HackTheBox - Hathor

Name: HackTheBox - Hathor
Uploaded: 2022-11-19T14:58:27Z
Channel: IppSec
Description: 00:00 - Intro 00:50 - Start of nmap 04:00 - Navigating to the page 05:00 - Discovering the forgot password feature enables people to enumerate valid us...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 00:50 - Start of nmap 04:00 - Navigating to the page 05:00 - Discovering the forgot password feature enables people to enumerate valid users 06:45 - Finding the default credentials for mojo portal and then logging in as admin 07:50 - Uploading an ASPX Webshell but finding out the aspx extension is blacklisted 10:30 - Looking at the GitHub issues for MojoPortal 12:00 - Copying a file to bypass the bad extension filter of uploaded material and getting our webshell 12:50 - Showing the importance of redirecting STDERR to STDOUT on web shells to discover why some commands fail 15:00 …

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

0:50 Start of nmap

4:00 Navigating to the page

5:00 Discovering the forgot password feature enables people to enumerate valid user

6:45 Finding the default credentials for mojo portal and then logging in as admin

7:50 Uploading an ASPX Webshell but finding out the aspx extension is blacklisted

10:30 Looking at the GitHub issues for MojoPortal

12:00 Copying a file to bypass the bad extension filter of uploaded material and get

12:50 Showing the importance of redirecting STDERR to STDOUT on web shells to discov

15:00 Failing to run a Powershell Reverse Shell bypassing AV, only to find out it is

18:30 Attempting to upload netcat to find out its blocked via group policy

20:30 Enumerating Applocker with Powershell Get-AppLockerPolicy -Effective -xml

26:50 Looking at the Get-BadPasswords directory, finding an NTLM Hash

31:30 Logging into the box via kerberos because NTLM is Disabled

38:40 Using CrackMapExec's Spider_Plus module to enumerate all the files on the shar

43:20 Enumerating the Windows Firewall to discover only bginfo64 will be able to com

47:00 Creating a DLL to use with DLL Injection to 7zip

53:45 Running a bunch of icacls commands with our DLL to identify permissions

57:00 We have WriteOwner to BGInfo64.exe, which was allowed through the firewall. We

1:09:00 Shell returned as GinaWild, finding an encrypted pfx file in the Recycle Bin

1:15:30 Cracking the PFX File with CrackPkcs12 to discover it is a code signing certif

1:22:30 Importing the code-signing certificate so we can sign powershell scripts letti

1:26:50 Telling the Get-BadPasswords program to run, and getting a shell as BPassRunne

1:27:30 Identifying how Get-BadPasswords pulls the NTLM Hashes and then getting Admini

1:29:50 Using Impacket's GetTGT to get a t

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →