HackTheBox - Control

Name: HackTheBox - Control
Uploaded: 2020-04-25T14:59:46Z
Channel: IppSec
Description: 00:00 - Start 01:02 - Begin of nmap 04:00 - Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. Run GoBuster...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Start 01:02 - Begin of nmap 04:00 - Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. Run GoBuster on /uploads/ looking for PHP files 07:50 - Begin fuzzing Proxy Headers with wfuzz to access admin.php 12:30 - Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php 15:30 - Having BurpSuite automatically add the x-forwarded-for header to our requests 16:45 - Explaining a reason why this header exists in the first palce 19:25 - Discovering Union injection on the admi…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Start

1:02 Begin of nmap

4:00 Checking out the webpage, notice an IP in the comments and run GoBuster to dis

7:50 Begin fuzzing Proxy Headers with wfuzz to access admin.php

12:30 Using Python's netaddr to generate an IP List based upon subnet, discovering X

15:30 Having BurpSuite automatically add the x-forwarded-for header to our requests

16:45 Explaining a reason why this header exists in the first palce

19:25 Discovering Union injection on the admin page

22:45 Telling SQLMap to run in the background, while we manually enumerate this ours

24:00 Using Group_Concat to return multiple rows in a union injection and enumerate

33:30 Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from

39:30 Enumerating who has the FILE privilege in the database, showing SQLMAP gives u

48:50 Grabbing user hashes out of the database with our injection then cracking them

51:30 Using OUTFILE in our injection to drop a php webshell to the server

58:05 Having trouble getting a reverse shell back, assuming it is defender so changi

1:04:02 Using powershell to run a command as hector with the password we cracked from

1:08:15 Running WinPEAS and going over what it finds, looks like it misses some permis

1:14:30 Looking at the PSReadLine directory to get some powershell history and a hint

1:15:40 Running ConvertFrom-SddlString to make sense of the registry permissions

1:21:20 Listing services on the box, then shrinking the number by only showing ones th

1:26:00 Shrink the list some more by only showing the services that our user has perm

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →