#hackthebox
#htb
#hacking
HackTheBox - Investigation
00:00 - Introduction
01:00 - Start of nmap
02:00 - Start of gobuster
04:00 - Discovering an upload form, looking for where things get uploaded
05:50 - The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935
08:11 - You should really watch "The Perl Jam"
08:40 - Showing the weird syntax of perl's file open and how | leads to RCE
16:15 - Back to the box, exploiting and getting a shell
20:00 - Reverse shell returned, looking at the uploaded files
22:35 - Running LinPEAS to discover a cron
27:00 - There's an outlook email message with an attachment. Copying it then converting to eml format and extracting the file
32:45 - The file was a Windows event log. Using Chainsaw to search through the logs
38:30 - Using Chainsaw and JQ to parse the Successful and Failed logins
42:25 - In the failed logins field, there's a password as a username and logging in as smorton
44:35 - There's a binary on this box, copying it to us and opening in Ghidra
45:30 - Start of reversing, just showing strings and finding out where they get loaded in the program
47:00 - Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense
51:30 - Retyping done, renaming a few variables to make things easier to read
53:45 - Cleaning up the curl_easy_setopt code by creating an enum in C then using Ghidra to "Parse C Source"
59:20 - Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts
1:01:05 - Showing there is also a race condition in the binary because the curl downloads to CWD and even though it's owned by root we can rename it and take control over the file
https://www.youtube.com/watch?v=X5hVEuWmehk
#hackthebox
#htb
#hacking
HackTheBox - MetaTwo
00:00 - Introduction
01:00 - Start of nmap, attempting to login with FTP then going to the website
02:45 - Running WPScan with enumerate all plugins in aggressive mode
04:00 - Taking a look at the site while WPScan runs and finding a plugin (BookingPress-Appointment-Booking) and finding an exploit
06:15 - Replacing the NONCE in the exploit to get it working
09:00 - Using SQLMap to dump everything, while we attempt to get only the data we think we are interested in.
11:00 - Manually dumping the WP_USERS table with the SQL Injection
13:25 - Cracking the wordpress hashes to get a user credential
16:57 - EDIT: Playing with SQLMap to get it to dump this database
23:30 - Searching for Wordpress 5.6.2 exploits, discovering an XXE in WAV Files
25:20 - Using the XXE to exfil files off the webserver
30:20 - Discovering FTP Credentials in the WP Config, logging into the FTP Server and finding SSH Credentials
32:40 - Logging in as JNelson and seeing PassPie, which is a CLI Password Manager that uses PGP/GPG Keys
34:30 - Cracking the PGP/GPG Key with John and getting root
https://www.youtube.com/watch?v=Alx5KQWq7ZM
#hackthebox
#htb
#hacking
Hack The Box - Flight
00:00 - Introduction
01:00 - Start of Nmap
03:00 - Playing with the web page, but everything is static; doing a VHOST Bruteforce to discover school.flight.htb
07:10 - Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code
09:20 - Since this is Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it
13:30 - Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users
18:30 - Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password
20:20 - Checking the shares with S.Moon and discovering we can write to the Shared Directory
21:30 - Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini
26:18 - C.Bum can write to Web, dropping a reverse shell
29:30 - Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to
32:40 - Using RunasCS.EXE to switch users to cbum
37:30 - Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool
48:00 - Reverse shell returned as DefaultAppPool, showing it is a System Account
50:05 - Uploading Rubeus and stealing the kerberos ticket of the system account, which because this is a DC we can DCSync
52:50 - Running DCSync
https://www.youtube.com/watch?v=Jor8DNWLmiM
#hackthebox
#htb
#hacking
HackTheBox - Interface
00:00 - Introduction
00:50 - Start of nmap, navigating to the page and identifying the framework based upon 404
02:30 - Playing around looking at javascript source, not getting anything
04:30 - Playing around with prd.m.rengering-api.interface.htb... I'm guessing file not found is the webserver, not actual code.
07:40 - Showing the difficulty of dirbusting API Servers
11:20 - Showing importance of updating FeroxBuster
15:00 - Playing with the HTML2PDF endpoint and discovering we need to send a POST with HTML as an argument
18:20 - The PDF Generated has dompdf 1.2.0 in the exif data searching for exploits
20:40 - Researching how CVE-2022-28368 works, then manually exploiting the vulnerability
28:50 - The CSS/Font is created, running the exploit and finding where the Font (PHP File) gets uploaded to
34:30 - Reverse shell returned
38:15 - Uploading pspy to examine how the box cleans itself up
40:20 - Discovering and exploiting Bash Arithmetic Injection
https://www.youtube.com/watch?v=yM914q6zS-U
#hackthebox
#htb
#hacking
HackTheBox - Precious
00:00 - Introduction
01:00 - Start of nmap
02:00 - Checking out the web page and finding command injection in the URL
03:20 - Space appears to be a bad character with command injection. Normal tricks like brace expansion or IFS don't work.
07:20 - Trying IFS to be a space but the trailing character makes it difficult
12:00 - Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POCs against it
13:00 - The POC puts a space before the exploit which then removes the space being a bad character in our exploit
14:29 - Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space
20:30 - End of edit, shell as ruby, discovering credentials in a config file for henry
22:53 - Henry can run sudo, discover he can execute a ruby script
25:50 - Looking up a ruby deserialization exploit with YAML
27:35 - Finding a different payload and getting a root shell
https://www.youtube.com/watch?v=2XSFWiGa2j0
#hackthebox
#htb
#hacking
HackTheBox - Absolute
00:00 - Intro
01:00 - Start of nmap discovering Active Directory (AD)
04:15 - Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata
06:45 - Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones
13:55 - Building Kerbrute from source to get the latest feature of auto ASREP Roasting
16:20 - Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash
21:30 - Running Bloodhound with D.Klay, using Kerberos authentication
24:50 - Going over the bloodhound data and finding some attack paths
31:13 - Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description
34:45 - EDIT: Don't want to use Bloodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file
40:30 - End of edit: Using SMBClient with SVC_SMB and Kerberos to download files
46:22 - Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows
53:45 - Running test.exe and getting m.lovegod's password from LDAP
56:30 - Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user
57:30 - Pulling a version of Impacket that has DACLEDIT and building it
1:01:00 - Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him
1:08:20 - Running Certipy to add shadow credentials to winrm_user so we can login
1:12:00 - Using WinRM to login to the box with our shadow credential
1:15:30 - Start of fumbling around with KRBRelay to privesc
1:18:40 - Using RunasCS to change our LoginType which may allow us to run KRBRelay
1:27:40 - Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group
https://www.youtube.com/watch?v=rfAmMQV_wss
#hackthebox
#htb
#hacking
HackTheBox - Bagel
00:00 - Introduction
01:00 - Start of nmap
02:50 - Taking a look at the web page
04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code
06:30 - Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets
07:55 - Using wscat to test the websocket
09:00 - Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll
13:45 - Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files
15:00 - Looking at what TypeNameHandling means in NewtonSoft's deserialize
20:00 - Looking for a gadget to use with our deserialization
21:40 - Building the deserialization payload
23:20 - Dumping Phil's SSH Key, then logging in
25:00 - The dotnet app had the developer's password, switching to that user
25:50 - Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.
https://www.youtube.com/watch?v=teHGtY_ta40
#hackthebox
#hacking
#htb
HackTheBox - TwoMillion
00:00 - Intro
00:18 - Start of nmap, scanning all ports with min-rate
02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page
04:00 - Attempting to enumerate usernames
05:10 - Solving the HackTheBox Invite Code Challenge
05:50 - Sending the code to JS-Beautify
06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code
10:40 - Creating an account and logging into the platform then identifying what we can do
16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones
17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag
22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin
24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability
26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords
30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc
32:00 - Searching for the OverlayFS Kernel Exploit
35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so I don't feel bad about running it
37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which can be done pretty much in CyberChef
42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)
43:30 - Testing for command injection with a poisoned username
47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function
https://www.youtube.com/watch?v=Exl4P3fsF7U
#hackthebox
#htb
#hacking
HackTheBox - Soccer
00:00 - Introduction
01:00 - Start of nmap, assuming the web app is NodeJS based upon a 404 message
04:20 - Running Gobuster and discovering Tiny File Manager
06:00 - Looking for the source code and finding a default password of admin@123
06:45 - Navigating to uploads and attempting to upload a php shell to the website
07:45 - Getting a reverse shell with our php shell
09:00 - Reverse shell returned
09:30 - Talking about hidepid=2 being set, so we can't see processes for other users
10:00 - Looking at nginx configuration to see what port 9091 is and discovering a new subdomain (soc-player.soccer.htb)
11:00 - Navigating to soc-player.soccer.htb and discovering a few more pages
12:00 - The /check endpoint looks like it is vulnerable to Boolean SQL Injection
13:00 - Intercepting the websocket in BurpSuite and showing
15:20 - Using SQLMap to dump the database, first time I've used SQLMap with websockets
23:30 - Attempting to ssh with creds found in the database and logging in as player
26:50 - Running LinPEAS
30:50 - Looks like we can run doas, which is like sudo. Looking at the command we can run and seeing dstat
33:30 - Creating a dstat plugin, then executing it with doas
https://www.youtube.com/watch?v=V_CkT7xyiCc
#hackthebox
#htb
#hacking
HackTheBox - Escape
00:00 - Introduction
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, then using CME again to test smb, winrm, and mssql
10:00 - Using mssqlclient to login to access MSSQL
10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it
18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate
20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper
23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate
25:00 - Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them
26:00 - Cannot use the certificate for WinRM because there isn't SSL (5986)
30:00 - Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash
33:30 - Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box
37:40 - Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works
41:10 - Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets
43:00 - Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator
https://www.youtube.com/watch?v=PS2duvVcjws