HackTheBox – Aero




00:00 – Introduction
00:56 – Start of nmap
04:20 – Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 – Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 – Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 – Testing our DLL from our Windows computer
13:30 – Creating the malicious Windows Theme
17:20 – Setting up a SOCAT forward to send port 445 from our Linux box to our Windows box
19:20 – Updating the IP Address in our DLL and then getting a shell
22:10 – Downloading the PDF by converting it to base64 and then copying and pasting it to our box
23:45 – Researching CVE-2023-28252, a Windows local privilege escalation in the Common Log File System (CLFS) that was patched back in April 2023
26:30 – Opening the CLFS exploit in Visual Studio, placing a PowerShell web cradle in it to send a reverse shell, and getting root
32:30 – Beyond root: Changing the DLL we used for the foothold to just execute code upon DLL attach and not export anything
