HackTheBox - Acute

Name: HackTheBox - Acute
Uploaded: 2022-07-16T15:27:56Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap, the Server Header changes based upon DNS 04:00 - Navigating to the website, discovering the "New Starter Form" whic...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap, the Server Header changes based upon DNS 04:00 - Navigating to the website, discovering the "New Starter Form" which has some key information like a welcome password and username convention 07:00 - Password spraying the Powershell Web Access (PSWA), discovering a valid credential but wrong host, word document had another host which is valid for edavies 09:15 - Playing around in the PSWA 10:00 - Looking at hidden files, discovering c:\utils\desktop.ini which states its a directory that is excluded by AV 12:00 - Making the mistake of running WinPEAS inside th…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

1:00 Start of nmap, the Server Header changes based upon DNS

4:00 Navigating to the website, discovering the "New Starter Form" which has some k

7:00 Password spraying the Powershell Web Access (PSWA), discovering a valid creden

9:15 Playing around in the PSWA

10:00 Looking at hidden files, discovering c:\utils\desktop.ini which states its a d

12:00 Making the mistake of running WinPEAS inside the PSWA

14:45 Setting up ConPtyShell to get a proper PTY reverse shell on windows

15:40 Making some light modifications to ConPtyShell in order to evade antivirus

16:50 Getting the ConPtyShell and showing the colors/tab autocomplete

19:30 Running WinPEAS to show another user is logged on (and the AV Exclusions)

21:55 Switching to Metasploit, because it makes it easier to migrate into an interac

24:30 Using Screenshot and Screenshare inside of meterpreter to record the screen an

29:00 Creating a credential object with imonks, so we can Invoke-Command on the doma

31:00 When specifying the correct configurationname our enter-pssession fails becaus

35:00 Discovering wm.ps1, which we can modify to get a shell as jmorgan on our deskt

40:00 Creating a powershell one-liner to replace a string in a file with cat and set

44:40 Screwed up our fail because of a random line break. Playing around with it un

47:30 Shell returned as JMorgan, dumping the SAM/SYSTEM files and cracking local pas

58:30 Looking at other Domain Users, attempting to password spray the users we don't

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →