https://stream.echo6.co/videos/watch/cfcdf6ea-4edb-4157-b1e6-bb3c34fae9b3 00:00 - Intro 01:05 - Start of nmap 02:50 - Checkign out the open SVN Port 03:45 - Adding the discovered domains to /etc/hosts and checking out the websites 05:30 - Some grep magic to show only what we want, which is URLS 09:15 - Using GoBuster to see if there are any more more VHOSTS 11:00 - Checking out the SVN and seeing creds in a previous revision (commit) 13:00 - Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to deploy master branch to a server 15:00 - Pushing our webshell to the git master branch and getting shell on the box 16:10 - Choosing the revshell out of the tennc github page 21:40 - Creating a powershell one liner to get a reverse shell via Nishang 24:30 - Discovering SVN Credentials and using CrackMapExec to find valid passwords 28:50 - CrackMapExec was giving me issues, installing it from source with Poetry 30:00 - Using CrackMapExec to test a list of credentials without bruteforcing all passwords to all users 32:10 - Using WinRM to get a shell as Robisl 35:10 - Logging into Azure Devops as Robisl and discovering we can edit the build pipeline 39:45 - Copying our reverse shell to the box, so we can easily execute it from the build pipeline and getting admin 41:30 - UNINTENDED: Doing the box via RoguePotato 42:50 - Poorly explaining why we need to use chisel 45:50 - Running Chisel to setup a reverse port forward between the target and our box 52:15 - Setting up SoCAT to go through our tunnel 52:50 - Executing RoguePotato to get an admin shell 53:30 - Explaining the tunneling again in MSPaint. Hope this helps. 1:01:40 - Doing RoguePotato without socat, just a single Chisel tunnel Wed, 15 Apr 2026 09:43:30 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/cfcdf6ea-4edb-4157-b1e6-bb3c34fae9b3 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.