HackTheBox - Freelancer

Name: HackTheBox - Freelancer
Uploaded: 2024-10-05T15:00:20Z
Channel: IppSec
Description: 00:00 - Introduction 01:10 - Start of nmap 04:45 - Discovering the website is Django, Wappalyzer tells us but also talking about how we could manually i...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·1y ago

00:00 - Introduction 01:10 - Start of nmap 04:45 - Discovering the website is Django, Wappalyzer tells us but also talking about how we could manually identify with the help 08:00 - Creating an account, discovering we need to activate it, using Forgot Password to activate it 09:50 - There is a QR Code that lets users login by scanning it, looking at the URL it appears there could be an IDOR 11:28 - Discovering ID 2 is an admin, crafting a QR Code with the admin ID in it and gaining access to the Django Admin 14:30 - Enumerating the MSSQL Database, discovering we can impersonate SA and then ena…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

1:10 Start of nmap

4:45 Discovering the website is Django, Wappalyzer tells us but also talking about

8:00 Creating an account, discovering we need to activate it, using Forgot Password

9:50 There is a QR Code that lets users login by scanning it, looking at the URL it

11:28 Discovering ID 2 is an admin, crafting a QR Code with the admin ID in it and g

14:30 Enumerating the MSSQL Database, discovering we can impersonate SA and then ena

24:30 Trying to get a Reverse Shell, AV is blocking it, do some light obfuscation to

31:40 Shell returned as the webapp user, can't get WinPEAS Running due to AV

40:40 Discovering a password left behind by the SQL Express Install, password spray

45:10 Showing the NxcDb, which logs all the successful logins with nxc

50:00 Discovering a Memory Dump, downloading it to our box then using MemProcFs

55:20 Installing PyPyKatz which will have it automatically use pypykatz (mimikatz) t

1:02:40 More password sprays to get access to Lorra199, then using WinRM and discoveri

1:05:30 Restoring Liza Kazanof from the recycle bin, then resetting the password due t

1:11:15 Liza has the SeBackup privilege, using DiskShadow and Robocopy to download ntd

1:23:20 The issue we had with DiskShadow is because of how the script file was encoded

1:29:30 Running SecretsDump to get the administrator hash and login to the box

1:30:45 BEYOND ROOT: Abusing GenericWrite to the Domain as Lorra199 to get a shell

1:32:40 Going back to the memprocfs and showing we could have just ran secretsdump on

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →