HackTheBox - HackBack

IppSec · Beginner ·📰 AI News & Updates ·6y ago

00:00:00 - Intro 00:01:30 - Begin of Recon, discovery of an HTTP API that has a few commands 00:06:00 - Using JQ to parse json output, use NetStat/Proc to find GoPhish 00:15:00 - Logging into GoPhish with default creds admin:gophish, finding DNS Names 00:21:15 - Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section 00:33:20 - Using wfuzz to bruteforce the password for webadmin.php 00:37:10 - Finding Code Execution in WebAdmin.php 00:44:00 - Creating a Python Script to give a pseudo shell to cat, ls, and upload 01:10:45 - Script finished, uploading reGeorg to create a proxy onto the box to bypass FW 01:16:20 - Using WinRM to access low privilege shell as Simple User 01:25:08 - Exploring /Util/Scripts to find a way to privesc to Hacker 01:30:29 - Exploring GetSystem functionality of meterpreter 01:37:20 - Starting to create program to steal a token from NamedPipe Clients 01:41:00 - Creating XOR Encrypter for payloads in C (There is a bug used & instead of %) 01:48:20 - Using MSFVenom to generate raw payload to XOR then generate in C Format 01:51:38 - Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics (Testing/Bug Hunting) 02:03:45 - Found the issue, AND'd the payload instead of XOR'd in encrypt.c 02:08:30 - Creating the NamedPipe portion of code 02:28:30 - Creating the Pipe Impersonation part of the code 02:43:16 - Had some weird errors, adding the ability to enable token privileges (more troubleshooting....) 03:01:00 - Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File 03:06:10 - Meterpreter Session Loaded. Unfortunately it grab the impersonation token, more troubleshooting. 03:08:20 - Found the bug that caused us to not pass the token 03:09:45 - Re-Explaining all the code 03:14:57 - Meterpreter loaded, using incognito to grab our impersonation token for HACKER user - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html 03:30:15 - Creating a bat file to run Ne

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

Meta has hired five founding members of Mira Murati’s Thinking Machines Lab in a systematic talent raid

Meta hires top AI talent from Thinking Machines Lab after a rejected $1 billion acquisition offer, highlighting the intense competition for AI expertise

The Next Web AI

OrangeQS raises €15M and brings hardware makers into the solution

OrangeQS raises €15M for quantum chip testing solutions and partners with hardware makers to shape future test equipment

The Next Web AI

Nobody Wants to Learn AI (They Just Don’t Want to Fall Behind)

People may claim to be interested in AI, but their actions suggest otherwise, highlighting a gap between intention and actual engagement

Medium · Python

Big Tech firms are accelerating AI investments and integration, while regulators and companies focus on safety and responsible adoption.

Big Tech firms are investing heavily in AI, driving growth and transformation, while emphasizing safety and responsible adoption

Chapters (26)

Intro

1:30 Begin of Recon, discovery of an HTTP API that has a few commands

6:00 Using JQ to parse json output, use NetStat/Proc to find GoPhish

15:00 Logging into GoPhish with default creds admin:gophish, finding DNS Names

21:15 Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section

33:20 Using wfuzz to bruteforce the password for webadmin.php

37:10 Finding Code Execution in WebAdmin.php

44:00 Creating a Python Script to give a pseudo shell to cat, ls, and upload

1:10:45 Script finished, uploading reGeorg to create a proxy onto the box to bypass FW

1:16:20 Using WinRM to access low privilege shell as Simple User

1:25:08 Exploring /Util/Scripts to find a way to privesc to Hacker

1:30:29 Exploring GetSystem functionality of meterpreter

1:37:20 Starting to create program to steal a token from NamedPipe Clients

1:41:00 Creating XOR Encrypter for payloads in C (There is a bug used & instead of %)

1:48:20 Using MSFVenom to generate raw payload to XOR then generate in C Format

1:51:38 Creating the Stager to execute meterpreter, with some fun old AV Evasion tacti

2:03:45 Found the issue, AND'd the payload instead of XOR'd in encrypt.c

2:08:30 Creating the NamedPipe portion of code

2:28:30 Creating the Pipe Impersonation part of the code

2:43:16 Had some weird errors, adding the ability to enable token privileges

3:01:00 Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File

3:06:10 Meterpreter Session Loaded. Unfortunately it grab the impersonation token, mo

3:08:20 Found the bug that caused us to not pass the token

3:09:45 Re-Explaining all the code

3:14:57 Meterpreter loaded, using incognito to grab our impersonation token for HACKER

3:30:15 Creating a bat file to run Ne

Data, Decisions, And Digital Transformation With AI In 2026 | AI Strategy Webinar | Simplilearn