HackTheBox - Hancliffe

IppSec · Beginner ·🛡️ AI Safety & Ethics ·4y ago
00:00 - Intro 01:00 - Start of nmap 02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive. 04:30 - Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password 08:40 - Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon] 12:15 - Identifying the Nuxeo application and searching for the web vulnerability 15:55 - Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload 19:40 - Testing an java EL SSTI Payload to get code execution. Don't get output but can validate we run code via ping 21:25 - Getting a reverse shell 24:25 - Looking at listening ports, running a powershell snippet to get process name and the port they listen on 29:15 - Looking for an exploit with Unified Remote. Using Chisel to forward the port it listens on to us. 33:30 - Going over the Unified Remote Exploit script, changing where it writes files to and using msfvenom to generate a malicious exe for us 37:00 - What i say here is wrong... I did not notice I got a shell back when writing to C:\Windows\Temp... lol. 39:09 - Converting the Unified Remote script to Python3 with some vim macro magic 42:10 - Running WinPEAS and discovering a Firefox credential 50:10 - Using HashPash with the creds WinPEAS displayed to get the development users password. Using chisel to forward WinRM to us and accessing the box as development 55:00 - Start of RE of the MyFirstApp Binary. Opening Ghidra 55:30 - Searching for Strings to find where Username: is in the program and looking at code around it to see how authentication works 1:00:40 - Looking at Encrypt1() and discovering it is just Rot47 1:04:30 - Looking at Encrypt2() and discovering it is just AtBash 1:12:45 - Logging into the application and discovering what is available to us af
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

AI is slowly destroying open source and its not even done yet
AI's impact on open source is a growing concern, threatening the foundation of collaborative software development
Dev.to · Bridget Amana
NEES Core Engine: An Appeal to Builders, Companies, and Researchers Who Believe AI Needs Governance
Learn about the need for governance in production AI and how the NEES Core Engine addresses this issue
Medium · Startup
MYTHOS ERA
Learn about the Mythos Era, a paradigm shift in cybersecurity driven by AI-capable models, and its significance in the industry
Medium · AI
AI + Formal Verification: The Final Form of Secure Software Development – Lessons from Vitalik Buterin
Learn how AI-assisted formal verification is revolutionizing secure software development, as discussed by Vitalik Buterin, and apply it to your own projects for enhanced security and optimization
Dev.to AI

Chapters (21)

Intro
1:00 Start of nmap
2:25 Identifying it is a windows box via ping and looking at its TTL, and running G
4:30 Looking at HashPass to see it just generates static passwords based upon Name/
8:40 Identifying a JSESSIONID cookie given when accessing /maintenance/ which enabl
12:15 Identifying the Nuxeo application and searching for the web vulnerability
15:55 Testing for SSTI in an error message, normal SSTI doesn't work since it is jav
19:40 Testing an java EL SSTI Payload to get code execution. Don't get output but ca
21:25 Getting a reverse shell
24:25 Looking at listening ports, running a powershell snippet to get process name a
29:15 Looking for an exploit with Unified Remote. Using Chisel to forward the port
33:30 Going over the Unified Remote Exploit script, changing where it writes files t
37:00 What i say here is wrong... I did not notice I got a shell back when writing t
39:09 Converting the Unified Remote script to Python3 with some vim macro magic
42:10 Running WinPEAS and discovering a Firefox credential
50:10 Using HashPash with the creds WinPEAS displayed to get the development users p
55:00 Start of RE of the MyFirstApp Binary. Opening Ghidra
55:30 Searching for Strings to find where Username: is in the program and looking at
1:00:40 Looking at Encrypt1() and discovering it is just Rot47
1:04:30 Looking at Encrypt2() and discovering it is just AtBash
1:12:45 Logging into the application and discovering what is available to us af
Up next
Deeply Evaluate Healthcare Data to Improve Medical AI Model Safety with Lumos and Google Cloud
Google Cloud
Watch →