell Returned (x32) OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 24:45 - MSF Error during PrivEsc OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 25:35 - Reverse Shell Returned (x64) OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 26:19 - Same PrivEsc as earlier, different result OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 28:47 - Examining how Rejetto MSF Module works with Burp SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 01:05 - Begin of recon SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 02:45 - Checking out the website SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 03:50 - Using wfuzz to enumerate usernames SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 05:45 - Logging in with an account we created SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 07:23 - Checking out Change Password and noticing it does this poorly SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 09:25 - Using the contact form, to see if tyler will follow links SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 14:14 - Changing Tyler's password by sending him to the ChangePassword Page SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 15:00 - Logged in and find SMB Share with credentials. SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 16:15 - Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver. SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 17:48 - Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 19:15 - Downloading netcat for windows to use as a Reverse Shell SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 21:14 - Playing with Bash on Windows SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 22:35 - Finding the administrator password in ~/.bash_history SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 23:45 - Alternate way to find the .bash_history file SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 25:36 - Unintended way to bypass the CSRF. SQL Injection + bad Static Code analysis FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 01:15 - Begin of Recon FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 04:25 - Bruteforcing valid users FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 11:15 - Manually finding SQL Injection FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 13:13 - Using --string with SQLMap to aid Boolean Detection FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling] FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 18:35 - Attempting Wget Exploit with FTP Redirection (failed) FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 26:39 - Exploiting wget's maximum file length FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 33:30 - Reverse Shell Returned FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 36:19 - Linux Priv Checking Enum FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 41:00 - Checking web crap for passwords FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 44:00 - Grabbing the screenshot of tty FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 49:00 - Privesc via Yossi being in Disk Group (debugfs) FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 50:15 - Grabbing ssh root key off /dev/sda1 FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll) FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 67:42 - Manually exploiting the SQL Injection! with Python OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 00:45 - Pulling up Web Page. OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 01:10 - Searchsploit OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 02:40 - Enumerating Version (Download Versions, Hash Static Files) OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 08:20 - Default cred /backend -- Upload Shell OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 09:51 - User Reverse Shell OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 12:10 - Transfering file over nc OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 14:45 - Begin "fuzzing" Binary OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 16:15 - GDB Analysis OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 18:46 - Get a full reverse shell with tab autocomplete. OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 19:00 - Showing ASLR changing address OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 20:20 - Disable ASLR on Exploit Dev Machine OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 21:15 - Start of exploit development for ovrflw binary (Pattner_Create) OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 27:27 - Start of Return to LibC attack - Getting Addresses OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 37:20 - Grabbing memory locations off October Machine OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 41:00 - Convert script to Bruteforce ASLR BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 01:15 - Begin Recon with Reconnoitre BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 03:15 - Examining findings from Reconnoitre BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 06:50 - Decompiling java Jar Files with JAD BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 08:18 - Using JD-GUI BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 10:33 - Running WPScan BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 12:10 - Manually enumerating wordpress users BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 12:43 - SSH To the box and PrivEsc BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 15:30 - Rabbit hole, gaining access through FTP BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 17:09 - Finding Wordpress DB Password BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 20:10 - Generating a PHP Password for Wordpress BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 21:50 - Gaining code execution with Wordpress Admin access BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 25:40 - Shell as www-data BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF) DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 00:40 - Begin of the box DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 03:20 - Checking the HTTP Ports out DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 04:38 - Using wfuzz to bruteforce a login on port 80 DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 08:15 - Begin examining port 8080, use wfuzz to bruteforce a cookie DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 11:30 - Using wfuzz to enumerate the WAF and determine bad characters DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 14:40 - Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost. DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 16:50 - Begin examining port 11211 (MemCache) DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 18:00 - Dumping data from Memcache DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 23:50 - Using CVE-2018-15473 to enumerate valid users over SSH DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 27:35 - Cracking the users hash and logging into the box DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 29:00 - Using R2 to analyzing rabbit hole application "try_harder" DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 33:30 - Going through LinEnum DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 38:30 - Using r2 to examine myexec to find password DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 40:13 - Using r2 to examine libseclogin.so DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 41:30 - Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 42:10 - Creating a malicious library to hijack seclogin() DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 45:10 - Lets bypass the login by hijacking printf() NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 01:50 - Start of Recon NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 04:58 - documents and secret rabbit hole enumeration NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 08:13 - Using wfuzz on the secret rabbit hole to find argument for download.php NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 13:40 - Begin of Web Application Enumeration, some XSS Found NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 18:23 - Throwing bad characters in username and finding Second-Order SQL Injection. NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 23:50 - Begin of Union Injection to dump the database via second order sql injection NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing) NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 53:00 - Converting 64-Bit SFTP Exploit to 32-Bit NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 71:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 82:55 - Reversing SLS binary with Radare2 (r2) NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 107:53 - Exploiting SLS Binary with new line character (Get to Decoder User) NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 111:47 - Begin of Kernel Exploitation (CVE-2017-1000112) NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 116:00 - Kernel Exploit Compiled (silly mistake before) NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 119:52 - Creating a new lsb-release file so exploit can identify kernel NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 127:03 - Recap of Box NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 129:56 - Creating a Tamper Script to do Second-Order SQL Injection ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 01:10 - Begin of recon ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 03:00 - Poking at DNS - Nothing really important. ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 04:00 - Examining what NMAP Scripts are ran. ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 06:35 - Lets just try out smbclient to list shares available ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 07:25 - Using SMBMap to show the same thing, a great recon tool! ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 08:30 - Pillaging the Replication Share with SMBMap ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 09:20 - Discovering Groups.xml and then decrypting passwords from it ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 13:10 - Dumping Active Directory users from linux with Impacket GetADUsers ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 16:28 - Using SMBMap with our user credentials to look for more shares ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 18:25 - Switching to Windows to run BloodHound against the domain ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 26:00 - Analyzing BloodHound Output to discover Kerberostable user ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 27:25 - Performing Kerberoast attack from linux with Impacket GetUsersSPNs ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 29:00 - Cracking tgs 23 with Hashcat ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 30:00 - Getting root on the box via PSEXEC WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 01:15 - Begin of Recon WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 02:00 - Looking at what Filtered means in Nmap WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 05:00 - Start of looking at webpage (GoBuster) WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 06:30 - Manual HTTP Enumeration WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 09:50 - Start of exploiting with BurpSuite WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 17:00 - SSH Key Found, logging in with nobody WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 19:12 - Discovering a second SSH Server WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 23:36 - Using the same SSH Key to login to the second SSH Server as monitor WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 24:38 - Escaping rBash by modifying an executable file in our current $PATH WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 28:13 - Running LinEnum.sh to search for PrivEscs WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 30:50 - Enabling ThoroughTests in LinEnum to see what else it will check WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 36:30 - Looking into capabilities permission sin linux WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 39:00 - Begin of second way to escape rBash and setup a SSH Tunnel for fun NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 00:00 - Intro NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 01:58 - Begin Recon (NMAP) NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 04:19 - GoBuster HTTP + HTTPS NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 06:35 - Accessing Pages NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 07:05 - Using Hydra against HTTP + HTTPS Web Forms NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 11:30 - Logging into HTTP and hunting for vulns NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 17:00 - Second Hydra attempt against HTTPS NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 17:57 - Logging into HTTPS (phpLiteAdmin) NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 20:17 - Chaining Exploits to get Code Execution NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 26:38 - Reverse Shell Returned NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 28:00 - LinEnum.sh Script Review NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 31:30 - Watching for new Processes NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 37:00 - Found the error in script :) NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 39:30 - Getting reverse root shell NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 41:51 - Intended Route to get User NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 46:12 - Reviewing Knockd configuration NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 49:33 - Doing the PortKnock JOKER |https://www.youtube.com/embed/5wyvpJa9LdU ^ 00:27 - Port Enumeration JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 02:54 - UDP Port Review JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 03:40 - TFTP Enumeration JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 06:30 - Cracking Squid PW JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 08:00 - FoxyProxy Setup JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 09:45 - Burp Setup JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 14:45 - Running Commands JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 21:20 - Reverse Shell JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 22:30 - PrivEsc to Alekos #1 JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 28:00 - PrivEsc to Alekos #2 JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 30:37 - Root #1 (SymLink) JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 30:48 - Root #2 (Tar Checkpoint) JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 44:45 - Root #3 (Remove Development) ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:00 - Intro ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:12 - Enumerate with nmap ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:40 - Going to the webpage ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 01:50 - Using SearchSploit to find ColdFusion Exploits ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 02:40 - Attempt to exploit through MSF. Debug why it failed. ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 03:50 - Setting up a Burp Redirect listener ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 04:55 - Examining request send by MSF Exploit ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 06:35 - Getting a reverse shell ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 07:50 - Using Unicorn to create a Powershell Meterpreter Loa der ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 11:35 - Reverseshell returned ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 12:10 - Using the MSF post module local_exploit_suggestor ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 15:29 - Privesc via MS10-092 MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 00:49 - Nmap MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 01:31 - Examining some odd behavior. Nmap different result than browser. MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 04:00 - Getting to /admin and testing for Zone Transfer MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 05:40 - Testing SSH Default Raspberry Pi Creds MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 06:11 - Escalate to root 'sudo su' MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 07:10 - Recovering the deleted root.txt MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 08:38 - GrepFu MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 10:40 - Downloading /dev/sdb via SSH MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 12:48 - Running Binwalk against it MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 13:18 - Trying to recover with TestDisk MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 14:37 - Trying to recover with PhotoRec VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 00:25 - Start of Recon, identifying end of life OS from nmap VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 03:20 - Running vulnerability scripts in nmap to discover heartbleed VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 04:16 - Going to the HTTP Page to see what it looks like VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 06:30 - Begin of Heartbleed - Grabbing Python Module VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 07:13 - Explaining Heartbleed -- XKCD ftw VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 10:15 - Explaining and running the exploit VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 13:40 - Exporting large chunks of memory by running in a loop VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 14:10 - Finding an encrypted SSH Key on the server VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 15:35 - Examining heartbleed output to discover SSH Key Password VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 17:45 - SSH as low priv user returned VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 21:55 - Finding a writable tmux socket to hijack session and find a root shell VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 23:50 - Alternative Privesc, DirtyC0w BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 1:35 - Method 1: LFI + Password BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 16:03 - Method 2: Turning LFI into RCE BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 37:46 - Method 3: Code exec via call BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 54:00 - Method 4: Shellshock BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 0:20 - Recon BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 3:40 - Start of WP Hacking BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 10:30 - Logged into WP BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 15:00 - Login to SuperSecretForum BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 25:00 - Cracking the SSH Key BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 27:15 - Begin of getting root.txt (RSA Cracking) EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 00:24 - Recon with Sparta EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 02:00 - Enumerating SSL Certificate EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 03:55 - Manually View SSL Certificate EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 04:35 - VirtualHostRouting Explanation EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 07:42 - SQL Injection - Auth Bypass EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 13:00 - Dumping the Database with SQLMap EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 16:45 - Begin of Web Exploit (Regex //e) EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 23:00 - Getting a Shell EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 27:10 - Begin PrivEsc (CronJob) NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 00:18 - Start of Recon NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 01:15 - Finding hidden directory via Source NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 02:15 - Downloading NibbleBlog to help us with finding version information NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 03:59 - Identifying what vresion of NibblesBlog is running NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 04:42 - Using SearchSploit to find vulnerabilities NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 05:36 - Examining the Exploit NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 06:08 - Explanation of exploit NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 07:25 - Attempting to find valid usernames for NibblesBlog NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 09:13 - Finding usernames in /content/private NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 10:15 - Using Hydra to attempt to bruteforce NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 14:08 - Oh crap. Hydra not good idea we're blocked... NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 15:40 - Using SSH Proxies to hit nibbles from another box (Falafel) NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 18:20 - Guessing the password NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 20:10 - Logged in, lets attempt our exploit! NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 22:46 - Code Execution achieved. Lets get a reverse shell NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 24:53 - Reverse shell returned. NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 26:00 - Running sudo -l examine sudoer, then finding out why sudo took forever to return NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 26:50 - Privesc via bad sudo rules NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 32:10 - Alternative PrivEsc via RationalLove NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 00:45 - Begin of NMAP NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 03:00 - GoBuster (Fails) NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 08:15 - Screw GoBuster, BurpSpider FTW NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 09:12 - Examing Routes File to find more pages NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 10:10 - Finding Credentials and downloading backup NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 14:45 - Cracking the zip with fcrackzip NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 16:45 - Finding more credentials (SSH) within MongoSource NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 21:50 - Privesc to Tom User NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 35:04 - Analyzing Backup Binary File NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 36:49 - Using strace to find binary password NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 40:25 - Finding blacklisted characters/words NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 50:00 - Unintended method one, abusing CWD NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 52:20 - Unintended method two, wildcards to bypass blacklist NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 54:45 - Unintended method three, command injection via new line NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 59:15 - Intended root Buffer Overflow ASLR Brute Force ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 01:26 - Start of Recon ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 03:25 - Notice SSH configured for Pub Key Only. Hint at what to grab later! ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 03:50 - Grabbing test.txt off ftp server via anonymous auth ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 04:07 - Determining if I want to go down the "Exploit VSFTPD" rabbit hole ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 05:54 - Viewing test.txt and hosts.php ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 06:48 - Figuring out how hosts.php works and discovering XXE ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 08:58 - Start of XXE Discovery ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 10:16 - Making the XXE Output /etc/passwd ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 11:33 - Encoding output in Base64 in order to view PHP Files ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 12:58 - Using Burp Intruder to BruteForce Files ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 16:20 - Creating a program to bruteforce home directories ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 26:41 - Program Finished. Finding SSH ID_RSA Key ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 28:15 - Low Priv Access Granted ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 30:24 - LinEnum.sh shows Wordpress CHMOD'd to 777 ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 31:05 - Examining Wordpress Site (big hint left by author) ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 32:10 - Enumerating MySQL Database ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 35:15 - Giving up on MySQL, lets edit PHP Files to dump passwords! ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 36:50 - Identifying the file we want to backdoor ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 37:51 - Placing our PHP Code ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 42:06 - Got the password! REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 08:20 - NODE-RED: Reverse Shell Returned REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 15:30 - NODE-RED: Running IP and Port Scans to identify lateral movement targets REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 24:29 - Downloading Chisel (Go Program for Tunnels). REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 25:00 - Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb! REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 27:00 - PowerPoint: Explaining Reverse Pivot Tunnel using Chisel REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 31:25 - WWW: Tunnel online, examining the website REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 34:23 - Full Port Scan to 172.19.0.2, discover REDIS REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 36:30 - Searching for ways to execute code against REDIS REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 38:07 - Using REDIS to create a PHP Shell REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 41:06 - PowerPoint: Explaining Local Pivot Tunnel using Chisel REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 44:30 - WWW: Reverse Shell Returned REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 45:45 - Notice wildcard used with RSYNC, go search GTFOBins REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 51:32 - Abusing the wildcard within RSYNC REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 57:23 - WWW: Got Root, but no flag... Lets go look at RSYNC again. REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 60:15 - Explaining how to tunnel from Backup - WWW - NODE-RED - Kali REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 77:50 - Getting reverse shell on BACKUP via uploading CronJob through rsync REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 80:30 - BACKUP: Reverse Shell Returned... No root.txt here either!? REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 86:30 - BACKUP: Noticing this is has /dev/sda*, where other dockers do not REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 88:15 - BACKUP: Dropping a cronjob on root disk to get shell on the host REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 90:45 - ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 00:42 - Begin of Nmap REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 04:23 - Examining the anonymous FTP Directory and discovering email addresses in Meta Data REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 06:50 - Manually enumerating valid email addresses via SMTP REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 10:50 - Creating a "Canary Document" in Word to ping back to our server when a word document is opened REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 13:14 - Generating a malicious RTF Document (CVE-2017-0199) REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 26:28 - Shell Returned. Enumerating the AppLocker Policy REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 32:53 - Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 35:22 - Lets forget we had Tom and run Bloodhound from Nico! REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 40:30 - First time opening BloodHound on this box. REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 49:45 - Lets update Bloodhound, looks like some data is missing and there were errors when running it REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 53:25 - Finding a path from Nico to BACKUP_ADMINS and explaining AD Security Objects (GenericWrite, WriteOwner,etc) REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 58:23 - Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 61:40 - Adding Herman to the Backup_Admins group REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 64:30 - Finding the Administrator Password within backup scripts. REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 67:00 - Attempting to run Watson (ends up not working) REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 83:22 - Using Metasploit to do the box REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 85:42 - Since Watson failed, lets just look at last patch times on the box to get an idea whats vulnerable. REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 87:19 - Attempting to do the ALPC Exploit within Metasploit REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 91:00 - That failed - Lets just prove the box is vulnerable, by overwriting a DLL FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 01:16 - Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 04:04 - Using nc/ncat to verify a port is open (-zv) FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 11:17 - Doing gobuster across man of the sub directories FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 13:03 - Examining /admin/ - Examine the HTML Source because login is not sending any data FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 14:09 - Discover some weird text encoding (Ook), how I went about decoding it FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 15:44 - Decoded to base64 with some spaces, clean up the base64 and are left with a zip file FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 19:19 - After cracking the zip, there is another text encoding challenge (BrainF*) FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 25:11 - With potential information, return to our long running recon for more information FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 28:49 - Discovering /playsms FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 32:00 - Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 34:34 - Getting a reverse shell FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 39:00 - Running LinEnum.sh FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 40:00 - Finding the SetUID file: rop FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 42:00 - Exploiting ROP Program with ret2libc FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 45:30 - Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 50:34 - Running our exploit to get root shell FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 54:00 - Begin of recovering rop.c source code FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 56:41 - Recreating rop.c then compiling FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 59:44 - Copying the physical disk to our local box via SSH and DD FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 01:01:44 - Using PhotoRec to restore files and finding rop.c ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 00:50 - Begin of Recon, Downloading FTP and inspecting websites ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 10:23 - Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 11:30 - Sending MD5Hashes to VirusTotal to get file age ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 15:45 - Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 21:00 - Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 25:45 - Using nslookup to exfil the results of commands executed. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 33:15 - Creating Python Script to automate exploitaiton of this program. Using Scapy, BeutifulSoup, and Requests. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 55:23 - Script working! Now to make the output a bit more pretty using tokens to sepereate spaces ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:02:00 - Running commands to get interesting information about the page ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:05:20 - Enumerating the Firewall via netsh ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:09:10 - Using OpenSSL to get a reverse shell on windows ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:17:25 - Reverse shell returned. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:19:40 - Creating a malicious shortcut via powershell ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:22:40 - Using OpenSSL To transfer files ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:28:00 - Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:32:30 - Creating and signing a malicious MSI with WiX. ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:48:15 - First attempt failed, creating a less complicated MSI File by just having it execute our shortcut ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:53:00 - Getting reverse shell as SYSTEM - Cannot read EFS Files ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:55:20 - Having our MSI not run as SYSTEM by changing impersonation in WiX ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:58:30 - Shell as Rupal returned. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 00:56 - Start of recon, use Bootstrap XSL Script to make nmap pretty POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 03:10 - Looking at nmap in web browser POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 03:52 - Navigating to the web page, and testing all the pages. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 06:25 - Testing for LFI POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 07:00 - Using PHP Filters to view the contents of php file through LFI (Local File Inclusion) POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 08:40 - Testing for RFI (Remote File Inclusion) [not vuln] POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 10:00 - Code Execution via LFI + phpinfo() POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 14:45 - Modifying the PHP-LFI Script code to get it working POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 17:10 - Debugging the script to see why tmp_name couldn't be found POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 20:12 - Shell returned! POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 21:25 - Looking at pwdbackup.txt and decoding 13 times to get password. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 23:37 - SSH into the box (Do not privesc right away!) POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 24:29 - Getting shell via Log Poisoning POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 26:39 - Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50) POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 28:47 - Begin of PrivEsc, grabbing secret.zip off POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 32:38 - Searching for processes running as root, find VNC POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 33:49 - Setting up SSH Tunnels without exiting SSH Session. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 37:43 - Something weird happend... Setting up SSH Tunnels manually. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 40:10 - PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 41:40 - Decrypting the VNC Password because we can. POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 42:50 - Examining the log file to see why our Log Poison Failed, then doing the Log Poison MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 01:20 - Begin of NMAP MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 02:30 - Extra nmaps, SNMP and AllPorts MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 04:00 - Playing with OneSixtyOne (SNMP BruteForce) MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 07:00 - Looking at SNMPWalk Output MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 08:40 - Installing SNMP Mibs so SMPWalk is readable MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 10:05 - Accessing the box over Link Local IPv6 Address MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 14:00 - Looking at Por 3366 (Website), getting PW from SNMP Info MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 17:50 - Getting IPv6 Routable Address via SNMP MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 19:20 - NMAP the IPv6 Address MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 21:00 - Accessing the page over IPv6 MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 23:00 - Getting output from the command execution page MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 24:55 - Viewing Credentials Files and accessing the box via SSH MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 29:00 - Examining why loki cannot use /bin/su (getfacl) MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 31:00 - Getting a shell as www-data MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 38;10 - Finding the root.txt file from using find command to search for files by date MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 40:30 - Extra content, reading files via ICMP CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 01:18 - Begin of Recon CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 04:55 - Start of aChat buffer Overflow: Finding the exploit script with Searchsploit CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 07:24 - Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 09:42 - Correction: Payload Size wrong, should be 3,xxx -- look at "Payload Size" I accidentally highlighted the size of the python file. CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 14:30 - Whoops, erased too much out of POC. Lets correctly replace the shellcode this time and get a shell. CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 17:50 - Running PowerUp to find AutoLogon Credentials CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 20:05 - Running Code as Administrator CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 24:18 - First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work. CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 27:30 - Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 33:12 - Summary of the box CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 34:37 - Doing the box with Metasaploit, Warning: Lots of fails. CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 43:10 - Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445 CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 51:25 - Doing the box with Empire ! CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 58:20 - Using Empire's Run_As module to execute commands as Administrator SOLIDSTATE | https://www.youtube.com/embed/_QapCUx55Xk ^ OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 01:30 - Begin of Recon, nmap filtered explanation OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 03:30 - Begin of initial DNSRecon, hunting for a domain name OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 06:04 - Web page enumeration, finding xdebug in header OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 09:47 - Installing xdebug plugin in Chrome to show its use OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 12:50 - Getting a reverse shell on the first docker (Icarus) OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 15:00 - Setting up nginx to accept files uploaded over HTTP / WebDav OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 20:30 - Examining the Wireless Capture from Icarus OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 21:30 - Cracking WPA with aircrack / hashcat OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 25:00 - Decrypting WPA traffic in Wireshark OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 27:50 - Enumerating valid usernames via SSH (CVE-2018-15473) OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 33:15 - SSH into port 2222 with information from Wireless Capture OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 34:40 - Domain Name found! Time to do a DNS Zone Transfer OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 36:15 - Port Knocking to open up port 22 OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 40:05 - PrivEsc to root via being a member of the Docker Group OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 00:50 - Start of the box OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 05:30 - Attempting GoBuster but wildcard response gives issue OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 07:40 - Start of doing wfuzz to find content OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 10:38 - Manually testing SQLInjection OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 13:07 - Running SQLMap and telling it exactly where the injection is OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 16:04 - Manually extracting files with the SQL Injection OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 19:50 - Cracking the hash with hashcat OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 25:00 - Start of examining the custom webapp, playing with Template Injection OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 27:00 - Explaining a way to enumerate language behind a webapp OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 35:17 - Reverse Shell returned on first Docker Container OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 38:00 - Examining SQL Database OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 39:40 - Doing the Port Knock to open up SSH OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 43:50 - Gain a foothold on the host of the docker container via ssh OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 46:00 - Identifying containers running OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 50:10 - Creating SSH Port Forwards without exiting SSH Session then NMAP through SSH OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 55:11 - Begin looking into Portainer, finding a weak API Endpoint OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 59:00 - Start of creating a container in portainer that can access the root file system OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 68:25 - Changing sudoers so dorthy can privesc to root OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 69:50 - Lets go back and create a python script to play with SQL Injection BASHED | https://www.youtube.com/embed/2DqdPcbYcy8 ^ TENTEN | https://www.youtube.com/embed/A4U3xiRWfsU ^ ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 01:00 - Begin of recon ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 10:00 - Finding the vulnerable Wordpress Plugin ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 17:50 - Exploiting lcars plugin ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 28:30 - Logging into WP and Getting Reverse Shell ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 35:00 - Wordpress RevShell Returned ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 40:00 - Using Meterpreter to pivot and provide access to MySQL ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 50:00 - MySQL Shell Returned ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 52:00 - Logging into Joomla and Getting Reverse Shell ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 57:20 - Joomla Reverse Shell returned ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 59:00 - Getting Reverse Shell on Host OS (port 443) ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 62:00 - Shell Returned begin of local privesc recon ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 72:06 - Beginning of Binary Exploitation ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 81:00 - Start writing exploit script ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 88:30 - Analyzing the PHP SQL Injection Scripts ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 96:30 - Viewing what SQLMap does to exploit this ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 100:00 - Stepping through Double Query Injection ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 107:20 - Writing our own SQL Injection Exploit Script BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 00:38 - Begin of recon BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 001:48 - Gobuster, using -x aspx to find aspx pages BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 003:16 - Playing with a file upload form, seeing what can be uploaded BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 005:15 - Using Burp Intruder to automate checking file extensions BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 007:00 - Finding a way to execute code from file upload in ASPX (web.config) BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 010:55 - Executing code via web.config file upload BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 013:08 - Installing Merlin to be our C2 BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 015:25 - Compiling the Merlin Windows Agent BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 018:37 - Modifying web.config to upload and execute merlin BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 021:14 - Merlin Shell returned! BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 024:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 027:44 - Getting Admin via Juicy Potato BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 029:44 - Box completed BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 030:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 033:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 034:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 036:45 - Metasploit Session Returned! Checking local_exploit_suggester BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 040:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 040:30 - Getting Admin via MS10-092 BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 042:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host #PivotProblems) BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 047:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 00:43 - Start of Recon, nmap and poking around the website CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 04:00 - Dirbusting a site that always respond 200 CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common) CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 10:48 - Discovery of .git - Poking around to clone it and download CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 15:10 - Downloaded .git, examining commit history CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 19:50 - Start of Pickle Talk CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 21:25 - Begin writing of the pickle exploit CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 28:45 - Return of Reverse Shell as www-data CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 32:30 - Begin looking into CouchDB CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 34:00 - Poking around at documents within CouchDB CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 36:15 - Examining first exploit with creating a CouchDB User CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 39:50 - Exploring the passwords database with our newly created admin user and finding Homers Password. CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 42:00 - Getting root with sudo pip install CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 45:55 - Box Done. Begin second unintended way to get to Homer User CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 47:03 - Playing with the public RCE Exploit for CouchDB CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 48:20 - Running the exploit CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 49:36 - Examining the exploit, doing each step manually to see where it fails CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this work? CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 55:55 - Digging into how erlang works CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 57:30 - Finding default CouchDB Cookie CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 59:10 - Connecting to the Erlang pool then searching for how to run commands. CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 61:54 - Exploring how to send long commands as distributed task CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 64:30 - Getting reverse shell FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available" FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:14:25 - Testing Union Injections for easy exfil of data FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:15:50 - Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:19:30 - Some valuable recon/information in debugging our SQL queries. Noticing small things really helps. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:34:40 - Start of making a program to give us a command shell. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 69:40 - Explaining the program we just created. Then fix a small bug. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 72:45 - Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 77:10 - Return of 32-bit PowerShell... Identifying we can append data to c:\users\decoder\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 92:40 - Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 64-bit Shell as Decoder returned! FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 95:30 - Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorial... FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 102:18 - Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 107:25 - Looking at the binaries in Ida64 Free FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 111:14 - Explaining what's happening and then writing a script to bypass the password check. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 115:35 - Start of unintended way (Juicy Potato) FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 118:10 - Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 126:10 - Start of modifying JuicyPotato to accept uppercase arguments. FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 130:14 - Finding a vulnerable CLSID to get JuicyPotato working FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 148:25 - Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check. SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 01:00 - Nmap SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 02:23 - Examining the Web Page SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 04:08 - GoBuster SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 04:53 - Finding /uploads/ Directory SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 05:50 - Finding /secret_area_51/ Directory SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 06:20 - Using Audacity to find Steg in Audio SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 08:50 - FTP With Creds revealed from Steg SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 10:06 - Examining files downloaded from FTP SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 12:43 - Finding decryption key + blob SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 14:33 - Using Python seccure to decrypt ecc SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 16:05 - SSH Into Shrek as SEC SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 16:35 - Farquad Rabbit Hole SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 17:42 - Incident Response : Finding files modified between two times SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 20:47 - What is /usr/src/thoughts.txt? SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 21:45 - Privesc through cron running: chown * STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 01:11 - Begin of recon STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 03:48 - Manually checking the page out STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 04:30 - Discovering the webserver is java/tomcact STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 05:35 - Starting up GoBuster / Hydra STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 09:40 - The Directory /Monitoring was found - Discovering its Struts because of .action STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 11:00 - Stumbling upon an exploit trying to find out how to enumerate Struts Versions STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 14:10 - Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 21:10 - Using a HTTP Forward Shell to get around the strict firewall STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 22:40 - Go here if you want to start copying the Forward Shell Script STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 23:34 - Explaining how it works STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 25:10 - Explaining the code STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 31:06 - Forward Shell Returned - Enumerating Database to find creds STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 37:29 - Examining User.py STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 40:15 - Privesc: Abusing Python's Path to load a malicious library and sudo user.py CRONOS | https://www.youtube.com/embed/CYeVUmOar3I ^ RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 08:10 - Attempting to enumerate users of OWA-2010 (Fails) RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 14:10 - Checking out Joomla Version (/administrator/manifets/files/joomla.xml) RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 15:50 - Using SearchSploit with (Complain Management System) RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 19:38 - Register Account, Login, Verify/Play with SQL Union Injection RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 23:30 - Enumerating SQL Injection with SQLMap RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 29:18 - Going back to MSF/OWA_LOGIN and testing credentials. RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 32:15 - Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 36:20 - Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw) RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 40:18 - Compiling Merlin (like MSF/Empire) RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 48:40 - Sending the email and waiting. RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 50:20 - Merlin call back, Switch to Powershell Nishang to get a interactive shell RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 54:30 - Running PowerUp to find we are an Administrator RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 56:56 - Running JAWS to do some more Windows Enumeration RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 63:04 - Found an odd scheduled task "System Maintenance" RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 66:03 - Attempting to write a php shell to HTTPD RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 72:30 - Frusterated creating a PHP Script... Switch to the SCHTask Privesc RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 78:20 - Uhh. Testing if echo is somehow breaking .bat/.php files RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 91:50 - Going back to test PHP to verify it just didn't like echo. JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 00:45 - Introduction, nmap JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 01:30 - Clicking around in Tomcat JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 02:20 - Playing around with HTTP Authentication JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 05:45 - Bruteforcing tomcat default creds with Hydra and seclists JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 08:20 - Sending hydra through a proxy to examine what is happening JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 12:50 - Logging into tomcat and using msfvenom + metasploit to upload a malicious war file JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 22:42 - Begin of doing this box without MSF JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 23:45 - Downloading a cmd jsp shell and making a malicious war file JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 26:25 - WebShell returned JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 28:00 - Begin of installing SilentTrinity JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 30:55 - SilentyTrinity Started, starting listener and generating a payload JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 33:00 - Pasting the payload into the webshell JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 34:00 - Debugging SSL Handshake errors JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 37:00 - Starting SilentTrinity back up, how to use modules JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 39:10 - Start of Execute-Assembly, compiling Watson JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 43:10 - Running Watson JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 43:30 - Start of Seatbelt and debugging why some dotNet code may not run (versioning issues) TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 01:10 - Begin of recon TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 03:00 - Discovery of Wordpress and fixing broken links with burp TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 06:50 - Start of WPScan TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 07:14 - Start of poking at Monstra, (Rabbit Hole) TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 13:05 - Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 16:30 - Reverse shell returned as www-data TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 18:08 - Confirming monstra was read-only TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 18:50 - Running LinEnum.sh to see www-data can run tar via sudo TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 20:30 - Use GTFOBins to find a way to execute code with Tar TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 24:10 - Examining backuperer script TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 26:00 - Hunting for vulnerabilities in Backuperer TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 32:15 - Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 34:20 - Begin of exploiting the backuperer service by exploiting intregrity check TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 36:40 - Creating our 32-bit setuid binary TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 39:16 - Replacing backup tar, with our malicious one. (File Owner of Shell is wrong) TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 40:54 - Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 42:30 - Exploiting the Backuperer Service via SetUID! TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 01:02 - Going over NMAP DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 02:00 - Anonymous FTP + File Upload DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 04:30 - MSFVenom DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 07:20 - Metasploit DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 10:00 - Exploit Suggestor DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 11:30 - Getting Root BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 00:38 - Start of Recon BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 01:20 - Finding NMAP Scripts (Probably a stupid way) BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 02:00 - Running Safe Scripts - Not -sC, which is default. BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 02:52 - Listing NMAP Script Categories (Prob a really stupid way) BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 03:18 - Really Cool Grep (Only show matching -oP) BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 04:40 - Nmap Safe Script Output BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 06:30 - Exploiting MS17-010 with MSF BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 07:40 - Setting up Dev Branch of Empire BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 09:07 - Starting a Listener BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 10:55 - Getting a PowerShell Oneliner to launch payload BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 12:16 - Invoke-Expression (IEX) to Execute Launcher BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 13:25 - Interacting with a single agent BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 13:40 - Using Modules - PowerUp Invoke-AllChecks BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 14:40 - Fixing weird issue with PS Module BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 16:15 - Invoke-AllChecks finished BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 17:15 - Loading PS Modules into Memory BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 17:40 - Executing funcitons out of above module BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 18:20 - Why I don't pass to MSF via InjectShellcode BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 22:45 - How I pass from Empire to MSF (Unicorn + IEX) BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 25:53 - Just running Powershell CMDs from Empire (Shell) DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 01:00 - Start of Recon DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 02:15 - TFTP Enumeration - Identifying configuration and OS information DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 06:32 - Finding a path to code execution DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 07:17 - Examining PSExec Metasploit Module DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 08:55 - Using irb within metasploit to print a powershell payload DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 12:30 - Examining PsExec() DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 15:40 - Examining native_upload DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 18:10 - Examining mof_upload DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 20:34 - Using irb within metasploit to print the MOF File DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 22:35 - Quick explanation of MOF Files DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 25:05 - Modifying the MOF to run NetCat DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 27:30 - Uploading nc to the target DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 28:50 - Uploading the malicious MOF File and getting a shell! DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 29:50 - Using Streams to view Hidden text within ADS DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 33:08 - Start of Bonus Content, finging a TFTP Exploit that uses MOF DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 35:05 - Attempting to use distrinct_ftp_traversal against DropZone DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 36:30 - Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 40:50 - Testing out pry.byebug DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 42:30 - Finding why the exploit module didn't work DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 44:50 - Module still doesn't work, TFTP Stopping mid transfer DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 49:30 - Whoops, changed the delay on the wrong timeout DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 51:00 - Meterpreter Shell returned, showing off the extended API and some WMI Commands. CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 00:58 - Begin of Recon CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 03:00 - Looking at the web application and finding the Serialized Cookie CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 04:38 - Googling for Node JS Deserialization Exploits CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 06:30 - Start of building our payload CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 09:10 - Moving our serialized object to "Name", hoping to get to read stdout CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE) CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 13:25 - Failing to convert an object (stdout) to string. CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 14:02 - Verifying code execution via ping CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 15:32 - Code execution verified, gaining a shell CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 18:49 - Reverse shell returned, running LinEnum.sh CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 21:26 - Examining logs to find the Cron Job running as root CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 22:09 - Privesc by placing a python root shell in script.py CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 24:15 - Going back and getting a shell with NodeJSShell JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 01:19 - Begin of Enumeration JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 04:15 - Avoiding the Rabbit Hole on port 80 (IIS) JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 06:00 - Begin of Jenkins JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 09:00 - Using Jenkins Script Console (Groovy) to gain code execution JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 12:00 - Reverse TCP Shell via Nishang JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 17:00 - Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens) JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 22:20 - Powersploit's Invoke-AllChecks completes JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 24:20 - Finding Keepass Database using Impack-SMBServer to transfer files JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 27:00 - Cracking the KeePass Database JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 30:20 - Using KeePass2 to open database JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 34:25 - PassTheHash via pth-winexe to gain administrator shell JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS) JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 39:00 - Using RottenPotato to escalate to root via MSF JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 41:00 - Using Unicorn to gain a reverse MSF SHell JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 45:20 - Performing the attack JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 48:00 - Impersonating Token to gain root BASTARD | https://www.youtube.com/embed/lP-E5vmZNC0 ^ JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 00:52 - Recon - NMAP JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 04:05 - Recon - Getting Linux Distro JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 04:35 - Recon - GoBuster JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 05:40 - Analyzing Jail.c source JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 09:45 - Begin Binary Exploitation JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 15:10 - Verify Buffer Overflow JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 17:35 - Create Exploit Skeleton JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 20:50 - Finding EIP Overwrite JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 23:02 - Adding Reverse TCP Shellcode JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 30:15 - Switching to "Socket Re-Use" Shellcode JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 32:20 - Shell Returned JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 34:00 - NFSv3 Privesc Begin JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 40:15 - Begin incorrectly playing with SetUID JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 43:10 - SELinux Escape JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 45:25 - Using SELinux Escape to copy SSH Key JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 48:55 - Logging in as Frank JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 50:00 - Privesc to adm (sudo rvim) JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 51:44 - Begin of finding a way to root JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 55:58 - Begin cracking rar file JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 57:18 - Using Hashcat to generate custom wordlist JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 60:40 - Cracking with JohnTheRipper JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 62:30 - RsaCtfTool to exploit weak SSH Pub Key JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 63:36 - Login as root with SSH Private Key JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 64:11 - EXTRA CONTENT: Alternative Privesc to ADM (NFS) JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 65:21 - Creating a directory to give other users NFS Write access JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 67:30 - Correct way to do SetUID Program JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 71:04 - Using SetUID Programs to write to disk MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 00:40 - Begin of Recon MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 04:00 - Start of GoBuster MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 05:40 - Finding a SSRF MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 09:00 - Passing arguments to cmd.aspx via SSRF MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 12:05 - Firewall Enumeration MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 16:35 - Begin of setting up ICMP Reverse Shell MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 22:25 - Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail) MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 46:31 - Return of ICMP Rev Shell MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 52:20 - PrivEsc form IIS to Decoder MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 71:15 - Unzipping via Powershell MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 74:05 - Finding Administrator password hidden in NTFS File Stream MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 76:30 - Using Net Use to mount C: As Administrator MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 79:30 - Using IDA to analyze root.exe and grab the flag (Misses last character of hash) MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 84:15 - Using Invoke Command to execute root.exe as admin (Lots of Fail) MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 92:52 - Opening up the Firewall then just using RDP to gain access SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 01:20 - Star of Recon SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 03:40 - GoBuster SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 04:45 - Getting banned and Pivoting to verify SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 10:20 - Logging into PFSense SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 16:50 - Manually Exploiting PFsense SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 38:30 - Using Metasploit to exploit SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 42:00 - Creating a Bruteforce Script in Python ( CSRF ) SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 01:08 - Start of Recon (NetDiscover/Masscan/Nmap) SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 05:37 - Finding the CGI Script and using Shellshock SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 10:00 - Start creating ShellShock python script SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 16:08 - Converting script "Forward Shell" for FW Evasion with mkfifo SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 40:00 - Adding Threading (Background Task) to improve script SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 45:00 - Script completed - Attempt to enumerate FW Rules SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 49:00 - Fumbling around with IPv6 (Check out Sneaky Video for more) SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 53:25 - Reverse shell via IPv6 and ncat SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 01:05:00 - Reading Bynarr's mail to get password and PrivEsc via LIME/Memory Dump SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 67:20 - Unintended PrivEsc via ShellShock + Environment Variables SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 78:20 - Begin of MITM (Man in the Middle) First with Ettercap SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 84:19 - Installing Bettercap2 + Usage SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 93:40 - Spoofing ARP and DNS with BetterCap SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 101:11 - Privesc to root via Git on case-insensitive FS SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 113:30 - Woot root, lets take a look at the IPTable FW SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 116:00 - Explaining the exploit a bit better ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 00:23 - Explaining VM Layout ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 01:47 - Nmap Start ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 05:20 - Poking at Virtual Host Routing (Beehive & Calvin) ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 10:25 - Fixing GoBuster to find /cgi-bin/ ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 11:48 - Enumerating WAF (Web Application Firewall), to see how it detects Shellshock ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 15:08 - Using VirtualHostRouting to navigate to Calvin.htb.htb ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 18:15 - Using ImageTragick to exploit Calvin ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 25:30 - Calvin Reverse shell returned ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 31:35 - Poking at /common, which allows pivot to Bastion Host ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 34:20 - SSH into the Bastion Host ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 38:45 - Explain SSH Local and Remote Port Forwarding ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 46:00 - Beehive Reverse Shell Returned ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 50:00 - Finding the root password via /common/containers/bastion-live/Dockerfile ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 54:50 - PrivEsc via Docker (much like the LXC shown in Calamity) ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 57:05 - Getting root access to filesystem ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 58:10 - Failing to get root shell via Crontab ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 66:20 - Yeah screw crontab, lets just create an ssh key. FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 02:08 - Begin of Recon FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 14:00 - XXE Detection on Fulcrum API FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 17:40 - XXE Get Files FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 23:40 - XXE File Retrieval Working FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 47:28 - Shell Returned + Go Over LinEnum FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 56:49 - Finding WebUser's Password and using WinRM to pivot FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 66:00 - Getting Shell via WinRM, finding LDAP Credentials FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 74:00 - Using PowerView to Enumerate AD Users FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 87:06 - Start of getting a Shell on FILE (TroubleShooting FW) FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 95:35 - Getting shell over TCP/53 on FILE FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 97:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 118:10 - Troubleshooting the error correctly and getting Domain Admin! FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 123:54 - Begin of unintended method (Rooting the initial Linux Hop) FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 129:54 - Root Exploit Found FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 132:25 - Mounting the VMDK Files and accessing AD. CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 1:30 - Rabbit Hole - Searching for SuperCMS CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 6:23 - Running enumeration in the background (GoBuster) CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 7:40 - Rabbit Hole - SQLMap Blog SinglePost.php CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 12:04 - Finding PHP Files in /cmsdata/ (GoBuster) CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 12:53 - Manual Identification of SQL Injection CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 15:50 - SQL Injection Explanation CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 17:20 - Rabbit Hole - Starting SQLMap in the Background CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 18:10 - SQL Union Injection Explanation CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 19:30 - Identifying "Bad/Filtered Words" in SQL Injection CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 21:02 - SQL Union Finding number of items returned CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 21:48 - Returning data from Union Injection CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 22:48 - SQL Concat Explanation CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 23:55 - Enumerating SQL Databases Explanation (Information_Schema) CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 25:46 - Returning Database, Table, Columns from Information_Schema CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 29:30 - Scripting to dump all columns CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 36:45 - Listing of columns in SuperCMS CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 37:15 - Dumping User Credentials CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 41:36 - Logging in and exploiting SuperCMS CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 47:00 - Return of reverse shell CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 48:40 - Transfering small files from shell to my machine CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 50:56 - Using RsaCtfTool to decrypt contents with weak public key CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 52:52 - Breaking weak RSA manually CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 61:20 - Begin PrivEsc to Root CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 62:40 - Transering large files with NC CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 63:50 - Analyzing SuperShell with BinaryNinja (Paid) CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 66:04 - Analyzing SuperShell with Radare2 (Free) CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 68:22 - Exploiting SuperShell CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 72:46 - Encore. Getting a Root Shell with SetUID Binary INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 01:05 - Start of Recon + Finding dompdf INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 08:30 - PHP Wrappers + Failed testing for RCE INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 11:35 - Writing Python Program to automate file disclosure bug INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 18:40 - Finding WebDav Configuration + Uploading Files for RCE INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 25:50 - Modifying Sokar's Forward Shell (PTY over HTTP) INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 33:55 - Forward shell returned INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 38:50 - Using Squid to pivot to ports listening locally + NMAP via ProxyChains INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 47:48 - Getting nmap on Inception to speed up scanning private network INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 59:16 - Nmap results returned for 192.168.0.1, FTP Anonymous Login INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 61:15 - Finding TFTP as a Running Service INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 66:35 - Using TFTP to grab crontab & creating a pre-invoke apt script MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 01:20 - Start of nmap MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 03:22 - Poking at a rabbit hole (8080) MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 08:08 - GoBuster to find hidden directory MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 09:50 - Finding SQL Creds in hidden directory MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 13:40 - Using dbeaver to enumerate database MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 16:50 - Impacket-PSExec to Admin MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 19:00 - Proving James is not an Admin MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 20:35 - Using MSF to Enable Remote Desktop to do Incident Response MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 27:00 - Start of Remote Desktop Looking at Event Log + Active Directory MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 31:00 - Installing Sysmon to get better logs MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 36:15 - Looking at Sysmon Logs MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 42:20 - Proving the PrivEsc was due to Impacket-PSExec not cleaning up MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 48:00 - Using Forensics to get Service Creation Date MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 53:30 - Finding a HTB User creating a Git Issue to Impacket (LOL) MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 55:10 - Intended Route - Forging a Kerberos Ticket MS14-068 MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 71:00 - Explaining why the unintended route probably got created APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 01:26 - Enumeration Start APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 02:58 - WPScan Start APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 05:40 - Directory Scanning with GoBuster APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 10:54 - Examining WPScan Output APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 13:40 - Bruteforcing with WPScan APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 14:40 - Bruteforcing HTTP Post with Hydra APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 18:30 - Edit WP Theme to get Code Execution APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 22:09 - Return of Reverse Shell APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 26:25 - Privelege Escalation Word Writeable Passwd FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 01:25 - Begin of recon FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 02:20 - Wiresharking NMAP to identify fingerprint FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 05:53 - Checking the WebPage FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 09:15 - Finding /sync and why web browser has a 403 FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 12:45 - Using wfuzz to find what arguments /sync takes FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 15:45 - The actual wfuzz command FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 20:30 - Finding Bad Characters with wfuzz FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 24:51 - Getting command execution FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 32:00 - Getting a reverse shell FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 43:40 - Privesc to root abusing custom script FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 47:48 - Examining how NGINX/OpenResty was configured SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 00:00 - Intro SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 00:44 - Recon + Web Enum SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 01:33 - SQL Injection SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 05:30 - Start of IPv6 Talk SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 06:30 - What is an IPv6 IP Address? SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 11:27 - Types of IPv6 Addresses SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 14:06 - IPv6 Subnetting Explained SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 21:20 - End of IPv6 Primer, Exploit time! SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 22:43 - Method 1: Getting MAC and calculating fe80 SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 30:30 - Method 2: Enumerating Networks by pinging Multicast SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 33:56 - Extra: Getting Windows to respond from Multicast Ping SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 38:07 - Extra: NMAP Scanning ipv6 local networks SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 40:15 - Convert RPM to DEB (Needed for install nmap on tenten) SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 41:30 - Intended Solution: Getting IPv6 via SNMP SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 43:58 - No SNMP MIB Output SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 45:58 - Getting SNMP MIBS Installed and Configured SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 47:52 - Tool: Enyx - SNMPv6 Enumeration via Python SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 50:44 - Privesc Enumeration SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 52:49 - Buffer Overflow SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 01:30 - Begin of recon SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 03:15 - Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool) SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 08:45 - Bruteforcing the SID with ODAT SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 10:15 - Holy crap, this is slow lets also do it with Metasploit SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 13:00 - Bruteforcing valid logins with ODAT SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 16:00 - Credentials returned, logging into Oracle with SQLPlus as SysDBA SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 19:00 - Reading files from disk via Oracle SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 23:20 - Writing files to disk from Oracle. Testing it in WebRoot Directory SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 25:52 - File Written, lets write an ASPX WebShell to the Server SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 29:10 - WebShell Working! Lets get a Reverse Shell SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 31:28 - Reverse Shell Returned SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 32:24 - Finding a DropBox link, but password doesn't display well. SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 33:55 - Attempting to copy file via SMB to view UTF8 Text SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 35:18 - That didn't work, lets transfer the file by encoding it in Base64. SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 36:55 - Got the password lets download the dump! SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 39:10 - Begin of Volatility SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 45:20 - Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM! SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 47:35 - Begin of unintended way, examining odat and uploading an meterpreter exe SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 50:30 - Using odat externaltable to execute meterpreter and get a system shell! SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 52:20 - Examining odat verbosity flag to see what commands it runs and try to learn. BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 05:20 - Explanation of Virtual Host Routing BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 09:50 - Developers name exposed in HTML Source, also discover /monitor BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to understand CSRF and write an automated bruteforcer BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 16:33 - Discover of Internal-01.bart.htb BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 19:17 - Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php) BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 29:34 - Finally got Hydra to return the password! BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 32:20 - Log Poisoning + LFI = Remote Code Execution BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 37:30 - Return of Reverse Shell BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 41:30 - Why you should check if you're a 32-bit process on a 64-bit machine BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D: BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 63:40 - ARGH! Lets try to use this account via Empire BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 71:00 - Bring out the big guns, it's Metasploit Time! BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 78:10 - Alright, lets poke a hole in the firewall and connect over SMB! BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 81:17 - Failed to PSExec in MSF BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 81:40 - Found Impacket-PSExec! And it works! BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 83:45 - Lets go hunt for creds! BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 95:23 - Cracking Salted Hashes with Hashcat (Sha265.Salt) CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 01:28 - Begin of recon CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 02:20 - GoBuster CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 03:30 - admin.php discovered, finding the pw CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 04:50 - Getting Code Execution CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 07:45 - Finding out why Reverse Shells weren't working CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 09:45 - Getting a reverse shell by renaming nc CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 11:30 - Transfering files via nc CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 14:00 - Opening the wav file CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 16:25 - Using audiodiff to identify differences in sound CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 17:05 - The next step, why is the same song there twice? CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 19:25 - Importing files into Audacity and Inverting CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 22:25 - Attempting to exploit the process blacklist CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 24:25 - Unintended root LXC Background CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 28:30 - Creating an Alpine LXC CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 30:40 - Importing the image into lxc CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 32:00 - Creating the container CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 32:40 - Adding the host drive to container CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 34:20 - Starting the container and entering it CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 35:05 - Examining the Process Blacklist script CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 35:54 - Running through the exploit again on a Ubuntu Host

IppsecTribute V1.1

It doesn't matter whether you're a nooby or a seasoned Pentester, we all love Ippsec's videos and we all can learn a lot from them!
Here is a simple way to search for keywords (like sql, gobuster, tftp, Burp, Impacket, etc etc) thru all of his videos.
The search is not case sensitive, so just give it a try :)
EDIT: you can get the full page here . I try to keep the page updated, but if you like you can of course just download it and run it locally :)