ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 01:15 - Start of NMAP
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 04:10 - Signing into Zabbix as Guest
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 05:30 - Getting potential usernames from inside Zabbix and guessing creds
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 06:30 - Running Searchsploit and looking for vulnerabilities
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 10:15 - Modifying the "API" Script
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 11:15 - Showing a shortcut to skip the Container to Host Lateral Movement.
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 15:35 - Shell on the Container.
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 17:25 - Searching for Zabbix MySQL Password
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 18:35 - Dumping the Zabbix User Database
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork)
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 32:40 - Running LinEnum on Zabbix Host
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 35:15 - Examining home directories to find Zapper Creds
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 36:42 - Examining the "Zabbix-Service" SetUID
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 48:30 - Extra Content: Building a Zabbix API Client from Scratch!
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 48:55 - "Pseudo Terminal" Skeleton Script via Cmd module
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 50:00 - Adding Login Functionality
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 56:08 - Making the script login upon starting
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 57:50 - Adding functionality to dump users
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 64:00 - Adding functionality to dump groups
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 65:25 - Adding functionality to add users
ZIPPER | https://www.youtube.com/embed/RLvFwiDK_F8 ^ 70:45 - Adding functionality to modify users
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 01:00 - Begin of intro
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 02:17 - Examining port 80 and 443
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 03:15 - Using gobuster to discover directories
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 04:20 - /remote discovered, nothing to do here
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 05:25 - /mvc discovered
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 06:15 - SQL Injection everywhere
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 09:15 - Attempt to perform union injection on search
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 10:15 - Having trouble, send to SQLMap, look at other places in the application
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 12:20 - SQLMap having trouble with search SQL, change to ITEM
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 16:50 - Attempting XP_CMDSHELL (Fails)
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 19:50 - Using XP_DIRTREE to read files off SMBShare
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 23:30 - Use Responder to steal the authentication attempt of XP_DIRTREE
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 25:00 - Cracking the NetNTLMv2 Hash
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 26:00 - Logging into /remote with cracked credentials
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 26:40 - Discovering unifi video is installed, this has a known privesc
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 29:30 - Attempting to use Meterpreter. (Fail: AV)
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 32:15 - Grabbing and compiling a DotNet Reverse Shell
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 35:15 - Actually compiling the reverse shell
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 38:58 - Using xcopy to copy our reverse shell to the victim
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 39:00 - Attempting to find Unifi Service name so we can restart it. End up searching registry due to permission issues.
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 42:10 - Restarting Unifi Service so it executes TaskKill.exe
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 44:25 - Start of AppLocker Bypass by copying executable into a directory under Windows
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 45:50 - Escaping powershell constrained mode with PSBypassCLM
GIDDY | https://www.youtube.com/embed/J2unwbMQvUo ^ 60:25 - Showing the Powershell History file which contained a hint at Unifi
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 01:30 - Begin of Recon
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 02:25 - Enumerating OpenBSD Patch Date via SSH Version
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 04:00 - Examining port 80... Use Wireshark to see why NMAP gets a response but firefox does not
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 06:30 - Invalid Requests, will cause HTTP Service to send error message
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 07:00 - Using ldapsearch to enumerate ldap, use wireshark to see how the nmap script works
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 21:30 - Using SMBMap to PassTheHash and enumerate fileshares and download Putty Key
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 23:20 - Using PuttyGen to convert Putty Key to an RSA Key
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 24:55 - Testing out ssh_enumusers to see if that would have worked to get valid usernames
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 26:30 - Logged in as Alice, use LinEnum
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 28:40 - Examining doas configuration (like Sudo -l)
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 30:00 - Examining HTTPD Configuration to see why we couldn't hit the webserver earlier
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 32:30 - Examining SSHD Configuration to see SSH is configured to allow CA Signed Keys
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 34:40 - Getting hashes from SSH Keys to know what publics go to which privates
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 37:00 - Playing with the SSHAUTH webservice to enumerate what principals go to which users
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 41:45 - Signing a SSH Key using DoAs to sign a key with the root Principal
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 45:30 - Testing the key, explaining how this all works
YPUFFY | https://www.youtube.com/embed/UoB-J-eDvrg ^ 47:30 - Unintended privesc, Xorg exploit
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 00:39 - Basic Web Page Discovery
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 03:30 - Examining Cookies - Pt1 (Burp Sequencer)
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 05:05 - Fuzzing Usernames (2nd Order SQL Injection)
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 07:15 - Examining Cookies - Pt2
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 07:40 - Cookie Bitflip
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 12:45 - Oracle Padding Attack - Pt1
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 15:30 - Rooting the Box
LAZY | https://www.youtube.com/embed/3VxZNflJqsw ^ 22:50 - Oracle Padding Attack - Pt2
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 01:00 - Begin nmap, discover FTP, Drupal, H2, and it's Ubuntu Beaver
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 03:50 - Checking FTP Server for hidden files
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 08:20 - Creating a bunch of files varying in length to narrow likely ciphers down.
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 14:35 - Encrypting all of the above files and checking their file sizes
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 22:45 - Decrypting file, obtaining a password
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 24:25 - Begin looking at Drupal, running Droopescan
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 25:12 - Manually examining Drupal, finding a way to enumerate usernames
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 28:15 - Logging into Drupal with Admin.
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 32:30 - Reverse Shell Returned
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 37:00 - Hunting for passwords in Drupal Configuration
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed)
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 51:45 - Logging into H2 by using a non-existent database, then testing code execution
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 59:50 - Reverted box, cleaning up environment then getting reverse shell
HAWK | https://www.youtube.com/embed/UGd9JE1ZXUI ^ 62:45 - Discovering could have logged into the database with Drupal Database Creds.
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 00:25 - TMUX and Connecting to HTB
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 02:00 - Virtual Host Routing Explanation
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 02:40 - File Enumeration (Dirb)
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 03:59 - Discovery of Web App
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 05:45 - Starting SQLMap in the Background
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 09:30 - Uploading a PHP Shell
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 14:01 - Python PTY Reverse Shell (Tab Autocomplete!)
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 19:25 - MOTD Root (Method 1)
POPCORN | https://www.youtube.com/embed/NMGsnPSm8iw ^ 23:50 - Dirtyc0w Root (Method 2)
CRONOS | https://www.youtube.com/embed/CYeVUmOar3I ^
HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 01:45 - GoBuster
HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 04:40 - Exploiting exposed.php
HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 11:40 - Getting Shell
HAIRCUT | https://www.youtube.com/embed/9ZXG1qb8lUI ^ 20:09 - Screen Privesc
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 1:38 - Go to HTTPFileServer
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 2:56 - Explanation of Vulnerability
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 4:49 - Testing the Exploit
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 6:25 - Getting rev tcp shell with Nishang
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 11:54 - Shell returned
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 13:15 - Finding exploits with Sherlock
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 15:15 - Using Empire Module without Empire for Privesc
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 21:00 - Start of doing the box with Metasploit
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 22:36 - Reverse Shell Returned (x32)
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 24:45 - MSF Error during PrivEsc
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 25:35 - Reverse Shell Returned (x64)
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 26:19 - Same PrivEsc as earlier, different result
OPTIMUM | https://www.youtube.com/embed/kWTnVBIpNsE ^ 28:47 - Examining how Rejetto MSF Module works with Burp
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 01:05 - Begin of recon
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 02:45 - Checking out the website
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 03:50 - Using wfuzz to enumerate usernames
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 05:45 - Logging in with an account we created
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 07:23 - Checking out Change Password and noticing it does this poorly
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 09:25 - Using the contact form, to see if tyler will follow links
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 14:14 - Changing Tyler's password by sending him to the ChangePassword Page
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 15:00 - Logged in and find SMB Share with credentials.
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 16:15 - Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver.
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 17:48 - Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 19:15 - Downloading netcat for windows to use as a Reverse Shell
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 21:14 - Playing with Bash on Windows
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 22:35 - Finding the administrator password in ~/.bash_history
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 23:45 - Alternate way to find the .bash_history file
SECNOTES | https://www.youtube.com/embed/PJXb2pK8K84 ^ 25:36 - Unintended way to bypass the CSRF. SQL Injection + bad Static Code analysis
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 01:15 - Begin of Recon
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 04:25 - Bruteforcing valid users
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 11:15 - Manually finding SQL Injection
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 13:13 - Using --string with SQLMap to aid Boolean Detection
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 18:35 - Attempting Wget Exploit with FTP Redirection (failed)
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 26:39 - Exploiting wget's maximum file length
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 33:30 - Reverse Shell Returned
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 36:19 - Linux Priv Checking Enum
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 41:00 - Checking web crap for passwords
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 44:00 - Grabbing the screenshot of tty
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 49:00 - Privesc via Yossi being in Disk Group (debugfs)
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 50:15 - Grabbing ssh root key off /dev/sda1
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 52:15 - Attempting RationalLove (Fails, apparently machine got patched so notes were wrong /troll)
FALAFEL | https://www.youtube.com/embed/CUbWpteTfio ^ 67:42 - Manually exploiting the SQL Injection! with Python
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 00:45 - Pulling up Web Page.
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 01:10 - Searchsploit
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 02:40 - Enumerating Version (Download Versions, Hash Static Files)
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 08:20 - Default cred /backend -- Upload Shell
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 09:51 - User Reverse Shell
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 12:10 - Transferring file over nc
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 14:45 - Begin "fuzzing" Binary
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 16:15 - GDB Analysis
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 18:46 - Get a full reverse shell with tab autocomplete.
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 19:00 - Showing ASLR changing address
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 20:20 - Disable ASLR on Exploit Dev Machine
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 21:15 - Start of exploit development for ovrflw binary (Pattern_Create)
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 27:27 - Start of Return to LibC attack - Getting Addresses
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 37:20 - Grabbing memory locations off October Machine
OCTOBER | https://www.youtube.com/embed/K05mJazHhF4 ^ 41:00 - Convert script to Bruteforce ASLR
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 01:15 - Begin Recon with Reconnoitre
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 03:15 - Examining findings from Reconnoitre
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 06:50 - Decompiling java Jar Files with JAD
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 08:18 - Using JD-GUI
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 10:33 - Running WPScan
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 12:10 - Manually enumerating wordpress users
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 12:43 - SSH To the box and PrivEsc
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 15:30 - Rabbit hole, gaining access through FTP
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 17:09 - Finding Wordpress DB Password
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 20:10 - Generating a PHP Password for Wordpress
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 21:50 - Gaining code execution with Wordpress Admin access
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 25:40 - Shell as www-data
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester
BLOCKY | https://www.youtube.com/embed/C2O-rilXA6I ^ 30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 00:40 - Begin of the box
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 03:20 - Checking the HTTP Ports out
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 04:38 - Using wfuzz to bruteforce a login on port 80
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 08:15 - Begin examining port 8080, use wfuzz to bruteforce a cookie
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 11:30 - Using wfuzz to enumerate the WAF and determine bad characters
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 14:40 - Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost.
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 16:50 - Begin examining port 11211 (MemCache)
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 18:00 - Dumping data from Memcache
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 23:50 - Using CVE-2018-15473 to enumerate valid users over SSH
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 27:35 - Cracking the users hash and logging into the box
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 29:00 - Using R2 to analyze rabbit hole application "try_harder"
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 33:30 - Going through LinEnum
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 38:30 - Using r2 to examine myexec to find password
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 40:13 - Using r2 to examine libseclogin.so
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 41:30 - Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 42:10 - Creating a malicious library to hijack seclogin()
DAB | https://www.youtube.com/embed/JvqBaZ0WnV4 ^ 45:10 - Let's bypass the login by hijacking printf()
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 01:50 - Start of Recon
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 04:58 - documents and secret rabbit hole enumeration
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 08:13 - Using wfuzz on the secret rabbit hole to find argument for download.php
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 13:40 - Begin of Web Application Enumeration, some XSS Found
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 18:23 - Throwing bad characters in username and finding Second-Order SQL Injection.
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 23:50 - Begin of Union Injection to dump the database via second order sql injection
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing)
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 53:00 - Converting 64-Bit SFTP Exploit to 32-Bit
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 71:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 82:55 - Reversing SLS binary with Radare2 (r2)
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 107:53 - Exploiting SLS Binary with new line character (Get to Decoder User)
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 111:47 - Begin of Kernel Exploitation (CVE-2017-1000112)
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 116:00 - Kernel Exploit Compiled (silly mistake before)
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 119:52 - Creating a new lsb-release file so exploit can identify kernel
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 127:03 - Recap of Box
NIGHTMARE | https://www.youtube.com/embed/frh-jYaUvrU ^ 129:56 - Creating a Tamper Script to do Second-Order SQL Injection
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 01:10 - Begin of recon
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 03:00 - Poking at DNS - Nothing really important.
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 04:00 - Examining what NMAP Scripts are run.
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 06:35 - Let's just try out smbclient to list shares available
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 07:25 - Using SMBMap to show the same thing, a great recon tool!
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 08:30 - Pillaging the Replication Share with SMBMap
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 09:20 - Discovering Groups.xml and then decrypting passwords from it
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 13:10 - Dumping Active Directory users from linux with Impacket GetADUsers
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 16:28 - Using SMBMap with our user credentials to look for more shares
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 18:25 - Switching to Windows to run BloodHound against the domain
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 26:00 - Analyzing BloodHound Output to discover Kerberoastable user
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 27:25 - Performing Kerberoast attack from linux with Impacket GetUserSPNs
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 29:00 - Cracking tgs 23 with Hashcat
ACTIVE | https://www.youtube.com/embed/jUc1J31DNdw ^ 30:00 - Getting root on the box via PSEXEC
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 01:15 - Begin of Recon
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 02:00 - Looking at what Filtered means in Nmap
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 05:00 - Start of looking at webpage (GoBuster)
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 06:30 - Manual HTTP Enumeration
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 09:50 - Start of exploiting with BurpSuite
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 17:00 - SSH Key Found, logging in with nobody
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 19:12 - Discovering a second SSH Server
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 23:36 - Using the same SSH Key to login to the second SSH Server as monitor
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 24:38 - Escaping rBash by modifying an executable file in our current $PATH
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 28:13 - Running LinEnum.sh to search for PrivEscs
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 30:50 - Enabling ThoroughTests in LinEnum to see what else it will check
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 36:30 - Looking into capabilities permissions in linux
WALDO | https://www.youtube.com/embed/1klneIHECqY ^ 39:00 - Begin of second way to escape rBash and setup a SSH Tunnel for fun
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 00:00 - Intro
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 01:58 - Begin Recon (NMAP)
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 04:19 - GoBuster HTTP + HTTPS
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 06:35 - Accessing Pages
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 07:05 - Using Hydra against HTTP + HTTPS Web Forms
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 11:30 - Logging into HTTP and hunting for vulns
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 17:00 - Second Hydra attempt against HTTPS
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 17:57 - Logging into HTTPS (phpLiteAdmin)
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 20:17 - Chaining Exploits to get Code Execution
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 26:38 - Reverse Shell Returned
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 28:00 - LinEnum.sh Script Review
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 31:30 - Watching for new Processes
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 37:00 - Found the error in script :)
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 39:30 - Getting reverse root shell
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 41:51 - Intended Route to get User
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 46:12 - Reviewing Knockd configuration
NINEVEH | https://www.youtube.com/embed/K9DKULxSBK4 ^ 49:33 - Doing the PortKnock
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 00:27 - Port Enumeration
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 02:54 - UDP Port Review
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 03:40 - TFTP Enumeration
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 06:30 - Cracking Squid PW
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 08:00 - FoxyProxy Setup
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 09:45 - Burp Setup
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 14:45 - Running Commands
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 21:20 - Reverse Shell
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 22:30 - PrivEsc to Alekos #1
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 28:00 - PrivEsc to Alekos #2
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 30:37 - Root #1 (SymLink)
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 30:48 - Root #2 (Tar Checkpoint)
JOKER | https://www.youtube.com/embed/5wyvpJa9LdU ^ 44:45 - Root #3 (Remove Development)
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:00 - Intro
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:12 - Enumerate with nmap
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 00:40 - Going to the webpage
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 01:50 - Using SearchSploit to find ColdFusion Exploits
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 02:40 - Attempt to exploit through MSF. Debug why it failed.
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 03:50 - Setting up a Burp Redirect listener
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 04:55 - Examining request sent by MSF Exploit
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 06:35 - Getting a reverse shell
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 07:50 - Using Unicorn to create a Powershell Meterpreter Loader
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 11:35 - Reverseshell returned
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 12:10 - Using the MSF post module local_exploit_suggester
ARCTIC | https://www.youtube.com/embed/e9lVyFH7-4o ^ 15:29 - Privesc via MS10-092
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 00:49 - Nmap
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 01:31 - Examining some odd behavior. Nmap different result than browser.
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 04:00 - Getting to /admin and testing for Zone Transfer
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 05:40 - Testing SSH Default Raspberry Pi Creds
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 06:11 - Escalate to root 'sudo su'
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 07:10 - Recovering the deleted root.txt
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 08:38 - GrepFu
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 10:40 - Downloading /dev/sdb via SSH
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 12:48 - Running Binwalk against it
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 13:18 - Trying to recover with TestDisk
MIRAI | https://www.youtube.com/embed/SRmvRGUuuno ^ 14:37 - Trying to recover with PhotoRec
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 00:25 - Start of Recon, identifying end of life OS from nmap
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 03:20 - Running vulnerability scripts in nmap to discover heartbleed
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 04:16 - Going to the HTTP Page to see what it looks like
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 06:30 - Begin of Heartbleed - Grabbing Python Module
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 07:13 - Explaining Heartbleed -- XKCD ftw
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 10:15 - Explaining and running the exploit
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 13:40 - Exporting large chunks of memory by running in a loop
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 14:10 - Finding an encrypted SSH Key on the server
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 15:35 - Examining heartbleed output to discover SSH Key Password
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 17:45 - SSH as low priv user returned
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 21:55 - Finding a writable tmux socket to hijack session and find a root shell
VALENTINE | https://www.youtube.com/embed/XYXNvemgJUo ^ 23:50 - Alternative Privesc, DirtyC0w
BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 1:35 - Method 1: LFI + Password
BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 16:03 - Method 2: Turning LFI into RCE
BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 37:46 - Method 3: Code exec via call
BEEP | https://www.youtube.com/embed/XJmBpOd__N8 ^ 54:00 - Method 4: Shellshock
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 0:20 - Recon
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 3:40 - Start of WP Hacking
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 10:30 - Logged into WP
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 15:00 - Login to SuperSecretForum
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 25:00 - Cracking the SSH Key
BRAINFUCK | https://www.youtube.com/embed/o5x1yg3JnYI ^ 27:15 - Begin of getting root.txt (RSA Cracking)
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 00:24 - Recon with Sparta
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 02:00 - Enumerating SSL Certificate
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 03:55 - Manually View SSL Certificate
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 04:35 - VirtualHostRouting Explanation
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 07:42 - SQL Injection - Auth Bypass
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 13:00 - Dumping the Database with SQLMap
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 16:45 - Begin of Web Exploit (Regex //e)
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 23:00 - Getting a Shell
EUROPA | https://www.youtube.com/embed/OsxDB41jg6A ^ 27:10 - Begin PrivEsc (CronJob)
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 00:18 - Start of Recon
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 01:15 - Finding hidden directory via Source
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 02:15 - Downloading NibbleBlog to help us with finding version information
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 03:59 - Identifying what version of NibblesBlog is running
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 04:42 - Using SearchSploit to find vulnerabilities
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 05:36 - Examining the Exploit
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 06:08 - Explanation of exploit
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 07:25 - Attempting to find valid usernames for NibblesBlog
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 09:13 - Finding usernames in /content/private
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 10:15 - Using Hydra to attempt to bruteforce
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 14:08 - Oh crap. Hydra not good idea we're blocked...
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 15:40 - Using SSH Proxies to hit nibbles from another box (Falafel)
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 18:20 - Guessing the password
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 20:10 - Logged in, let's attempt our exploit!
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 22:46 - Code Execution achieved. Let's get a reverse shell
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 24:53 - Reverse shell returned.
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 26:00 - Running sudo -l examine sudoer, then finding out why sudo took forever to return
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 26:50 - Privesc via bad sudo rules
NIBBLES | https://www.youtube.com/embed/s_0GcRGv6Ds ^ 32:10 - Alternative PrivEsc via RationalLove
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 00:45 - Begin of NMAP
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 03:00 - GoBuster (Fails)
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 08:15 - Screw GoBuster, BurpSpider FTW
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 09:12 - Examining Routes File to find more pages
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 10:10 - Finding Credentials and downloading backup
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 14:45 - Cracking the zip with fcrackzip
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 16:45 - Finding more credentials (SSH) within MongoSource
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 21:50 - Privesc to Tom User
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 35:04 - Analyzing Backup Binary File
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 36:49 - Using strace to find binary password
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 40:25 - Finding blacklisted characters/words
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 50:00 - Unintended method one, abusing CWD
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 52:20 - Unintended method two, wildcards to bypass blacklist
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 54:45 - Unintended method three, command injection via new line
NODE | https://www.youtube.com/embed/sW10TlZF62w ^ 59:15 - Intended root Buffer Overflow ASLR Brute Force
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 01:26 - Start of Recon
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 03:25 - Notice SSH configured for Pub Key Only. Hint at what to grab later!
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 03:50 - Grabbing test.txt off ftp server via anonymous auth
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 04:07 - Determining if I want to go down the "Exploit VSFTPD" rabbit hole
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 05:54 - Viewing test.txt and hosts.php
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 06:48 - Figuring out how hosts.php works and discovering XXE
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 08:58 - Start of XXE Discovery
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 10:16 - Making the XXE Output /etc/passwd
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 11:33 - Encoding output in Base64 in order to view PHP Files
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 12:58 - Using Burp Intruder to BruteForce Files
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 16:20 - Creating a program to bruteforce home directories
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 26:41 - Program Finished. Finding SSH ID_RSA Key
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 28:15 - Low Priv Access Granted
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 30:24 - LinEnum.sh shows Wordpress CHMOD'd to 777
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 31:05 - Examining Wordpress Site (big hint left by author)
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 32:10 - Enumerating MySQL Database
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 35:15 - Giving up on MySQL, let's edit PHP Files to dump passwords!
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 36:50 - Identifying the file we want to backdoor
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 37:51 - Placing our PHP Code
ARAGOG | https://www.youtube.com/embed/NFdi-2tgvxY ^ 42:06 - Got the password!
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 08:20 - NODE-RED: Reverse Shell Returned
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 15:30 - NODE-RED: Running IP and Port Scans to identify lateral movement targets
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 24:29 - Downloading Chisel (Go Program for Tunnels).
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 25:00 - Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 27:00 - PowerPoint: Explaining Reverse Pivot Tunnel using Chisel
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 31:25 - WWW: Tunnel online, examining the website
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 34:23 - Full Port Scan to 172.19.0.2, discover REDIS
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 36:30 - Searching for ways to execute code against REDIS
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 38:07 - Using REDIS to create a PHP Shell
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 41:06 - PowerPoint: Explaining Local Pivot Tunnel using Chisel
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 44:30 - WWW: Reverse Shell Returned
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 45:45 - Notice wildcard used with RSYNC, go search GTFOBins
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 51:32 - Abusing the wildcard within RSYNC
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 57:23 - WWW: Got Root, but no flag... Let's go look at RSYNC again.
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 60:15 - Explaining how to tunnel from Backup - WWW - NODE-RED - Kali
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 77:50 - Getting reverse shell on BACKUP via uploading CronJob through rsync
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 80:30 - BACKUP: Reverse Shell Returned... No root.txt here either!?
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 86:30 - BACKUP: Noticing this has /dev/sda*, where other dockers do not
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 88:15 - BACKUP: Dropping a cronjob on root disk to get shell on the host
REDDISH | https://www.youtube.com/embed/Yp4oxoQIBAM ^ 90:45 - ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 00:42 - Begin of Nmap
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 04:23 - Examining the anonymous FTP Directory and discovering email addresses in Meta Data
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 06:50 - Manually enumerating valid email addresses via SMTP
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 10:50 - Creating a "Canary Document" in Word to ping back to our server when a word document is opened
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 13:14 - Generating a malicious RTF Document (CVE-2017-0199)
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 26:28 - Shell Returned. Enumerating the AppLocker Policy
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 32:53 - Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 35:22 - Let's forget we had Tom and run Bloodhound from Nico!
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 40:30 - First time opening BloodHound on this box.
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 49:45 - Let's update Bloodhound, looks like some data is missing and there were errors when running it
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 53:25 - Finding a path from Nico to BACKUP_ADMINS and explaining AD Security Objects (GenericWrite, WriteOwner, etc)
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 58:23 - Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 61:40 - Adding Herman to the Backup_Admins group
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 64:30 - Finding the Administrator Password within backup scripts.
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 67:00 - Attempting to run Watson (ends up not working)
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 83:22 - Using Metasploit to do the box
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 85:42 - Since Watson failed, let's just look at last patch times on the box to get an idea what's vulnerable.
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 87:19 - Attempting to do the ALPC Exploit within Metasploit
REEL | https://www.youtube.com/embed/ob9SgtFm6_g ^ 91:00 - That failed - Let's just prove the box is vulnerable, by overwriting a DLL
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 01:16 - Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 04:04 - Using nc/ncat to verify a port is open (-zv)
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 11:17 - Doing gobuster across many of the subdirectories
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 13:03 - Examining /admin/ - Examine the HTML Source because login is not sending any data
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 14:09 - Discover some weird text encoding (Ook), how I went about decoding it
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 15:44 - Decoded to base64 with some spaces, clean up the base64 and are left with a zip file
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 19:19 - After cracking the zip, there is another text encoding challenge (BrainF*)
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 25:11 - With potential information, return to our long running recon for more information
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 28:49 - Discovering /playsms
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 32:00 - Reading ExploitDB Articles and then attempting to manually exploit PlaySMS via uploading a CSV
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 34:34 - Getting a reverse shell
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 39:00 - Running LinEnum.sh
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 40:00 - Finding the SetUID file: rop
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 42:00 - Exploiting ROP Program with ret2libc
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 45:30 - Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 50:34 - Running our exploit to get root shell
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 54:00 - Begin of recovering rop.c source code
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 56:41 - Recreating rop.c then compiling
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 59:44 - Copying the physical disk to our local box via SSH and DD
FROLIC | https://www.youtube.com/embed/b6WGQSJu_zQ ^ 01:01:44 - Using PhotoRec to restore files and finding rop.c
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 00:50 - Begin of Recon, Downloading FTP and inspecting websites
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 10:23 - Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 11:30 - Sending MD5Hashes to VirusTotal to get file age
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 15:45 - Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 21:00 - Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 25:45 - Using nslookup to exfil the results of commands executed.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 33:15 - Creating Python Script to automate exploitation of this program. Using Scapy, BeautifulSoup, and Requests.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 55:23 - Script working! Now to make the output a bit more pretty using tokens to separate spaces
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:02:00 - Running commands to get interesting information about the page
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:05:20 - Enumerating the Firewall via netsh
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:09:10 - Using OpenSSL to get a reverse shell on windows
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:17:25 - Reverse shell returned.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:19:40 - Creating a malicious shortcut via powershell
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:22:40 - Using OpenSSL To transfer files
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:28:00 - Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:32:30 - Creating and signing a malicious MSI with WiX.
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:48:15 - First attempt failed, creating a less complicated MSI File by just having it execute our shortcut
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:53:00 - Getting reverse shell as SYSTEM - Cannot read EFS Files
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:55:20 - Having our MSI not run as SYSTEM by changing impersonation in WiX
ETHEREAL | https://www.youtube.com/embed/Bhh5yPHjwUY ^ 01:58:30 - Shell as Rupal returned.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 00:56 - Start of recon, use Bootstrap XSL Script to make nmap pretty
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 03:10 - Looking at nmap in web browser
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 03:52 - Navigating to the web page, and testing all the pages.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 06:25 - Testing for LFI
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 07:00 - Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 08:40 - Testing for RFI (Remote File Inclusion) [not vuln]
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 10:00 - Code Execution via LFI + phpinfo()
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 14:45 - Modifying the PHP-LFI Script code to get it working
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 17:10 - Debugging the script to see why tmp_name couldn't be found
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 20:12 - Shell returned!
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 21:25 - Looking at pwdbackup.txt and decoding 13 times to get password.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 23:37 - SSH into the box (Do not privesc right away!)
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 24:29 - Getting shell via Log Poisoning
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 26:39 - Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50)
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 28:47 - Begin of PrivEsc, grabbing secret.zip off
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 32:38 - Searching for processes running as root, find VNC
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 33:49 - Setting up SSH Tunnels without exiting SSH Session.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 37:43 - Something weird happened... Setting up SSH Tunnels manually.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 40:10 - PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 41:40 - Decrypting the VNC Password because we can.
POISON | https://www.youtube.com/embed/rs4zEwONzzk ^ 42:50 - Examining the log file to see why our Log Poison Failed, then doing the Log Poison
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 01:20 - Begin of NMAP
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 02:30 - Extra nmaps, SNMP and AllPorts
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 04:00 - Playing with OneSixtyOne (SNMP BruteForce)
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 07:00 - Looking at SNMPWalk Output
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 08:40 - Installing SNMP Mibs so SNMPWalk is readable
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 10:05 - Accessing the box over Link Local IPv6 Address
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 14:00 - Looking at Port 3366 (Website), getting PW from SNMP Info
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 17:50 - Getting IPv6 Routable Address via SNMP
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 19:20 - NMAP the IPv6 Address
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 21:00 - Accessing the page over IPv6
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 23:00 - Getting output from the command execution page
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 24:55 - Viewing Credentials Files and accessing the box via SSH
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 29:00 - Examining why loki cannot use /bin/su (getfacl)
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 31:00 - Getting a shell as www-data
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 38:10 - Finding the root.txt file from using find command to search for files by date
MISCHIEF | https://www.youtube.com/embed/GKo6xoB1g4Q ^ 40:30 - Extra content, reading files via ICMP
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 01:18 - Begin of Recon
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 04:55 - Start of aChat buffer Overflow: Finding the exploit script with Searchsploit
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 07:24 - Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 09:42 - Correction: Payload Size wrong, should be 3,xxx -- look at "Payload Size" I accidentally highlighted the size of the python file.
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 14:30 - Whoops, erased too much out of POC. Let's correctly replace the shellcode this time and get a shell.
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 17:50 - Running PowerUp to find AutoLogon Credentials
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 20:05 - Running Code as Administrator
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 24:18 - First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work.
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 27:30 - Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the file's access list. Get-ACL to view access list and cacls to modify
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 33:12 - Summary of the box
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 34:37 - Doing the box with Metasploit, Warning: Lots of fails.
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 43:10 - Using Meterpreter's PortFwd to bypass ChatterBox's firewall and access port 445
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 51:25 - Doing the box with Empire!
CHATTERBOX | https://www.youtube.com/embed/_dRrvJNdP-s ^ 58:20 - Using Empire's Run_As module to execute commands as Administrator
SOLIDSTATE | https://www.youtube.com/embed/_QapCUx55Xk ^
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 01:30 - Begin of Recon, nmap filtered explanation
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 03:30 - Begin of initial DNSRecon, hunting for a domain name
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 06:04 - Web page enumeration, finding xdebug in header
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 09:47 - Installing xdebug plugin in Chrome to show its use
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 12:50 - Getting a reverse shell on the first docker (Icarus)
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 15:00 - Setting up nginx to accept files uploaded over HTTP / WebDav
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 20:30 - Examining the Wireless Capture from Icarus
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 21:30 - Cracking WPA with aircrack / hashcat
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 25:00 - Decrypting WPA traffic in Wireshark
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 27:50 - Enumerating valid usernames via SSH (CVE-2018-15473)
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 33:15 - SSH into port 2222 with information from Wireless Capture
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 34:40 - Domain Name found! Time to do a DNS Zone Transfer
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 36:15 - Port Knocking to open up port 22
OLYMPUS | https://www.youtube.com/embed/7ifJOon5-G8 ^ 40:05 - PrivEsc to root via being a member of the Docker Group
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 00:50 - Start of the box
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 05:30 - Attempting GoBuster but wildcard response gives issue
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 07:40 - Start of doing wfuzz to find content
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 10:38 - Manually testing SQLInjection
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 13:07 - Running SQLMap and telling it exactly where the injection is
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 16:04 - Manually extracting files with the SQL Injection
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 19:50 - Cracking the hash with hashcat
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 25:00 - Start of examining the custom webapp, playing with Template Injection
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 27:00 - Explaining a way to enumerate language behind a webapp
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 35:17 - Reverse Shell returned on first Docker Container
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 38:00 - Examining SQL Database
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 39:40 - Doing the Port Knock to open up SSH
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 43:50 - Gain a foothold on the host of the docker container via ssh
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 46:00 - Identifying containers running
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 50:10 - Creating SSH Port Forwards without exiting SSH Session then NMAP through SSH
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 55:11 - Begin looking into Portainer, finding a weak API Endpoint
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 59:00 - Start of creating a container in portainer that can access the root file system
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 68:25 - Changing sudoers so dorthy can privesc to root
OZ | https://www.youtube.com/embed/yX00n1UmalE ^ 69:50 - Let's go back and create a python script to play with SQL Injection
BASHED | https://www.youtube.com/embed/2DqdPcbYcy8 ^
TENTEN | https://www.youtube.com/embed/A4U3xiRWfsU ^
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 01:00 - Begin of recon
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 10:00 - Finding the vulnerable Wordpress Plugin
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 17:50 - Exploiting lcars plugin
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 28:30 - Logging into WP and Getting Reverse Shell
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 35:00 - Wordpress RevShell Returned
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 40:00 - Using Meterpreter to pivot and provide access to MySQL
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 50:00 - MySQL Shell Returned
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 52:00 - Logging into Joomla and Getting Reverse Shell
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 57:20 - Joomla Reverse Shell returned
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 59:00 - Getting Reverse Shell on Host OS (port 443)
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 62:00 - Shell Returned begin of local privesc recon
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 72:06 - Beginning of Binary Exploitation
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 81:00 - Start writing exploit script
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 88:30 - Analyzing the PHP SQL Injection Scripts
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 96:30 - Viewing what SQLMap does to exploit this
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 100:00 - Stepping through Double Query Injection
ENTERPRISE | https://www.youtube.com/embed/NWVJ2b0D1r8 ^ 107:20 - Writing our own SQL Injection Exploit Script
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 00:38 - Begin of recon
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 001:48 - Gobuster, using -x aspx to find aspx pages
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 003:16 - Playing with a file upload form, seeing what can be uploaded
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 005:15 - Using Burp Intruder to automate checking file extensions
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 007:00 - Finding a way to execute code from file upload in ASPX (web.config)
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 010:55 - Executing code via web.config file upload
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 013:08 - Installing Merlin to be our C2
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 015:25 - Compiling the Merlin Windows Agent
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 018:37 - Modifying web.config to upload and execute merlin
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 021:14 - Merlin Shell returned!
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 024:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 027:44 - Getting Admin via Juicy Potato
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 029:44 - Box completed
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 030:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 033:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 034:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 036:45 - Metasploit Session Returned! Checking local_exploit_suggester
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 040:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 040:30 - Getting Admin via MS10-092
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 042:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host #PivotProblems)
BOUNTY | https://www.youtube.com/embed/7ur4om1K98Y ^ 047:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 00:43 - Start of Recon, nmap and poking around the website
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 04:00 - Dirbusting a site that always responds 200
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common)
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 10:48 - Discovery of .git - Poking around to clone it and download
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 15:10 - Downloaded .git, examining commit history
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 19:50 - Start of Pickle Talk
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 21:25 - Begin writing of the pickle exploit
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 28:45 - Return of Reverse Shell as www-data
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 32:30 - Begin looking into CouchDB
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 34:00 - Poking around at documents within CouchDB
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 36:15 - Examining first exploit with creating a CouchDB User
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 39:50 - Exploring the passwords database with our newly created admin user and finding Homer's Password.
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 42:00 - Getting root with sudo pip install
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 45:55 - Box Done. Begin second unintended way to get to Homer User
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 47:03 - Playing with the public RCE Exploit for CouchDB
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 48:20 - Running the exploit
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 49:36 - Examining the exploit, doing each step manually to see where it fails
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this to work?
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 55:55 - Digging into how erlang works
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 57:30 - Finding default CouchDB Cookie
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 59:10 - Connecting to the Erlang pool then searching for how to run commands.
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 61:54 - Exploring how to send long commands as distributed task
CANAPE | https://www.youtube.com/embed/rs75y2qPonc ^ 64:30 - Getting reverse shell
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available"
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:14:25 - Testing Union Injections for easy exfil of data
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:15:50 - Examining Stacked Queries to make running our own SQL Statements easy. Then a bunch of injections to run Xp_CMDShell and get output.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:19:30 - Some valuable recon/information in debugging our SQL queries. Noticing small things really helps.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 00:34:40 - Start of making a program to give us a command shell.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 69:40 - Explaining the program we just created. Then fix a small bug.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 72:45 - Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 77:10 - Return of 32-bit PowerShell... Identifying we can append data to c:\users\decoder\clean.bat -- That's odd, let's try to place a shell in it to see if it is being run.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 92:40 - Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 64-bit Shell as Decoder returned!
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 95:30 - Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorial...
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 102:18 - Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 107:25 - Looking at the binaries in Ida64 Free
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 111:14 - Explaining what's happening and then writing a script to bypass the password check.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 115:35 - Start of unintended way (Juicy Potato)
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 118:10 - Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 126:10 - Start of modifying JuicyPotato to accept uppercase arguments.
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 130:14 - Finding a vulnerable CLSID to get JuicyPotato working
FIGHTER | https://www.youtube.com/embed/CW4mI5BkP9E ^ 148:25 - Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check.
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 01:00 - Nmap
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 02:23 - Examining the Web Page
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 04:08 - GoBuster
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 04:53 - Finding /uploads/ Directory
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 05:50 - Finding /secret_area_51/ Directory
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 06:20 - Using Audacity to find Steg in Audio
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 08:50 - FTP With Creds revealed from Steg
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 10:06 - Examining files downloaded from FTP
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 12:43 - Finding decryption key + blob
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 14:33 - Using Python seccure to decrypt ecc
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 16:05 - SSH Into Shrek as SEC
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 16:35 - Farquad Rabbit Hole
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 17:42 - Incident Response : Finding files modified between two times
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 20:47 - What is /usr/src/thoughts.txt?
SHREK | https://www.youtube.com/embed/tI592BjTd4o ^ 21:45 - Privesc through cron running: chown *
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 01:11 - Begin of recon
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 03:48 - Manually checking the page out
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 04:30 - Discovering the webserver is java/tomcat
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 05:35 - Starting up GoBuster / Hydra
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 09:40 - The Directory /Monitoring was found - Discovering it's Struts because of .action
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 11:00 - Stumbling upon an exploit trying to find out how to enumerate Struts Versions
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 14:10 - Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out it's firewalled off
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 21:10 - Using a HTTP Forward Shell to get around the strict firewall
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 22:40 - Go here if you want to start copying the Forward Shell Script
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 23:34 - Explaining how it works
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 25:10 - Explaining the code
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 31:06 - Forward Shell Returned - Enumerating Database to find creds
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 37:29 - Examining User.py
STRATOSPHERE | https://www.youtube.com/embed/uMwcJQcUnmY ^ 40:15 - Privesc: Abusing Python's Path to load a malicious library and sudo user.py
CRONOS | https://www.youtube.com/embed/CYeVUmOar3I ^
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 08:10 - Attempting to enumerate users of OWA-2010 (Fails)
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 14:10 - Checking out Joomla Version (/administrator/manifests/files/joomla.xml)
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 15:50 - Using SearchSploit with (Complain Management System)
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 19:38 - Register Account, Login, Verify/Play with SQL Union Injection
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 23:30 - Enumerating SQL Injection with SQLMap
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 29:18 - Going back to MSF/OWA_LOGIN and testing credentials.
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 32:15 - Logging into OWA and reading email to find out OpenOffice, Defender, and PowerShell Constrained Mode are installed
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 36:20 - Creating a malicious OpenOffice macro with LibreOffice + Downloading and Executing a file without Powershell (certutil ftw)
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 40:18 - Compiling Merlin (like MSF/Empire)
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 48:40 - Sending the email and waiting.
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 50:20 - Merlin call back, Switch to Powershell Nishang to get an interactive shell
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 54:30 - Running PowerUp to find we are an Administrator
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 56:56 - Running JAWS to do some more Windows Enumeration
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 63:04 - Found an odd scheduled task "System Maintenance"
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 66:03 - Attempting to write a php shell to HTTPD
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 72:30 - Frustrated creating a PHP Script... Switch to the SCHTask Privesc
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 78:20 - Uhh. Testing if echo is somehow breaking .bat/.php files
RABBIT | https://www.youtube.com/embed/5nnJq_IWJog ^ 91:50 - Going back to test PHP to verify it just didn't like echo.
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 00:45 - Introduction, nmap
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 01:30 - Clicking around in Tomcat
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 02:20 - Playing around with HTTP Authentication
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 05:45 - Bruteforcing tomcat default creds with Hydra and seclists
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 08:20 - Sending hydra through a proxy to examine what is happening
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 12:50 - Logging into tomcat and using msfvenom + metasploit to upload a malicious war file
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 22:42 - Begin of doing this box without MSF
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 23:45 - Downloading a cmd jsp shell and making a malicious war file
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 26:25 - WebShell returned
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 28:00 - Begin of installing SilentTrinity
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 30:55 - SilentTrinity Started, starting listener and generating a payload
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 33:00 - Pasting the payload into the webshell
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 34:00 - Debugging SSL Handshake errors
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 37:00 - Starting SilentTrinity back up, how to use modules
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 39:10 - Start of Execute-Assembly, compiling Watson
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 43:10 - Running Watson
JERRY | https://www.youtube.com/embed/PJeBIey8gc4 ^ 43:30 - Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 01:10 - Begin of recon
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 03:00 - Discovery of Wordpress and fixing broken links with burp
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 06:50 - Start of WPScan
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 07:14 - Start of poking at Monstra, (Rabbit Hole)
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 13:05 - Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 16:30 - Reverse shell returned as www-data
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 18:08 - Confirming monstra was read-only
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 18:50 - Running LinEnum.sh to see www-data can run tar via sudo
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 20:30 - Use GTFOBins to find a way to execute code with Tar
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 24:10 - Examining backuperer script
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 26:00 - Hunting for vulnerabilities in Backuperer
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 32:15 - Playing with If/Then exit codes in Bash. Turns out exit(0/1) evaluate as True, 2 is false
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 34:20 - Begin of exploiting the backuperer service by exploiting integrity check
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 36:40 - Creating our 32-bit setuid binary
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 39:16 - Replacing backup tar, with our malicious one. (File Owner of Shell is wrong)
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 40:54 - Explaining file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 42:30 - Exploiting the Backuperer Service via SetUID!
TARTARSAUCE | https://www.youtube.com/embed/9MeBiP637ZA ^ 45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 01:02 - Going over NMAP
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 02:00 - Anonymous FTP + File Upload
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 04:30 - MSFVenom
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 07:20 - Metasploit
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 10:00 - Exploit Suggester
DEVEL | https://www.youtube.com/embed/2LNyAbroZUk ^ 11:30 - Getting Root
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 00:38 - Start of Recon
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 01:20 - Finding NMAP Scripts (Probably a stupid way)
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 02:00 - Running Safe Scripts - Not -sC, which is default.
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 02:52 - Listing NMAP Script Categories (Prob a really stupid way)
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 03:18 - Really Cool Grep (Only show matching -oP)
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 04:40 - Nmap Safe Script Output
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 06:30 - Exploiting MS17-010 with MSF
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 07:40 - Setting up Dev Branch of Empire
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 09:07 - Starting a Listener
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 10:55 - Getting a PowerShell Oneliner to launch payload
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 12:16 - Invoke-Expression (IEX) to Execute Launcher
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 13:25 - Interacting with a single agent
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 13:40 - Using Modules - PowerUp Invoke-AllChecks
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 14:40 - Fixing weird issue with PS Module
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 16:15 - Invoke-AllChecks finished
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 17:15 - Loading PS Modules into Memory
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 17:40 - Executing functions out of above module
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 18:20 - Why I don't pass to MSF via InjectShellcode
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 22:45 - How I pass from Empire to MSF (Unicorn + IEX)
BLUE | https://www.youtube.com/embed/YRsfX6DW10E ^ 25:53 - Just running Powershell CMDs from Empire (Shell)
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 01:00 - Start of Recon
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 02:15 - TFTP Enumeration - Identifying configuration and OS information
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 06:32 - Finding a path to code execution
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 07:17 - Examining PSExec Metasploit Module
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 08:55 - Using irb within metasploit to print a powershell payload
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 12:30 - Examining PsExec()
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 15:40 - Examining native_upload
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 18:10 - Examining mof_upload
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 20:34 - Using irb within metasploit to print the MOF File
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 22:35 - Quick explanation of MOF Files
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 25:05 - Modifying the MOF to run NetCat
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 27:30 - Uploading nc to the target
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 28:50 - Uploading the malicious MOF File and getting a shell!
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 29:50 - Using Streams to view Hidden text within ADS
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 33:08 - Start of Bonus Content, finding a TFTP Exploit that uses MOF
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 35:05 - Attempting to use distinct_tftp_traversal against DropZone
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 36:30 - Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 40:50 - Testing out pry.byebug
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 42:30 - Finding why the exploit module didn't work
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 44:50 - Module still doesn't work, TFTP Stopping mid transfer
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 49:30 - Whoops, changed the delay on the wrong timeout
DROPZONE | https://www.youtube.com/embed/QzP5nUEhZeg ^ 51:00 - Meterpreter Shell returned, showing off the extended API and some WMI Commands.
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 00:58 - Begin of Recon
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 03:00 - Looking at the web application and finding the Serialized Cookie
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 04:38 - Googling for Node JS Deserialization Exploits
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 06:30 - Start of building our payload
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 09:10 - Moving our serialized object to "Name", hoping to get to read stdout
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 11:30 - Really abusing the deserialize function by removing the Immediately Invoked Function Expression (IIFE)
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 13:25 - Failing to convert an object (stdout) to string.
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 14:02 - Verifying code execution via ping
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 15:32 - Code execution verified, gaining a shell
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 18:49 - Reverse shell returned, running LinEnum.sh
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 21:26 - Examining logs to find the Cron Job running as root
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 22:09 - Privesc by placing a python root shell in script.py
CELESTIAL | https://www.youtube.com/embed/aS6z4NgRysU ^ 24:15 - Going back and getting a shell with NodeJSShell
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 01:19 - Begin of Enumeration
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 04:15 - Avoiding the Rabbit Hole on port 80 (IIS)
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 06:00 - Begin of Jenkins
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 09:00 - Using Jenkins Script Console (Groovy) to gain code execution
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 12:00 - Reverse TCP Shell via Nishang
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 17:00 - Reverse Shell returned. PowerSploit dev branch to find unintended privesc (Tokens)
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 22:20 - Powersploit's Invoke-AllChecks completes
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 24:20 - Finding Keepass Database using Impacket-SMBServer to transfer files
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 27:00 - Cracking the KeePass Database
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 30:20 - Using KeePass2 to open database
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 34:25 - PassTheHash via pth-winexe to gain administrator shell
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS)
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 39:00 - Using RottenPotato to escalate to root via MSF
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 41:00 - Using Unicorn to gain a reverse MSF Shell
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 45:20 - Performing the attack
JEEVES | https://www.youtube.com/embed/EKGBskG8APc ^ 48:00 - Impersonating Token to gain root
BASTARD | https://www.youtube.com/embed/lP-E5vmZNC0 ^
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 00:52 - Recon - NMAP
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 04:05 - Recon - Getting Linux Distro
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 04:35 - Recon - GoBuster
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 05:40 - Analyzing Jail.c source
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 09:45 - Begin Binary Exploitation
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 15:10 - Verify Buffer Overflow
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 17:35 - Create Exploit Skeleton
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 20:50 - Finding EIP Overwrite
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 23:02 - Adding Reverse TCP Shellcode
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 30:15 - Switching to "Socket Re-Use" Shellcode
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 32:20 - Shell Returned
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 34:00 - NFSv3 Privesc Begin
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 40:15 - Begin incorrectly playing with SetUID
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 43:10 - SELinux Escape
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 45:25 - Using SELinux Escape to copy SSH Key
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 48:55 - Logging in as Frank
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 50:00 - Privesc to adm (sudo rvim)
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 51:44 - Begin of finding a way to root
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 55:58 - Begin cracking rar file
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 57:18 - Using Hashcat to generate custom wordlist
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 60:40 - Cracking with JohnTheRipper
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 62:30 - RsaCtfTool to exploit weak SSH Pub Key
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 63:36 - Login as root with SSH Private Key
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 64:11 - EXTRA CONTENT: Alternative Privesc to ADM (NFS)
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 65:21 - Creating a directory to give other users NFS Write access
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 67:30 - Correct way to do SetUID Program
JAIL | https://www.youtube.com/embed/80-73OYcrrk ^ 71:04 - Using SetUID Programs to write to disk
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 00:40 - Begin of Recon
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 04:00 - Start of GoBuster
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 05:40 - Finding a SSRF
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 09:00 - Passing arguments to cmd.aspx via SSRF
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 12:05 - Firewall Enumeration
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 16:35 - Begin of setting up ICMP Reverse Shell
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 22:25 - Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 46:31 - Return of ICMP Rev Shell
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 52:20 - PrivEsc from IIS to Decoder
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 71:15 - Unzipping via Powershell
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 74:05 - Finding Administrator password hidden in NTFS File Stream
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 76:30 - Using Net Use to mount C: As Administrator
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 79:30 - Using IDA to analyze root.exe and grab the flag (Misses last character of hash)
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 84:15 - Using Invoke Command to execute root.exe as admin (Lots of Fail)
MINION | https://www.youtube.com/embed/IbVmpr6IFQU ^ 92:52 - Opening up the Firewall then just using RDP to gain access
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 01:20 - Start of Recon
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 03:40 - GoBuster
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 04:45 - Getting banned and Pivoting to verify
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 10:20 - Logging into PFSense
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 16:50 - Manually Exploiting PFsense
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 38:30 - Using Metasploit to exploit
SENSE | https://www.youtube.com/embed/d2nVDoVr0jE ^ 42:00 - Creating a Bruteforce Script in Python ( CSRF )
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 01:08 - Start of Recon (NetDiscover/Masscan/Nmap)
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 05:37 - Finding the CGI Script and using Shellshock
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 10:00 - Start creating ShellShock python script
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 16:08 - Converting script "Forward Shell" for FW Evasion with mkfifo
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 40:00 - Adding Threading (Background Task) to improve script
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 45:00 - Script completed - Attempt to enumerate FW Rules
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 49:00 - Fumbling around with IPv6 (Check out Sneaky Video for more)
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 53:25 - Reverse shell via IPv6 and ncat
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 01:05:00 - Reading Bynarr's mail to get password and PrivEsc via LIME/Memory Dump
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 67:20 - Unintended PrivEsc via ShellShock + Environment Variables
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 78:20 - Begin of MITM (Man in the Middle) First with Ettercap
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 84:19 - Installing Bettercap2 + Usage
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 93:40 - Spoofing ARP and DNS with BetterCap
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 101:11 - Privesc to root via Git on case-insensitive FS
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 113:30 - Woot root, let's take a look at the IPTable FW
SOKAR | https://www.youtube.com/embed/k6ri-LFWEj4 ^ 116:00 - Explaining the exploit a bit better
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 00:23 - Explaining VM Layout
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 01:47 - Nmap Start
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 05:20 - Poking at Virtual Host Routing (Beehive & Calvin)
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 10:25 - Fixing GoBuster to find /cgi-bin/
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 11:48 - Enumerating WAF (Web Application Firewall), to see how it detects Shellshock
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 15:08 - Using VirtualHostRouting to navigate to Calvin.htb.htb
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 18:15 - Using ImageTragick to exploit Calvin
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 25:30 - Calvin Reverse shell returned
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 31:35 - Poking at /common, which allows pivot to Bastion Host
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 34:20 - SSH into the Bastion Host
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 38:45 - Explain SSH Local and Remote Port Forwarding
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 46:00 - Beehive Reverse Shell Returned
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 50:00 - Finding the root password via /common/containers/bastion-live/Dockerfile
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 54:50 - PrivEsc via Docker (much like the LXC shown in Calamity)
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 57:05 - Getting root access to filesystem
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 58:10 - Failing to get root shell via Crontab
ARIEKEI | https://www.youtube.com/embed/Pc4tzsn-ats ^ 66:20 - Yeah screw crontab, let's just create an ssh key.
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 02:08 - Begin of Recon
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 14:00 - XXE Detection on Fulcrum API
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 17:40 - XXE Get Files
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 23:40 - XXE File Retrieval Working
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 24:30 - Let's Code a Python WebServer to Aid in XXE Exploitation
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 47:28 - Shell Returned + Go Over LinEnum
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 56:49 - Finding WebUser's Password and using WinRM to pivot
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 66:00 - Getting Shell via WinRM, finding LDAP Credentials
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 74:00 - Using PowerView to Enumerate AD Users
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 87:06 - Start of getting a Shell on FILE (TroubleShooting FW)
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 95:35 - Getting shell over TCP/53 on FILE
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 97:58 - Finding credentials on scripts in Active Directory's NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 118:10 - Troubleshooting the error correctly and getting Domain Admin!
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 123:54 - Begin of unintended method (Rooting the initial Linux Hop)
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 129:54 - Root Exploit Found
FULCRUM | https://www.youtube.com/embed/46RJxJ-Fm0Y ^ 132:25 - Mounting the VMDK Files and accessing AD.
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 1:30 - Rabbit Hole - Searching for SuperCMS
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 6:23 - Running enumeration in the background (GoBuster)
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 12:53 - Manual Identification of SQL Injection
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 15:50 - SQL Injection Explanation
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 17:20 - Rabbit Hole - Starting SQLMap in the Background
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 18:10 - SQL Union Injection Explanation
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 19:30 - Identifying "Bad/Filtered Words" in SQL Injection
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 21:02 - SQL Union Finding number of items returned
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 21:48 - Returning data from Union Injection
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 22:48 - SQL Concat Explanation
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 23:55 - Enumerating SQL Databases Explanation (Information_Schema)
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 25:46 - Returning Database, Table, Columns from Information_Schema
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 29:30 - Scripting to dump all columns
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 36:45 - Listing of columns in SuperCMS
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 37:15 - Dumping User Credentials
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 41:36 - Logging in and exploiting SuperCMS
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 47:00 - Return of reverse shell
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 48:40 - Transferring small files from shell to my machine
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 50:56 - Using RsaCtfTool to decrypt contents with weak public key
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 52:52 - Breaking weak RSA manually
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 61:20 - Begin PrivEsc to Root
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 62:40 - Transferring large files with NC
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 63:50 - Analyzing SuperShell with BinaryNinja (Paid)
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 66:04 - Analyzing SuperShell with Radare2 (Free)
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 68:22 - Exploiting SuperShell
CHARON | https://www.youtube.com/embed/_csbKuOlmdE ^ 72:46 - Encore. Getting a Root Shell with SetUID Binary
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 01:05 - Start of Recon + Finding dompdf
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 08:30 - PHP Wrappers + Failed testing for RCE
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 11:35 - Writing Python Program to automate file disclosure bug
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 18:40 - Finding WebDav Configuration + Uploading Files for RCE
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 25:50 - Modifying Sokar's Forward Shell (PTY over HTTP)
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 33:55 - Forward shell returned
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 38:50 - Using Squid to pivot to ports listening locally + NMAP via ProxyChains
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 47:48 - Getting nmap on Inception to speed up scanning private network
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 59:16 - Nmap results returned for 192.168.0.1, FTP Anonymous Login
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 61:15 - Finding TFTP as a Running Service
INCEPTION | https://www.youtube.com/embed/J2I-5xPgyXk ^ 66:35 - Using TFTP to grab crontab & creating a pre-invoke apt script
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 01:20 - Start of nmap
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 03:22 - Poking at a rabbit hole (8080)
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 08:08 - GoBuster to find hidden directory
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 09:50 - Finding SQL Creds in hidden directory
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 13:40 - Using dbeaver to enumerate database
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 16:50 - Impacket-PSExec to Admin
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 19:00 - Proving James is not an Admin
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 20:35 - Using MSF to Enable Remote Desktop to do Incident Response
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 27:00 - Start of Remote Desktop Looking at Event Log + Active Directory
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 31:00 - Installing Sysmon to get better logs
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 36:15 - Looking at Sysmon Logs
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 42:20 - Proving the PrivEsc was due to Impacket-PSExec not cleaning up
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 48:00 - Using Forensics to get Service Creation Date
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 53:30 - Finding a HTB User creating a Git Issue to Impacket (LOL)
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 55:10 - Intended Route - Forging a Kerberos Ticket MS14-068
MANTIS | https://www.youtube.com/embed/VVZZgqIyD0Q ^ 71:00 - Explaining why the unintended route probably got created
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 01:26 - Enumeration Start
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 02:58 - WPScan Start
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 05:40 - Directory Scanning with GoBuster
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 10:54 - Examining WPScan Output
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 13:40 - Bruteforcing with WPScan
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 14:40 - Bruteforcing HTTP Post with Hydra
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 18:30 - Edit WP Theme to get Code Execution
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 22:09 - Return of Reverse Shell
APOCALYST | https://www.youtube.com/embed/TJVghYBByIA ^ 26:25 - Privilege Escalation World Writeable Passwd
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 01:25 - Begin of recon
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 02:20 - Wiresharking NMAP to identify fingerprint
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 05:53 - Checking the WebPage
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 09:15 - Finding /sync and why web browser has a 403
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 12:45 - Using wfuzz to find what arguments /sync takes
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 15:45 - The actual wfuzz command
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 20:30 - Finding Bad Characters with wfuzz
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 24:51 - Getting command execution
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 32:00 - Getting a reverse shell
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 43:40 - Privesc to root abusing custom script
FLUXCAPACITOR | https://www.youtube.com/embed/XLIBbkQJKuY ^ 47:48 - Examining how NGINX/OpenResty was configured
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 00:00 - Intro
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 00:44 - Recon + Web Enum
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 01:33 - SQL Injection
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 05:30 - Start of IPv6 Talk
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 06:30 - What is an IPv6 IP Address?
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 11:27 - Types of IPv6 Addresses
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 14:06 - IPv6 Subnetting Explained
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 21:20 - End of IPv6 Primer, Exploit time!
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 22:43 - Method 1: Getting MAC and calculating fe80
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 30:30 - Method 2: Enumerating Networks by pinging Multicast
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 33:56 - Extra: Getting Windows to respond from Multicast Ping
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 38:07 - Extra: NMAP Scanning ipv6 local networks
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 40:15 - Convert RPM to DEB (Needed for install nmap on tenten)
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 41:30 - Intended Solution: Getting IPv6 via SNMP
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 43:58 - No SNMP MIB Output
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 45:58 - Getting SNMP MIBS Installed and Configured
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 47:52 - Tool: Enyx - SNMPv6 Enumeration via Python
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 50:44 - Privesc Enumeration
SNEAKY | https://www.youtube.com/embed/1UGxjqTnuyo ^ 52:49 - Buffer Overflow
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 01:30 - Begin of recon
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 03:15 - Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 08:45 - Bruteforcing the SID with ODAT
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 10:15 - Holy crap, this is slow, let's also do it with Metasploit
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 13:00 - Bruteforcing valid logins with ODAT
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 16:00 - Credentials returned, logging into Oracle with SQLPlus as SysDBA
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 19:00 - Reading files from disk via Oracle
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 23:20 - Writing files to disk from Oracle. Testing it in WebRoot Directory
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 25:52 - File Written, let's write an ASPX WebShell to the Server
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 29:10 - WebShell Working! Let's get a Reverse Shell
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 31:28 - Reverse Shell Returned
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 32:24 - Finding a DropBox link, but password doesn't display well.
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 33:55 - Attempting to copy file via SMB to view UTF8 Text
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 35:18 - That didn't work, let's transfer the file by encoding it in Base64.
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 36:55 - Got the password, let's download the dump!
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 39:10 - Begin of Volatility
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 45:20 - Running the HashDump plugin from Volatility then PassTheHash with Administrator's NTLM!
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 47:35 - Begin of unintended way, examining odat and uploading a meterpreter exe
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 50:30 - Using odat externaltable to execute meterpreter and get a system shell!
SILO | https://www.youtube.com/embed/2c7SzNo9uoA ^ 52:20 - Examining odat verbosity flag to see what commands it runs and try to learn.
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 05:20 - Explanation of Virtual Host Routing
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 09:50 - Developer's name exposed in HTML Source, also discover /monitor
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to understand CSRF and write an automated bruteforcer
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 16:33 - Discovery of Internal-01.bart.htb
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 19:17 - Harvey's Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 29:34 - Finally got Hydra to return the password!
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 32:20 - Log Poisoning + LFI = Remote Code Execution
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 37:30 - Return of Reverse Shell
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 41:30 - Why you should check if you're a 32-bit process on a 64-bit machine
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 63:40 - ARGH! Let's try to use this account via Empire
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 71:00 - Bring out the big guns, it's Metasploit Time!
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 78:10 - Alright, let's poke a hole in the firewall and connect over SMB!
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 81:17 - Failed to PSExec in MSF
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 81:40 - Found Impacket-PSExec! And it works!
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 83:45 - Let's go hunt for creds!
BART | https://www.youtube.com/embed/Cz6vQvGGiuc ^ 95:23 - Cracking Salted Hashes with Hashcat (Sha256.Salt)
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 01:28 - Begin of recon
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 02:20 - GoBuster
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 03:30 - admin.php discovered, finding the pw
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 04:50 - Getting Code Execution
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 07:45 - Finding out why Reverse Shells weren't working
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 09:45 - Getting a reverse shell by renaming nc
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 11:30 - Transferring files via nc
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 14:00 - Opening the wav file
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 16:25 - Using audiodiff to identify differences in sound
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 17:05 - The next step, why is the same song there twice?
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 19:25 - Importing files into Audacity and Inverting
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 22:25 - Attempting to exploit the process blacklist
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 24:25 - Unintended root LXC Background
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 28:30 - Creating an Alpine LXC
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 30:40 - Importing the image into lxc
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 32:00 - Creating the container
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 32:40 - Adding the host drive to container
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 34:20 - Starting the container and entering it
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 35:05 - Examining the Process Blacklist script
CALAMITY | https://www.youtube.com/embed/EloOaaGg3nA ^ 35:54 - Running through the exploit again on an Ubuntu Host
IppsecTribute V1.1
It doesn't matter whether you're a nooby or a seasoned Pentester, we all love Ippsec's videos and we all can learn a lot from them!
Here is a simple way to search for keywords (like sql, gobuster, tftp, Burp, Impacket, etc.) through all of his videos.
The search is not case sensitive, so just give it a try :)
EDIT: you can get the full page here. I try to keep the page updated, but if you like you can of course just download it and run it locally :)