HackThebox - Eighteen

IppSec · Beginner ·🔧 Backend Engineering ·2mo ago

Skills: Backend Performance70%Auth & Authorisation60%

00:00 - Introduction 00:45 - Start of nmap 02:20 - Taking a look at the page, manually decoding the Flask Cookie 06:15 - Running NetExec with MSSQL Priv module which lets us know we can impersonate, switching to mssqlclient 09:30 - Impersonating appdev, which can read the financial_planner table 12:25 - Converting the PBKDF2 hash to the Django format so we can try to crack it 16:20 - Using NXC to run RID BRUTE through MSSQL and get other users to spray the password with 20:50 - Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver files, nothing here 22:45 - Getting the Windows Patch Level, noticing windows 2025 and searching exploits to find BadSuccessor 30:00 - Setting up Chisel so we can tunnel back to our box to run the badsuccessor module with nxc 32:50 - Looking at NXC Issues to see the support for BadSuccessor is still a PR, installing the special branch with uv 39:15 - Setting our system time to the time on the webserver based upon the Date Header from Curl 40:15 - Running BadSuccessor getting the NTLM hash of administrator and using psexec to get on the box

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Backend Performance

View skill →

Build Real Time Chat Rooms With Node.js And Socket.io

Build Real Time Chat Rooms With Node.js And Socket.io

Web Dev Simplified

Yet Another "Highly Technical Talk" with Hanselman and Toub | BRK121

Yet Another "Highly Technical Talk" with Hanselman and Toub | BRK121

Microsoft Developer

Build an Online Auction Server with ExpressJS

Build an Online Auction Server with ExpressJS

Setting up a Proxy for Google Cloud SQL (P5D71) - Live Coding with Jesse

Setting up a Proxy for Google Cloud SQL (P5D71) - Live Coding with Jesse

freeCodeCamp.org

"Highly Technical Talk" with Hanselman and Toub | BRK194

"Highly Technical Talk" with Hanselman and Toub | BRK194

Microsoft Developer

GraphQL Server Intermediate Tutorial - Boilerplate with Typescript, PostgreSQL, and Redis

GraphQL Server Intermediate Tutorial - Boilerplate with Typescript, PostgreSQL, and Redis

freeCodeCamp.org

Related AI Lessons

How I Chose My Web Development Path as a Beginner

Learn how to choose a web development path as a beginner and start building your skills

How I Eliminated Race Conditions in a High-Concurrency Ticketing API

Learn how to eliminate race conditions in high-concurrency systems using synchronization techniques and design principles

Dev.to · Alif Akbar

Wiring DeepSeek Into Spring Boot: A Backend Engineer's Notes

Learn how to integrate DeepSeek into a Spring Boot application for enhanced backend functionality

Dev.to · loyaldash

Backend Interview Question: Why Offset Pagination Breaks in Production Systems (And How Top…

Learn why offset pagination breaks in production systems and how to fix it for scalable backend development

Medium · Programming

Chapters (13)

Introduction

0:45 Start of nmap

2:20 Taking a look at the page, manually decoding the Flask Cookie

6:15 Running NetExec with MSSQL Priv module which lets us know we can impersonate,

9:30 Impersonating appdev, which can read the financial_planner table

12:25 Converting the PBKDF2 hash to the Django format so we can try to crack it

16:20 Using NXC to run RID BRUTE through MSSQL and get other users to spray the pass

20:50 Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver fi

22:45 Getting the Windows Patch Level, noticing windows 2025 and searching exploits

30:00 Setting up Chisel so we can tunnel back to our box to run the badsuccessor mod

32:50 Looking at NXC Issues to see the support for BadSuccessor is still a PR, insta

39:15 Setting our system time to the time on the webserver based upon the Date Heade

40:15 Running BadSuccessor getting the NTLM hash of administrator and using psexec t

🚨 Swiggy Hiring Associate SDE 2025 | Java & Go Backend | Freshers Eligible #hiring #swiggy

hackathonwalebhaiya