#hackthebox
#htb
#hacking

Hack The Box - Flight

00:00 - Introduction
01:00 - Start of Nmap
03:00 - Playing with the web page, but everything is static doing a VHOST Bruteforce to discover school.flight.htb
07:10 - Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code
09:20 - Since this is a Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it
13:30 - Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users
18:30 - Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password
20:20 - Checking the shares with S.Moon and discovering we can write to the Shared Directory
21:30 - Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini
26:18 - C.Bum can write to Web, dropping a reverse shell
29:30 - Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to
32:40 - Using RunasCS.EXE to switch users to cbum
37:30 - Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool
48:00 - Reverse shell returned as DefaultAppPool, showing it is a System Account
50:05 - Uploading Rubeus and stealing the kerberos ticket of the system account, which because this is a DC we can DCSync
52:50 - Running DCSync

https://www.youtube.com/watch?v=Jor8DNWLmiM

#hackthebox
#htb
#hacking

HackTheBox - Interface

00:00 - Introduciton
00:50 - Start of nmap, navigating to the page and identifying the framework based upon 404
02:30 - Playing around looking at javascript source, not getting anything
04:30 - Playing around with prd.m.rengering-api.interface.htb... I'm guessing file not found is the webserver, not actual code.
07:40 - Showing the difficulty of dirbusting API Servers
11:20 - Showing importance of updating FeroxBuster
15:00 - Playing with the HTML2PDF endpoint and discovering we need to send a POST with HTML as an argument
18:20 - The PDF Generated has dompdf 1.2.0 in the exif data searching for exploits
20:40 - Researching how CVE-2022-28368 works, then manually exploiting the vulnerabiltiy
28:50 - The CSS/Font is created, running the exploit and finding where the Font (PHP File) gets uploaded to
34:30 - Reverse shell returned
38:15 - Uploading pspy to examine how the box cleans itself up
40:20 - Discovering and exploiting Bash Arithmetic Injection

https://www.youtube.com/watch?v=yM914q6zS-U

#hackthebox
#htb
#hacking

HackTheBox - Precious

00:00 - Introduction
01:00 - Start of nmap
02:00 - Checking out the web page and finding command injection in the URL
03:20 - Space appears to be a bad character with command injection. Normal tricks like brace expansion or IFS don't work.
07:20 - Trying IFS to be a space but the trailing character makes it difficult
12:00 - Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it
13:00 - The POC puts a space before the exploit which then removes the space being a bad character in our exploit
14:29 - Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space
20:30 - End of edit, shell as ruby, discovering credentials in a config file for henry
22:53 - Henry can run sudo, discover he can execute a ruby script
25:50 - Looking up a ruby deserialization exploit with YAML
27:35 - Finding a different payload and getting a root shell

https://www.youtube.com/watch?v=2XSFWiGa2j0

#hackthebox
#htb
#hacking

HackTheBox - Absolute

00:00 - Intro
01:00 - Start of nmap discovering Active Directory (AD)
04:15 - Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata
06:45 - Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones
13:55 - Building Kerbrute from source to get the latest feature of auto ASREP Roasting
16:20 - Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash
21:30 - Running Bloodhound with D.Klay, using Kerberos authentication
24:50 - Going over the bloodhound data and finding some attack paths
31:13 - Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description
34:45 - EDIT: Don't want to use Blodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file
40:30 - End of edit: Using SMBClient with SVC_SMB and Kerberos to download files
46:22 - Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows
53:45 - Running test.exe and getting m.lovegod's password from LDAP
56:30 - Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user
57:30 - Pulling a version of Impacket that has DACLEDIT and building it
1:01:00 - Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him
1:08:20 - Running Certipy to add shadow credentials to winrm_user so we can login
1:12:00 - Using WinRM to login to the box with our shadow credential
1:15:30 - Start of fumbling around with KRBRelay to privesc
1:18:40 - Using RunasCS to change our LoginType which may allow us to run KRBRelay
1:27:40 - Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group

https://www.youtube.com/watch?v=rfAmMQV_wss

#hackthebox
#htb
#hacking

HackTheBox - Bagel

00:00 - Introduction
01:00 - Start of nmap
02:50 - Taking a look at the web page
04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code
06:30 - Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets
07:55 - Using wscat to test the websocket
09:00 - Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll
13:45 - Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files
15:00 - Looking at what TypeNameHandling means in NewtonSoft's deserialize
20:00 - Looking for a gadget to use with our deserialization
21:40 - Building the deserialization payload
23:20 - Dumping Phil's SSH Key, then logging in
25:00 - The dotnet app, had developers password, switching to that user
25:50 - Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.

https://www.youtube.com/watch?v=teHGtY_ta40

#hackthebox
#hacking
#htb

HackTheBox - TwoMillion

00:00 - Intro
00:18 - Start of nmap, scanning all ports with min-rate
02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page
04:00 - Attempting to enumerate usernames
05:10 - Solving the HackTheBox Invite Code Challenge
05:50 - Sending the code to JS-Beautify
06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code
10:40 - Creating an account and logging into the platform then identifying what we can do
16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones
17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag
22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin
24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability
26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords
30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc
32:00 - Searching for the OverlayFS Kernel Exploit
35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it
37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef
42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)
43:30 - Testing for command injection with a poisoned username
47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function

https://www.youtube.com/watch?v=Exl4P3fsF7U

#hackthebox
#htb
#hacking

HackTheBox - Soccer

00:00 - Introduction
01:00 - Start of nmap, assuming the web app is NodeJS based upon a 404 message
04:20 - Running Gobuster and discovering Tiny File Manager
06:00 - Looking for the source code and finding a default password of admin@123
06:45 - Navigating to uploads and attempting to upload a php shell to the website
07:45 - Getting a reverse shell with our php shell
09:00 - Reverse shell returned
09:30 - Talking about hidepid=2 is set, so we can't see processes for other users
10:00 - Looking at nginx configuration to see what port 9091 is and discovering a new subdomain (soc-player.soccer.htb)
11:00 - Navigating to soc-player.soccer.htb and discovering a few more pages
12:00 - The /check endpoint looks like it is vulnerable to Boolean SQL Injection
13:00 - Intercepting the websocket in BurpSuite and showing
15:20 - Using SQLMap to dump the database, first time I've used SQLMap with websockets
23:30 - Attempting to ssh with creds found in the database and logging in as player
26:50 - Running LinPEAS
30:50 - Looks like we can run doas, which is like sudo. Looking at the command we can run and seeing dstat
33:30 - Creating a dstat plugin, then executing it with doas

https://www.youtube.com/watch?v=V_CkT7xyiCc

#hackthebox
#htb
#hacking

HackTheBox - Escape

00:00 - Introduction
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql
10:00 - Using mssqlclient to login to access MSSQL
10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it
18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate
20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper
23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate
25:00 - Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them
26:00 - Cannot use the certificate for WinRM because there isn't SSL (5986)
30:00 - Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash
33:30 - Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box
37:40 - Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works
41:10 - Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets
43:00 - Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator

https://www.youtube.com/watch?v=PS2duvVcjws

#hackthebox
#htb
#hacking

HackTheBox - Stocker

00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express
05:00 - Explaining why I'm trying these injections
07:00 - Bypassing login with mongodb injection by setting both username and password to not equals instead of equals
09:10 - Playing with the e-commerce store and seeing it gives us a PDF
10:45 - Using exiftool to see how the PDF was generated
12:05 - Inserting an HTML IFRAME when we purchase an item to see if the PDF Generated will include local files
17:00 - Extracting /var/www/dev/index.js and getting the mongodb password which lets us log into the server
19:50 - The order numbers don't appear to be that random, looking at the source code to identify how this is generated. It's just mongo's object ID which is heavily based upon time stamps
26:00 - Looking at sudo, we can perform a directory traversal to execute run any .js file as root
27:50 - Showing that you can now put regex in the Sudoers file which would fix this exploit

https://www.youtube.com/watch?v=fWMHh8GYqJE

#hackthebox
#hacking
#htb

HackTheBox - Busqueda

00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root


https://www.youtube.com/watch?v=5dHgfviJWmg

#hackthebox
#htb
#hacking

HackTheBox - Pikatwoo

00:00 - Introduction
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout
14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times
25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it
35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat
40:15 - Using Frida to disable TLS Certificate Pinning on Flutter
45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request
49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website
58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password
1:04:45 - Logging into the docs, gaining access to the API and finding an LFI
1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI
1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution
1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets
1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code
1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with
2:11:10 - Explioting the CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)


https://www.youtube.com/watch?v=gRj9Uz8_EOY

#hackthebox
#htb
#hacking

HackThebox - Wifinetic

00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver has this capability is interesting
14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a Bash Function so its easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3.
30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong
31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.

https://www.youtube.com/watch?v=jj4r5lwnCp8

#hackthebox
#htb
#hacking

HackTheBox - Snoopy

00:00 - Introduction
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running with PHP Enabled, then running gobuster
13:00 - Attacking the file download and discovering File Disclosure
15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent
19:30 - Automating the File Disclosure by creating a python script
24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS
30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us
34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset
39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us
42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password
50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946.
1:08:50 - sbrown can run clamscan in debug mode as root
1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)
1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key

https://www.youtube.com/watch?v=6tn30O0SjVQ

#hackthebox
#htb
#hacking


HackTheBox - Aero

00:00 - Introduction
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 - Testing our DLL from our windows computer
13:30 - Creating the malicious Windows Theme
17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box
19:20 - Updating the IP Address in our DLL and then getting a shell
22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box
23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 2023
26:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root
32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.

https://www.youtube.com/watch?v=g01cZciFI9o

#hackthebox
#htb
#hacking

HackTheBox - Format

00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see what it does
07:30 - Making sense of how the sitebuilder works
14:20 - Examining the source code, discovering a file disclosure
24:00 - Creating a python script to automate the File Disclosure
48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to
55:00 - Looking at how the site adds a pro license to users
58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user
1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is
1:08:48 - Uploading a PHP Script to get code execution
1:13:55 - Dumping the REDIS Database and getting cooper's password
1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability

https://www.youtube.com/watch?v=WiTgB9BRrmM

#hackthebox
#htb
#hacking

HackTheBox - PC

00:00 - Introduction
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using Verbose with GRPCurl to get extra information which includes an JWT
16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite
19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)
21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box
24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it
26:00 - Finding a public POC and running it to exploit PyLoad

https://www.youtube.com/watch?v=AQSLvalzW8g

#hackthebox
#htb
#hacking

HackTheBox - Intentions

00:00 - Introduction
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain what I think is going on, its using FIND_IN_SET
14:20 - Discovering space is a bad character and when this happens using the -- comment is bad
17:48 - Manually dumping the database with union statements
25:18 - Using SQL Map showing this SQL Injection
30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash
38:28 - Logged in as an admin (Steve)
42:10 - Talking about Exploiting PHP Object Instanatiations then exploiting ImageMagick
1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password
1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time
1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time

https://www.youtube.com/watch?v=YmRDV0JR4qg

#hackthebox
#htb
#hacking

HackTheBox - Jupiter

00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupityr Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for jupityr files and discovering the token, which enables us login to Jupityr notebooks and get a shell as
28:45 - Jovian can run sattrack as as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrick config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron

https://www.youtube.com/watch?v=HOvVjVw3pww

#hackthebox
#htb
#hacking

HackTheBox - Visual

00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens while will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GotPotato to abuse the SeImpersonate Privilege and run code as system

https://www.youtube.com/watch?v=ZJDefj0K9Jw

#hackthebox
#htb
#hacking

HackTheBox - Hospital

00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password

https://www.youtube.com/watch?v=E8h0qWsBz6c