HackTheBox - HackBack

00:00:00 - Intro 00:01:30 - Begin of Recon, discovery of an HTTP API that has a few commands 00:06:00 - Using JQ to parse json output, use NetStat/Proc to find GoPhish 00:15:00 - Logging into GoPhish with default creds admin:gophish, finding DNS Names 00:21:15 - Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section 00:33:20 - Using wfuzz to bruteforce the password for webadmin.php 00:37:10 - Finding Code Execution in WebAdmin.php 00:44:00 - Creating a Python Script to give a pseudo shell to cat, ls, and upload 01:10:45 - Script finished, uploading reGeorg to create a proxy onto the box to bypass FW 01:16:20 - Using WinRM to access low privilege shell as Simple User 01:25:08 - Exploring /Util/Scripts to find a way to privesc to Hacker 01:30:29 - Exploring GetSystem functionality of meterpreter 01:37:20 - Starting to create program to steal a token from NamedPipe Clients 01:41:00 - Creating XOR Encrypter for payloads in C (There is a bug used & instead of %) 01:48:20 - Using MSFVenom to generate raw payload to XOR then generate in C Format 01:51:38 - Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics (Testing/Bug Hunting) 02:03:45 - Found the issue, AND'd the payload instead of XOR'd in encrypt.c 02:08:30 - Creating the NamedPipe portion of code 02:28:30 - Creating the Pipe Impersonation part of the code 02:43:16 - Had some weird errors, adding the ability to enable token privileges (more troubleshooting....) 03:01:00 - Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File 03:06:10 - Meterpreter Session Loaded. Unfortunately it grab the impersonation token, more troubleshooting. 03:08:20 - Found the bug that caused us to not pass the token 03:09:45 - Re-Explaining all the code 03:14:57 - Meterpreter loaded, using incognito to grab our impersonation token for HACKER user - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html 03:30:15 - Creating a bat file to run Ne