#hackthebox
#htb
#hacking
HackTheBox - Escape
00:00 - Introduction
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql
10:00 - Using mssqlclient to login to access MSSQL
10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it
18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate
20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper
23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate
25:00 - Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them
26:00 - Cannot use the certificate for WinRM because there isn't SSL (5986)
30:00 - Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash
33:30 - Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box
37:40 - Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works
41:10 - Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets
43:00 - Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator
https://www.youtube.com/watch?v=PS2duvVcjws
#htb
#hacking
HackTheBox - Escape
00:00 - Introduction
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql
10:00 - Using mssqlclient to login to access MSSQL
10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it
18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate
20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper
23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate
25:00 - Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them
26:00 - Cannot use the certificate for WinRM because there isn't SSL (5986)
30:00 - Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash
33:30 - Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box
37:40 - Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works
41:10 - Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets
43:00 - Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator
https://www.youtube.com/watch?v=PS2duvVcjws
YouTube
HackTheBox - Escape
00:00 - Introduction
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading…
01:00 - Start of nmap
03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority
05:45 - Using CrackMapExec to enumerate file shares
06:30 - Accessing the Public Share, downloading…
#hackthebox
#htb
#hacking
HackTheBox - Stocker
00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express
05:00 - Explaining why I'm trying these injections
07:00 - Bypassing login with mongodb injection by setting both username and password to not equals instead of equals
09:10 - Playing with the e-commerce store and seeing it gives us a PDF
10:45 - Using exiftool to see how the PDF was generated
12:05 - Inserting an HTML IFRAME when we purchase an item to see if the PDF Generated will include local files
17:00 - Extracting /var/www/dev/index.js and getting the mongodb password which lets us log into the server
19:50 - The order numbers don't appear to be that random, looking at the source code to identify how this is generated. It's just mongo's object ID which is heavily based upon time stamps
26:00 - Looking at sudo, we can perform a directory traversal to execute run any .js file as root
27:50 - Showing that you can now put regex in the Sudoers file which would fix this exploit
https://www.youtube.com/watch?v=fWMHh8GYqJE
#htb
#hacking
HackTheBox - Stocker
00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating it uses NodeJS/Express
05:00 - Explaining why I'm trying these injections
07:00 - Bypassing login with mongodb injection by setting both username and password to not equals instead of equals
09:10 - Playing with the e-commerce store and seeing it gives us a PDF
10:45 - Using exiftool to see how the PDF was generated
12:05 - Inserting an HTML IFRAME when we purchase an item to see if the PDF Generated will include local files
17:00 - Extracting /var/www/dev/index.js and getting the mongodb password which lets us log into the server
19:50 - The order numbers don't appear to be that random, looking at the source code to identify how this is generated. It's just mongo's object ID which is heavily based upon time stamps
26:00 - Looking at sudo, we can perform a directory traversal to execute run any .js file as root
27:50 - Showing that you can now put regex in the Sudoers file which would fix this exploit
https://www.youtube.com/watch?v=fWMHh8GYqJE
YouTube
HackTheBox - Stocker
00:00 - Introduction
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating…
00:56 - Start of nmap
02:15 - Running Gobuster in VHOST Detection mode to find the dev subdomain
03:50 - Intercepting a request to dev.stocker.htb and seeing an connect.sid cookie and x-powered-by header saying express, both indicating…
#hackthebox
#hacking
#htb
HackTheBox - Busqueda
00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root
https://www.youtube.com/watch?v=5dHgfviJWmg
#hacking
#htb
HackTheBox - Busqueda
00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root
https://www.youtube.com/watch?v=5dHgfviJWmg
YouTube
HackTheBox - Busqueda
00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing…
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing…
#hackthebox
#htb
#hacking
HackTheBox - Pikatwoo
00:00 - Introduction
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout
14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times
25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it
35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat
40:15 - Using Frida to disable TLS Certificate Pinning on Flutter
45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request
49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website
58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password
1:04:45 - Logging into the docs, gaining access to the API and finding an LFI
1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI
1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution
1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets
1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code
1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with
2:11:10 - Explioting the CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)
https://www.youtube.com/watch?v=gRj9Uz8_EOY
#htb
#hacking
HackTheBox - Pikatwoo
00:00 - Introduction
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout
14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times
25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it
35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat
40:15 - Using Frida to disable TLS Certificate Pinning on Flutter
45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request
49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website
58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password
1:04:45 - Logging into the docs, gaining access to the API and finding an LFI
1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI
1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution
1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets
1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code
1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with
2:11:10 - Explioting the CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)
https://www.youtube.com/watch?v=gRj9Uz8_EOY
YouTube
HackTheBox - Pikatwoo
00:00 - Introduction
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing…
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing…
#hackthebox
#htb
#hacking
HackThebox - Wifinetic
00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver has this capability is interesting
14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a Bash Function so its easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3.
30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong
31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.
https://www.youtube.com/watch?v=jj4r5lwnCp8
#htb
#hacking
HackThebox - Wifinetic
00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver has this capability is interesting
14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a Bash Function so its easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3.
30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong
31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.
https://www.youtube.com/watch?v=jj4r5lwnCp8
YouTube
HackThebox - Wifinetic
00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec…
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec…
#hackthebox
#htb
#hacking
HackTheBox - Snoopy
00:00 - Introduction
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running with PHP Enabled, then running gobuster
13:00 - Attacking the file download and discovering File Disclosure
15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent
19:30 - Automating the File Disclosure by creating a python script
24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS
30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us
34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset
39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us
42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password
50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946.
1:08:50 - sbrown can run clamscan in debug mode as root
1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)
1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key
https://www.youtube.com/watch?v=6tn30O0SjVQ
#htb
#hacking
HackTheBox - Snoopy
00:00 - Introduction
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running with PHP Enabled, then running gobuster
13:00 - Attacking the file download and discovering File Disclosure
15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent
19:30 - Automating the File Disclosure by creating a python script
24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS
30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us
34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset
39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us
42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password
50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946.
1:08:50 - sbrown can run clamscan in debug mode as root
1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)
1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key
https://www.youtube.com/watch?v=6tn30O0SjVQ
YouTube
HackTheBox - Snoopy
00:00 - Introduction
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running…
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running…
#hackthebox
#htb
#hacking
HackTheBox - Aero
00:00 - Introduction
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 - Testing our DLL from our windows computer
13:30 - Creating the malicious Windows Theme
17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box
19:20 - Updating the IP Address in our DLL and then getting a shell
22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box
23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 2023
26:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root
32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.
https://www.youtube.com/watch?v=g01cZciFI9o
#htb
#hacking
HackTheBox - Aero
00:00 - Introduction
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 - Testing our DLL from our windows computer
13:30 - Creating the malicious Windows Theme
17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box
19:20 - Updating the IP Address in our DLL and then getting a shell
22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box
23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 2023
26:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root
32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.
https://www.youtube.com/watch?v=g01cZciFI9o
YouTube
HackTheBox - Aero
00:00 - Introduction
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the…
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the…
#hackthebox
#htb
#hacking
HackTheBox - Format
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see what it does
07:30 - Making sense of how the sitebuilder works
14:20 - Examining the source code, discovering a file disclosure
24:00 - Creating a python script to automate the File Disclosure
48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to
55:00 - Looking at how the site adds a pro license to users
58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user
1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is
1:08:48 - Uploading a PHP Script to get code execution
1:13:55 - Dumping the REDIS Database and getting cooper's password
1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability
https://www.youtube.com/watch?v=WiTgB9BRrmM
#htb
#hacking
HackTheBox - Format
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see what it does
07:30 - Making sense of how the sitebuilder works
14:20 - Examining the source code, discovering a file disclosure
24:00 - Creating a python script to automate the File Disclosure
48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to
55:00 - Looking at how the site adds a pro license to users
58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user
1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is
1:08:48 - Uploading a PHP Script to get code execution
1:13:55 - Dumping the REDIS Database and getting cooper's password
1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability
https://www.youtube.com/watch?v=WiTgB9BRrmM
YouTube
HackTheBox - Format
For some reason, the last video got stuck encoding on YT's side and was 360p. Reuploaded and it worked the second time.
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see…
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see…
#hackthebox
#htb
#hacking
HackTheBox - PC
00:00 - Introduction
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using Verbose with GRPCurl to get extra information which includes an JWT
16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite
19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)
21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box
24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it
26:00 - Finding a public POC and running it to exploit PyLoad
https://www.youtube.com/watch?v=AQSLvalzW8g
#htb
#hacking
HackTheBox - PC
00:00 - Introduction
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using Verbose with GRPCurl to get extra information which includes an JWT
16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite
19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)
21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box
24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it
26:00 - Finding a public POC and running it to exploit PyLoad
https://www.youtube.com/watch?v=AQSLvalzW8g
YouTube
HackTheBox - PC
00:00 - Introduction
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using…
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using…
#hackthebox
#htb
#hacking
HackTheBox - Intentions
00:00 - Introduction
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain what I think is going on, its using FIND_IN_SET
14:20 - Discovering space is a bad character and when this happens using the -- comment is bad
17:48 - Manually dumping the database with union statements
25:18 - Using SQL Map showing this SQL Injection
30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash
38:28 - Logged in as an admin (Steve)
42:10 - Talking about Exploiting PHP Object Instanatiations then exploiting ImageMagick
1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password
1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time
1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time
https://www.youtube.com/watch?v=YmRDV0JR4qg
#htb
#hacking
HackTheBox - Intentions
00:00 - Introduction
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain what I think is going on, its using FIND_IN_SET
14:20 - Discovering space is a bad character and when this happens using the -- comment is bad
17:48 - Manually dumping the database with union statements
25:18 - Using SQL Map showing this SQL Injection
30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash
38:28 - Logged in as an admin (Steve)
42:10 - Talking about Exploiting PHP Object Instanatiations then exploiting ImageMagick
1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password
1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time
1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time
https://www.youtube.com/watch?v=YmRDV0JR4qg
YouTube
HackTheBox - Intentions
00:00 - Introduction
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain…
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain…
#hackthebox
#htb
#hacking
HackTheBox - Jupiter
00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupityr Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for jupityr files and discovering the token, which enables us login to Jupityr notebooks and get a shell as
28:45 - Jovian can run sattrack as as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrick config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron
https://www.youtube.com/watch?v=HOvVjVw3pww
#htb
#hacking
HackTheBox - Jupiter
00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupityr Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for jupityr files and discovering the token, which enables us login to Jupityr notebooks and get a shell as
28:45 - Jovian can run sattrack as as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrick config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron
https://www.youtube.com/watch?v=HOvVjVw3pww
YouTube
HackTheBox - Jupiter
00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45…
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45…
#hackthebox
#htb
#hacking
HackTheBox - Visual
00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens while will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GotPotato to abuse the SeImpersonate Privilege and run code as system
https://www.youtube.com/watch?v=ZJDefj0K9Jw
#htb
#hacking
HackTheBox - Visual
00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens while will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GotPotato to abuse the SeImpersonate Privilege and run code as system
https://www.youtube.com/watch?v=ZJDefj0K9Jw
YouTube
HackTheBox - Visual
00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create…
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure its the SDK!)
09:00 - Using the dotnet CLI to create…
#hackthebox
#htb
#hacking
HackTheBox - Hospital
00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
https://www.youtube.com/watch?v=E8h0qWsBz6c
#htb
#hacking
HackTheBox - Hospital
00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
https://www.youtube.com/watch?v=E8h0qWsBz6c
YouTube
HackTheBox - Hospital
00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files…
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files…