HackTheBox - Arkham

Name: HackTheBox - Arkham
Uploaded: 2019-08-10T15:00:06Z
Channel: IppSec
Description: 00:55 - Begin of Recon 02:20 - Checking the WebPages 03:50 - Examining /userSubscribe.faces, to discover potential deserialization 05:00 - Exploring ja...

IppSec · Intermediate ·📰 AI News & Updates ·6y ago

Tool Use & Function Calling90%LLM Engineering80%Fine-tuning LLMs70%

00:55 - Begin of Recon 02:20 - Checking the WebPages 03:50 - Examining /userSubscribe.faces, to discover potential deserialization 05:00 - Exploring javax.faces.ViewState 05:50 - Googling around to see what an unencrypted serialized object should look like 07:15 - Checking out SMB to discover an openshare 09:00 - Downloading appserver.zip from batshare via smbclient 11:00 - Cracking a luks encrypted file with dd and hashcat 14:00 - Luks cracked, mounting the disk with luksOpen 16:20 - Discovery of the secret used to encrypt the java object 18:10 - Creating a python script to decrypt the ViewS…

Watch on YouTube ↗ (saves to browser)

Chapters (28)

0:55 Begin of Recon

2:20 Checking the WebPages

3:50 Examining /userSubscribe.faces, to discover potential deserialization

5:00 Exploring javax.faces.ViewState

5:50 Googling around to see what an unencrypted serialized object should look like

7:15 Checking out SMB to discover an openshare

9:00 Downloading appserver.zip from batshare via smbclient

11:00 Cracking a luks encrypted file with dd and hashcat

14:00 Luks cracked, mounting the disk with luksOpen

16:20 Discovery of the secret used to encrypt the java object

18:10 Creating a python script to decrypt the ViewState to verify we have correct cr

23:10 Script completed, lets test the decryption!

24:15 Downloading ysoserial to create a deserialization CommonCollections gadget

26:00 Creating a python script to exploit the deserialization vuln

31:00 Script complete! We got a ping, testing the MyFaces serialization objects (di

33:00 Modifying the script to run commands other than what ySoSerial provided

41:10 Script updates finished, trying to get a reverse shell via nishang (did not wo

42:40 Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for co

45:00 Downloading netcat to upload to the box

46:00 Netcat returned a powershell reverse shell

47:20 Discovering Backup.zip, downloading, using readpst to convert it to a plaintex

50:00 Using evolution to view mbox file and find Batman's password

52:45 Using Powershell's Invoke-Command to execute commands as Batman (like runas)

55:40 Reverse shell as batman returned! Running a few commands to find out he is lo

58:10 Unintended: Using net use to mount c$ and view the flag

59:30 Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HT

1:02:10 Using GreatSCT/MSBuild to launch Meterpreter

1:02:45 While GreatSCT installs, create a DLL to return a reverse shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Arkham

Chapters (28)

Playlist

Lesson complete!