#hackthebox
#hacking
#htb
HackTheBox - Busqueda
00:00 - Introduction
01:00 - Start of the nmap
04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz
06:00 - Just testing for SSTI
06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing
08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements
10:00 - Getting a reverse shell
15:00 - Reverse shell returned
17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea
19:00 - Finding creds in the .git folder which lets us run sudo
22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo
25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root
https://www.youtube.com/watch?v=5dHgfviJWmg
#hackthebox
#htb
#hacking
HackTheBox - Pikatwoo
00:00 - Introduction
01:00 - Start of nmap
03:15 - Identifying all the technologies used in the box
10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-38155
12:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout
14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times
25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it
35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat
40:15 - Using Frida to disable TLS Certificate Pinning on Flutter
45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request
49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website
58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password
1:04:45 - Logging into the docs, gaining access to the API and finding an LFI
1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI
1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution
1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets
1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code
1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with
2:11:10 - Exploiting CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)
https://www.youtube.com/watch?v=gRj9Uz8_EOY
#hackthebox
#htb
#hacking
HackTheBox - Wifinetic
00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver has this capability is interesting
14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a Bash function so it's easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 - The second flaw in WPS: the PIN is checked in two halves, and if the first four digits are wrong the responses tell you, reducing the search space from 10^7 to 10^4 + 10^3.
30:00 - Showing the WSC NACK gets sent after Message 4 if the first four digits of the PIN are wrong
31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.
https://www.youtube.com/watch?v=jj4r5lwnCp8
#hackthebox
#htb
#hacking
HackTheBox - Snoopy
00:00 - Introduction
01:00 - Start of nmap, discovering ssh/dns/http
02:30 - Taking a look at the website
04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled
09:40 - Identifying the website is running with PHP Enabled, then running gobuster
13:00 - Attacking the file download and discovering File Disclosure
15:35 - We got lucky discovering the File Disclosure filter bypass; using FFUF would make catching this more consistent
19:30 - Automating the File Disclosure by creating a python script
24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS
30:40 - Looking at the NSUPDATE man page and then adding the DNS record mail.snoopy.htb and pointing it to us
34:24 - Using python to run an SMTP server and then having Mattermost's forgot password email us the password reset
39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us
42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password
50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946.
1:08:50 - sbrown can run clamscan in debug mode as root
1:11:45 - Looking at CVEs in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)
1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key
https://www.youtube.com/watch?v=6tn30O0SjVQ
#hackthebox
#htb
#hacking
HackTheBox - Aero
00:00 - Introduction
00:56 - Start of nmap
04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)
06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux
10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export
12:30 - Testing our DLL from our Windows computer
13:30 - Creating the malicious Windows Theme
17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box
19:20 - Updating the IP Address in our DLL and then getting a shell
22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box
23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 2023
26:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root
32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.
https://www.youtube.com/watch?v=g01cZciFI9o
#hackthebox
#htb
#hacking
HackTheBox - Format
00:00 - Introduction
01:00 - Start of nmap
04:00 - Downloading source code from gitea
04:30 - Examining the website via browser to see what it does
07:30 - Making sense of how the sitebuilder works
14:20 - Examining the source code, discovering a file disclosure
24:00 - Creating a python script to automate the File Disclosure
48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to
55:00 - Looking at how the site adds a pro license to users
58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user
1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is
1:08:48 - Uploading a PHP Script to get code execution
1:13:55 - Dumping the REDIS Database and getting cooper's password
1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability
https://www.youtube.com/watch?v=WiTgB9BRrmM
For some reason, the last video got stuck encoding on YT's side and was 360p. Reuploaded and it worked the second time.
#hackthebox
#htb
#hacking
HackTheBox - PC
00:00 - Introduction
01:05 - Start of nmap
03:00 - Googling the port number, and reading more about gRPC
04:45 - Install GRPCurl so we can access the gRPC interface
06:30 - Enumerating the grpc interface
10:30 - Registering a user and logging in
13:45 - Using Verbose with GRPCurl to get extra information which includes a JWT
16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite
19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)
21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box
24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it
26:00 - Finding a public POC and running it to exploit PyLoad
https://www.youtube.com/watch?v=AQSLvalzW8g
#hackthebox
#htb
#hacking
HackTheBox - Intentions
00:00 - Introduction
01:00 - Start of nmap
02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header
08:10 - Playing with updating genre and viewing feed to discover an error
10:04 - Opening up SQL Fiddle to explain what I think is going on, it's using FIND_IN_SET
14:20 - Discovering space is a bad character and when this happens using the -- comment is bad
17:48 - Manually dumping the database with union statements
25:18 - Using SQL Map showing this SQL Injection
30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash
38:28 - Logged in as an admin (Steve)
42:10 - Talking about Exploiting PHP Object Instantiations then exploiting ImageMagick
1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password
1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time
1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time
https://www.youtube.com/watch?v=YmRDV0JR4qg
#hackthebox
#htb
#hacking
HackTheBox - Jupiter
00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostgreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupyter Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for Jupyter files and discovering the token, which enables us to log in to Jupyter notebooks and get a shell as
28:45 - Jovian can run sattrack as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrack config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron
https://www.youtube.com/watch?v=HOvVjVw3pww
#hackthebox
#htb
#hacking
HackTheBox - Visual
00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure it's the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens, which will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GodPotato to abuse the SeImpersonate Privilege and run code as SYSTEM
https://www.youtube.com/watch?v=ZJDefj0K9Jw
#hackthebox
#htb
#hacking
HackTheBox - Hospital
00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, let's inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
https://www.youtube.com/watch?v=E8h0qWsBz6c