HackTheBox - Fighter

Name: HackTheBox - Fighter
Uploaded: 2018-10-06T14:58:17Z
Channel: IppSec
Description: 00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb. 00:02:53 - Using GoBuster and WFUZZ to id...

IppSec · Beginner ·🔐 Cybersecurity ·7y ago

00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb. 00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp 00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection 00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available" 00:14:25 - Testing Union Injections for easy exfil of data 00:15:50 - Examining Stacked Queries to make running our own SQL Sta…

Watch on YouTube ↗ (saves to browser)

Chapters (19)

0:55 Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is s

2:53 Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and member

8:45 Begin poking around the members.streetfighterclub.htb page - Find SQL Injectio

12:00 Boolean injection to force the query to return "valid login". Play with login

14:25 Testing Union Injections for easy exfil of data

15:50 Examining Stacked Queries to make running our own SQL Statements easy. Then b

19:30 Some valuable recon/information in debugging our SQL queries. Noticing small t

34:40 Start of making a program to give us a command shell.

1:09:40 Explaining the program we just created. Then fix a small bug.

1:12:45 Begin of popping the box the intended way. Finding powershell is blocked but

1:17:10 Return of 32-bit PowerShell... Identifying we can append data to c:\users\deco

1:32:40 Found the issue! Powershell is encoding in UTF-16 which is confusing cmd promp

1:35:30 Exploiting Capcom Driver to gain root shell, this post is super helpful: http:

1:42:18 Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dl

1:47:25 Looking at the binaries in Ida64 Free

1:51:14 Explaining what's happening and then writing a script to bypass the password c

1:55:35 Start of unintended way (Juicy Potato)

1:58:10 Finding a world write-able spot under System32 for AppLocker Bypass, thanks @B

2:06:10 Start of modifying JuicyPotato to accept uppercase argu

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →