00:30 – Beginning of Recon

01:55 – Creating an entry in /etc/hosts for reblog.htb (found on webpage)

04:00 – Reading each blog post and taking notes

07:50 – Poking at SMB to see MALWARE_DROPBOX

08:30 – Digging into why SMBMAP says READ_ONLY. Don’t get anywhere, but it’s an impacket thing?

12:45 – Installing LibreOffice, then creating a macro to ping us

16:45 – Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of video)

18:00 – Converting our obfuscated macro to a PowerShell cradle/one-liner (iconv to make it UTF-16LE)

22:20 – Reverse shell returned as LUKE, showing a way to get a logged-in user’s hash and attempting to crack it

26:25 – Running WinPEAS.bat (will do EXE at the end of the video)

35:45 – Going over the process_sample.ps1 script to discover a potential WinRAR Vulnerability

38:09 – Using evilWinRAR to generate a ZipSlip-like file, forgetting a trailing slash and doing quite a bit of troubleshooting

49:00 – Switching up the ASPX Shell by using one from the TennC Repository

52:35 – Reverse shell as the IIS User

53:30 – Using a Ghidra XXE vulnerability to steal the user’s hash

57:00 – Copying the XXE Vulnerability in POC

01:04:45 – Lol. Found out what I was zipping incorrectly

01:07:30 – Cracking the new hash we just got

01:09:20 – Using PowerShell Invoke-Command as a different user

01:12:55 – Beginning of unintended route (changing the macro to use Regsvr32 with an SCT file instead of CMD /c)

01:21:20 – Downloading SharpUp and WinPEAS to compile executables

01:27:30 – Using rlwrap for our reverse shell so we have a semi-proper TTY on Windows

01:28:45 – Running PowerUp to identify the bad service and playing with a few commands to show what is happening

01:33:10 – Running WinPEASEXE to show the output

01:35:30 – Enabling RDP so we can see the error message SharpUp threw

01:37:50 – Changing DotNet version in the project properties to get SharpUp working on the box
