HackTheBox - Vault

01:08 - Begin of Recon
03:08 - Begin of GoBustering
07:15 - Discovery of an image upload script
08:39 - Attempting to bypass the upload filter
12:46 - Reverse Shell to ubuntu Returned. Examining Web Source
15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost
19:27 - Resume of poking around the host, discover passwords and other hosts in /home
23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo)
24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop.
27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN
28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web.
32:55 - Machine reverted, getting back to where I started.
34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box.
36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports.
38:58 - Exploring the DNS Server box.
39:26 - Finding a password in /home/dave/ssh
40:15 - Discovering Vault's IP Address in /etc/hosts
41:20 - Perfoming a NMAP on the vault box, discover two ports closed
41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987
43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6
49:47 - How to set the source port with SSH via ncat
50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03
51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu
54:45 - The file has been copied, using gpg to decrypt the file.
55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC
57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine.
57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key
58:00 - Editing grub to get a root shell without a password
58:56 - Changing the password to root, then rebooting again
59:30 - Logging in with the new password.