HackTheBox - Napper

Published: 04 May 2024
on channel: IppSec
11,246 views, 309 likes

00:00 - Introduction
00:55 - Start of nmap, showing -vv will cause the output to contain TTL
04:40 - Checking out the website
05:23 - Doing a VHOST Bruteforce to discover the internal domain and discovering credentials on a blog post
07:30 - Checking out the NAPLISTENER blog post, which gives us a way to enumerate for the NAPLISTENER implant
10:30 - Showing the Backdoor code to discover how it works
12:30 - Building a DotNet Reverse Shell and renaming the method to Run, then using Mono (mcs) to compile
14:45 - Converting the DLL to base64 and getting NAPLISTENER to execute it
19:20 - Discovering a draft blog post talking about them getting rid of LAPS and building a custom solution that uses Elastic
24:00 - Setting up a tunnel with Chisel so we can talk to Elastic
25:55 - Using curl to enumerate Elastic
30:20 - Reversing the Golang binary with Ghidra
42:30 - Creating a Golang Binary to grab a document (seed), then using search to grab the blob, and decrypting it with AES-CFB
47:30 - Connecting to Elastic, using a Proxy
56:00 - Grabbing the Seed with the Golang Elastic Library
1:03:00 - Grabbing the Blob with Golang Elastic Library
1:09:45 - Using the Seed to generate our 16 byte key
1:13:53 - Creating a decrypt function
1:16:30 - Getting the plaintext, then using RunasCs to get a reverse shell as the backup user, which is a local administrator
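The last stretch of the video (seed document, blob, 16-byte key, AES-CFB) is the part worth having in code. The block below is an added example written for this page, not IppSec's solve script or the box's own binary: the seed-to-key derivation (math/rand seeded with the integer and 16 bytes drawn from it), the blob layout (IV followed by ciphertext, base64-encoded), and every sample value are assumptions labelled in the comments, since the chapter list only says the seed yields a 16-byte key that decrypts the blob with AES-CFB. The wrong-seed case is included because CFB has no padding or authentication: a bad key returns garbage rather than an error, which matters when you are iterating over candidate seeds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"math/rand"
)

// Constructed sample values for this example; nothing here comes from the box.
const (
	sampleSeed      int64 = 1337
	samplePlaintext       = "backup:S3cr3tP@ss!"
)

// keyFromSeed turns the integer "seed" document into a 16-byte AES-128 key.
// Assumption: the seed initialises math/rand and the key is 16 bytes drawn
// from it. The video only says the seed yields a 16-byte key; the derivation
// inside the real binary is not reproduced here. A PRNG seeded from a value
// stored next to the ciphertext is not a KDF, which is exactly why the blob
// is recoverable once both documents are readable in Elastic.
func keyFromSeed(seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	key := make([]byte, aes.BlockSize)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}

// encryptCFB builds a blob in the layout decryptCFB expects: IV || ciphertext,
// base64-encoded. It exists so the example has a blob to decrypt offline.
func encryptCFB(key, iv, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return base64.StdEncoding.EncodeToString(out), nil
}

// decryptCFB reverses encryptCFB. CFB is a stream mode: there is no padding
// to check and no authentication tag, so a wrong key still "succeeds" and
// returns garbage. Callers must sanity-check the plaintext they get back.
func decryptCFB(key []byte, blobB64 string) ([]byte, error) {
	data, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("blob shorter than one AES block: no IV present")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	key := keyFromSeed(sampleSeed)
	iv := []byte("0123456789abcdef") // constructed, fixed so the run is repeatable
	blob, err := encryptCFB(key, iv, []byte(samplePlaintext))
	if err != nil {
		panic(err)
	}
	fmt.Println("blob:", blob)

	pt, err := decryptCFB(keyFromSeed(sampleSeed), blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("correct seed -> %q\n", pt)

	// Wrong seed: no error, just wrong bytes. When brute-forcing or guessing
	// the seed, test the output for printable credentials instead of trusting
	// a nil error.
	bad, _ := decryptCFB(keyFromSeed(sampleSeed+1), blob)
	fmt.Printf("wrong seed   -> %q\n", bad)
}
```

In the box the seed and blob come out of Elastic via the Go Elastic client through the Chisel tunnel; here they are constructed inline so the decryption logic can be run and checked without the target. If the real binary derives its key differently, only keyFromSeed needs to change; the CFB handling and the IV-prefix check stay the same.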
