HackTheBox - AirTouch

00:00 - Introduction
00:50 - Start of nmap
02:15 - Playing with UDPx, which is a fast UDP scanner
05:00 - Running SNMPWalk and seeing the password is in the system description
07:00 - There were some pictures in the home directory, looking at them to see network diagrams
09:50 - Discovering airodump-ng is on the box. Looking at wireless networks, showing we could manually do this from iwlist as well
14:40 - Showing Airodump by default only scanning 2.4 GHz, changing the bands to include 5 GHz channels to get more information
21:00 - Looking at authentication methods, seeing the Internet uses WPA PSK, which is crackable
25:50 - Adding the WPA PSK into Wireshark so it decrypts for me, grabbing cookies from an HTTP packet to bypass auth
27:30 - Joining the Airtouch-Internet wifi network, then accessing the web portal
34:00 - Uploading a PHP script with phtml extension to get RCE
38:50 - Testing networks by manually adding routes to see if any can talk to 10.10.10.0/24
41:00 - Finding SSL certificates, copying them to the initial box so we can run EapHammer to perform the evil twin attack
44:30 - Running EapHammer, then performing the deauth attack on both office access points to get a client to connect to us
48:20 - Connecting to the Office Network, then discovering more credentials in hostapd configuration
51:30 - Switching to admin, which can su to root