HackTheBox - Cerberus

Name: HackTheBox - Cerberus
Uploaded: 2023-07-29T15:31:32Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 02:00 - Looking at the TTL of Ping to see its 127, then making a request to the webserver and seeing it is 62...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 02:00 - Looking at the TTL of Ping to see its 127, then making a request to the webserver and seeing it is 62 03:45 - Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network 05:15 - Looking at Icinga, testing default credentials 06:20 - Fingerprinting the Icinga release by looking at javascript, using UI.JS since it looks like it changes frequently 09:05 - Cloning the repo, then writing a one-liner to hash all versions of ui.js and finding which commit the version off the webserver is on 12:10 - Finding a File Disclosure vulnerabi…

Watch on YouTube ↗ (saves to browser)

Chapters (18)

Introduction

1:00 Start of nmap

2:00 Looking at the TTL of Ping to see its 127, then making a request to the webser

3:45 Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network

5:15 Looking at Icinga, testing default credentials

6:20 Fingerprinting the Icinga release by looking at javascript, using UI.JS since

9:05 Cloning the repo, then writing a one-liner to hash all versions of ui.js and f

12:10 Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some

16:20 Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then c

25:30 Shell as www-data, doing some basic recon to figure out what type of virtual e

29:00 Looking at running processes and seeing sssd is running which allows this box

30:00 Looking at SetUID Files, discovering FireJail and privesc'ing CVE-2022-31214

36:00 As root on linux, we can now examine the SSSD configuration and get a domain p

44:50 Setting up a SOCKS Proxy via chisel, so we can use Evil-WINRM to log into the

48:50 Discovering ManageEngine ADSelfService Plus is running, finding an exploit

52:50 Fighting with Chisel to get all the port forwards working, have trouble with t

1:00:00 Redoing our tunnels, doing a portforward on linux to get evil-winrm, then a so

1:06:10 Running the Metasploit Exploit against ManageEngine and getting root

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →