HackTheBox - Hancliffe

Name: HackTheBox - Hancliffe
Uploaded: 2022-03-05T15:03:50Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordl...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·4y ago

00:00 - Intro 01:00 - Start of nmap 02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive. 04:30 - Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password 08:40 - Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon] 12:15 - Identifying the Nuxeo application and searching for the web vulnerability 15:55 - Testing for SSTI in an error message, normal SSTI doesn't work since it is …

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Intro

1:00 Start of nmap

2:25 Identifying it is a windows box via ping and looking at its TTL, and running G

4:30 Looking at HashPass to see it just generates static passwords based upon Name/

8:40 Identifying a JSESSIONID cookie given when accessing /maintenance/ which enabl

12:15 Identifying the Nuxeo application and searching for the web vulnerability

15:55 Testing for SSTI in an error message, normal SSTI doesn't work since it is jav

19:40 Testing an java EL SSTI Payload to get code execution. Don't get output but ca

21:25 Getting a reverse shell

24:25 Looking at listening ports, running a powershell snippet to get process name a

29:15 Looking for an exploit with Unified Remote. Using Chisel to forward the port

33:30 Going over the Unified Remote Exploit script, changing where it writes files t

37:00 What i say here is wrong... I did not notice I got a shell back when writing t

39:09 Converting the Unified Remote script to Python3 with some vim macro magic

42:10 Running WinPEAS and discovering a Firefox credential

50:10 Using HashPash with the creds WinPEAS displayed to get the development users p

55:00 Start of RE of the MyFirstApp Binary. Opening Ghidra

55:30 Searching for Strings to find where Username: is in the program and looking at

1:00:40 Looking at Encrypt1() and discovering it is just Rot47

1:04:30 Looking at Encrypt2() and discovering it is just AtBash

1:12:45 Logging into the application and discovering what is available to us af

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →