HackTheBox - Remote

00:00 - Intro
01:00 - Begin of nmap, enumerate ftp, and smb
05:32 - Taking a look at the website to discover umbraco
10:50 - Examining NFS with showmount
16:00 - Discovering umbraco.sdf on NFS is a database and contains the admin password
21:15 - Logging into umbraco and discovering the unauthenticated RCE
23:35 - Editing the umbraco exploit to ping our box
26:30 - Getting a reverse shell using Invoke-WebRequest instead of (New-Object Net.WebClient)
30:30 - Running WinPEAS to discover UsoSvc service is editable
37:00 - Editing the UsoSvc binpath to execute our reverse shell
40:15 - Alternate Path: Using Rogue Potato to get a shell