HackTheBox - Heist
Key Takeaways
The video walks through the HackTheBox machine Heist, which the author argues needs either a strong foundation or some legacy knowledge to solve, in particular RID brute forcing to enumerate local users, a technique that is easily overshadowed by the far more commonly documented Active Directory enumeration. The walkthrough uses tools such as Nmap, procdump and hashcat to recover credentials, spray them, and gain access to the system.
Full Transcript
What's going on, YouTube? This is IppSec doing Heist from Hack the Box, which was marked as an easy box. I think it'd be bumped up to a medium, mainly because it either requires a really strong foundation or some legacy knowledge. For instance, it doesn't really guide you down the path to do a RID brute forcing attack to enumerate local users on the box. And if you search around for that type of attack and don't know the name of it, you can get overshadowed by the heaps of attacks about Active Directory, like just running Get-ADUser, BloodHound, etc. It's really hard to find blog posts on the lesser-known Impacket tools like lookupsid.py. So unless you knew to do RID brute forcing, it's hard to use Google to go down that path. Additionally, dumping the memory from Firefox isn't that straightforward when you want to use something like procdump64.exe and it doesn't exist on the box. So you have to know to download that tool, upload the tool, and then run it. A lot of the steps just aren't intuitive to run, I think, in this box. But that being said, I really like the box and all the password spraying. It's super realistic and a fun box, and I think a great one to learn from. So, let's just jump in. As always, we begin with the Nmap. So, -sC for default scripts, -sV to enumerate versions, -oA to output all formats. Put it in the nmap directory and call it heist. And then the IP address, which is 10.10.10.149. It can take some time to run, so I've already run it. Looking at the results, we have just three ports open. The first one being HTTP on port 80. Its banner tells us it's Microsoft IIS. It's telling us that the IIS version is 10.0, which is Windows 10 or 2016. If you didn't know that, you can just go over to Google and search IIS versions and then go down to the Microsoft link, and this will tell us that version 1.0 would be Windows NT 3.51 SP1, or 7.0 is 2008, 7.5 is 2008 R2, or 8.0 is 2012. It looks like this page hasn't been updated since 2017.
So 10.0 isn't here, but they skipped 9 because, I believe, of regular expressions, because you used to have Windows 98 or 95. So if they did 9, there may be a regular expression that hits 95 or 98. So they just skip that altogether to go to 10. I think that makes sense. If not, think about it a little more or Google why they skipped nine. There's a bunch of reasons. Anyways, let's get back to this. We have the http-cookie-flags, and PHPSESSID is being set, which is a bit unique because this means that the Windows web server is running PHP. Generally, it runs ASP or something. Going down a little further, we have the http-title telling us that login.php was requested. So combining this file name with this cookie and it being Microsoft kind of says this is most likely a Windows server running PHP. Unless there's a big deception campaign and one of those things is just a flat-out lie. Generally doesn't happen. Next thing we have is MSRPC running on port 135. Then we have microsoft-ds with a question mark because Nmap can't 100% verify this is SMB running on 445. So I'm guessing anonymous or null authentication is disabled, so it can't really identify this port. We have a clock skew of 51 minutes, so either my machine or the server is way off in time. Then this smb2-security-mode says message signing is enabled but not required. And in order to exploit this, you need multiple machines, because it's something called an NTLM relay, where you relay authentication packets. Since this is Hack the Box and it's only a single machine, we can probably ignore that. So, let's go over and just check out the website, because that has the largest attack surface. So, going back to Firefox and going to 10.10.10.149, we get this login page. So, I'm just going to try admin admin, and it wants us to enter an email address. And we don't even know the host name of this box yet.
If anonymous authentication was enabled for SMB, it would probably run some SMB scripts to tell us the host name of the box. If SSL was, then the SSL certificate would tell us the host name, but none of those are. So, we don't even know the host name is Heist. So, we don't have an email, can't really do anything, but there is this login as guest button. So, clicking that brings us to what looks like a help desk page. We see the user hazard is saying he's experiencing problems with the Cisco router. Here's part of the configuration the previous admin left us. I'm new here and don't know how to fix it. So if we look at this configuration, we can see it is indeed a Cisco config, and we have two type 7 passwords, and type 7 is just, think of it like XOR encoded. Maybe that's it. Maybe it actually is XORed, but there's a secret key that Cisco has that deobfuscates this and reveals the password, because it's not real encryption. And well, if there is a key, if you do reversible encryption, it will be broken one day. So, we'll just Google Cisco type 7 decrypt and see if we find a Python file. Maybe we can do Python GitHub. I always hate running the websites that decrypt it for you, because they may configure it in a way that you send them the password, and I always hate sending websites my password. So when possible I run it locally, if I can think while typing. So we're here, we have the script. If we do python ciscot7 and then specify, I think, --decrypt for this one, -d, and then the string. So going back here, type 7, decrypt this config file. That should have worked. Let's see. -e, -p, or let's see, -p. There we go. So if you do -e -p it's going to encrypt the password. If you just do -p it'll decrypt, and -d is default. So if you do -d -p it's still going to do it. So we have one password. It's super password. So, I'm going to do vim passwords.txt and I'm just going to copy this password.
So, copy this, paste it, and then let's go and do the other one. So, going back here, go to this attachment, next one. Paste and see 408 408 023 023. That is what I copied. It is just a relatively good password. I don't even think that's a keyboard walk. So, random password there. Then the next one we have is 5, which is MD5. So, I'm going to bring this over to the Kraken. So, ssh kraken. And then we'll just go into the hashcat directory. cd hashes. Not hashes. Oh, yeah, it is hashes. Ignore me sometimes. vi, we'll call this heist-cisco-md5, paste it, and then ./hashcat --example-hashes and grep for $1$. Oh man, there's a lot of these. Let's see. Okay, only one. So the reason why I'm doing this is because it's a little bit weird, I know, with ASAs, and it's a different MD5 crypt. So with this it looks like it's fine. If we search for ASA, Cisco, grep -i cisco. Okay. So let's do -A3. So Cisco's ASA is going to be, I believe, this is the password hash and then colon username. So it's a little bit unique with ASAs, but for, I guess, routers it's straight MD5 crypt. So let's just go back here. MD5 crypt is 500. So, ./hashcat -m 500 hashes/heist-cisco-md5 and then /opt/wordlist/rockyou. So, we'll just throw this real quick. It shouldn't take too long at all. And there we go. It's already done. And we get the password stealth1agent. So, we can just exit this. Exit. And then paste this password. So, we have three passwords. We don't have any emails and we don't have any usernames. So, these passwords don't really do us too much good. Looking at this, we have enable secret. We get the username of router and a potential username of admin. That looks like a default one, but we'll do users.txt: router, admin. And then if we go back to the recent issues, we have a user called Hazard. So we can use him. And he is asking the help desk to create an account for him on the Windows server. So chances are that is true.
I can't tell if support admin is the username, or admin is the username, or admin is a group here. So I don't know what this one is, but we have a few passwords and a few users. So what I generally like doing here is using CrackMapExec, and this will enumerate all the credentials we have. So I do -u and then specify either a username or a file. In this case we have a few users, so I'm specifying a file, and then -p, same exact thing for passwords. Then I'm going to do --shares because I want the shares module. And then 10.10.10.149. And the reason why I specify the shares module is because upon a successful login, it's going to tell us, or enumerate, all the shares we have write access to. And if we see write access to either ADMIN$ or C$, it's these two, then we can follow up with psexec, because that means we're local admin most likely. In this case, we don't have that access, so we can't gain it. Generally in Windows, the way an unprivileged user may have lateral movement is through Windows remoting, or WinRM. That's port 5985 or 5986. It's not in the Nmap default 1000. So you miss it if you don't do -p- in Nmap, but I'm just going to test for it. And the way I normally test for it is Metasploit. So msfdb run. And the reason why I like doing it through msfdb, other than just jumping straight to a program like evil-winrm, is because this is more scriptable and it also has a handy feature called creds. So it'll save things. So if we just do use auxiliary/scanner/winrm... actually, since we're doing creds, let's do exactly what we did in Impacket. So, scanner/smb/smb_login, and then we're going to show options. And I think I want setg because that's global. Let's do help setg. Okay, we want setg. So, setg. I think maybe set -g is the same. So, two ways to do it. I'm just going to do setg USER_FILE users.txt and then setg PASS_FILE, this is going to be passwords.txt, and then setg RHOSTS 10.10.10.149. I'm going to do run.
And what the global did is, when I switch Metasploit scripts, it's going to save those variables, hopefully, so we don't have to retype them all. So it's running and failed a lot, but we got a success with hazard and stealth1agent, just like CrackMapExec. If I do creds, it now saved that in the database for me, so I don't have to worry about logging what is successful. It saved the host, the origin, service, username, password, everything, so it comes in really handy. So if now we do use auxiliary/scanner/winrm, and we want winrm_login. If we do show options, because we used setg, we have users.txt and passwords.txt already here. Our host is already set. It's using port 5985. And we can just do run and see if we get a shell. And we got nothing. So at this case, we're kind of at a dead end. And whenever I get to a dead end, I go back into the enumeration phase. What can I enumerate more? Well, we got a login to SMB. There weren't any shares. It was just ADMIN$, IPC$ and C$. So, I'm going to go over to Impacket. So, whenever I want to find Impacket, I do locate psexec.py, because I can't remember this path to save my life. And we go /usr/share/doc/python3-impacket and then examples. I do ls and look at what things are here. One of the things we can do is lookupsid. So if we do python3 lookupsid.py, a valid user, so hazard:stealth1agent@10.10.10.149. It's going to do something called a RID brute force or a SID brute force. And we'll go over this manually right after this finishes. But it's going to get us a bunch more usernames. So we got hazard, support, chase and Jason. And I don't know why it said JSON. It's Jason, not JSON. But we got a few more accounts. So, let's do dash. And then after this, we'll go over exactly what this just did. So, if we do vi users, so support, chase and Jason. Support, chase. And that was my email. My apologies if that sound came through, but support, Chase and Jason. Jason. So, let's go over exactly what a RID brute force is.
To do that, we're going to connect to the RPC port. So, rpcclient -U hazard%stealth1agent. For some reason, it does a percent between username and password, and then 10.10.10.149. And I'm just curious if this uses port 139 or SMB. So that's what I'm doing here, just a tcpdump, because I'm not positive off the top of my head. So we run this and it looks like it's going over SMB. We search for 139. I guess one of the very first packets is 139, not even the first. So in Windows, in my mind, it's always SMB when you do these types of things. So, if you hit tab, you get a bunch of functions you can do. The one we want is lookupnames. And I'm just going to specify the default name for anything, which is administrator. And it's going to give us the SID for that account. I think that stands for the security identifier. Essentially, I think it's always going to be like S-1-5. S means SID, 1 is just the version, and Microsoft never changed the version, so it's always S-1. I think it's normally going to be 5. It may not always be 5. I forget what these two are, but how I generally think of it is, this is the domain, or wait, this is the domain and this is the user. So the last one I always think of as the user ID, and everything before that is just the domain. So, it's not technically correct, because I think it's only this that is unique to the domain, but in my mind, I only got two. So, the default user for Windows, you may hear it called the RID 500 account, is administrator. Administrator is always going to be 500. So, if we do lookupnames guest, you'll see that is 501. That's the second account in Windows. If you do lookupsids, you can see what the third account's going to be. So, we can just copy the SID and brute force the next one up. We got to put a space after sids. We'll see this account is called DefaultAccount. So, that's essentially how brute forcing works. The very first user is generally 1000, but we have a valid username, which is Hazard.
So, we can look at what his is. His is 1008. So we can just go on from there. So we do the lookupsids; instead of 503 we can do 1008, we get hazard; 1009 we get support; 1010 unknown; 1011; 1012 Chase; 1013 Jason; 1014, 1015, 1016, and you can just go on to see how many accounts you can get. But that's all this RID brute force is. So, when it says a max number, it's asking for what the max number you want to be here is. So, we got a few more usernames. So, what we're going to do is go back into Metasploit and we're going to use the SMB exec. So, smb_login, and then just do run, because we updated the users.txt file with the new usernames. So, we just do this and we'll see if we get anything new. It's now doing the hazard user and we get another user, chase. So, what I'm going to do is switch back to WinRM. And to speed this up, I'm just going to create valid_users.txt. And I'm going to do chase. Actually, we don't have to do that. We can just do show options and then set USERNAME chase and run. So, we get a valid login with WinRM, and it's going to go on and do the username file. Next, we could just Ctrl-C to stop that. But we see WinRM told us that Chase can log in. So we now have a low priv shell. So to log into WinRM, I'm going to just use a program called Evil-WinRM. And the reason why I'm not logging it is because I did creds and it's already logged it. And we even got the WinRM logged. It says it's HTTP because it just doesn't know that's WinRM. But yeah, that's how it logs WinRM in Metasploit. So let's do GitHub. So GitHub evil-winrm. And we can install something. So I'm just going to do bundle install. It didn't work. Let's just cat the Gemfile and then gem install winrm winrm-fs colorize and stringio. So we just got to install all the dependencies. This is the same as pip install for Python. So we got them all. Now we can do ruby evil-winrm.rb and we can see how to use this. So, -u, -p and IP. Easy enough. So, Ruby, or -i for IP. So, you, it was chase I think, -p.
Let's go grab his password. So, ruby evil-winrm.rb -u chase -p, and I'm going to put this in single quotes because we have a backslash and an asterisk. So, who knows how that's going to get interpreted. So, doing it in single quotes makes sure it gets interpreted how we want it. -i 10.10.10.149. And let's get a login shell if we're lucky. And there we go. And we see we're in the Documents folder. We can do gci for Get-ChildItem. It's just the PowerShell way of doing dir. You could also do ls. There's a hundred ways to list directories. I do gci, but I'm going to get out of the Documents directory and we'll do gci -recurse. So it goes into every directory, and then I'm going to do a period and then pipe this and do select FullName. And that's just going to list all the files. So, we got Links, Downloads, nothing really other than user.txt and todo.txt. So, if I go to Desktop, we can do, I think, gc for Get-Content on todo.txt. There we go. You can also do the shell way of type. Stuff to do: keep checking the issues list, fix the router config. There's nothing really here. So, I'm going to go up two directories, do a dir. We got other users. So, hazard has a directory. If we do hazard, do a dir, we get a permission denied. So, nothing really there. If we were in Cobalt or something, we could potentially make a token for this user and try switching to him and then going into that directory. But with just this Evil-WinRM, I don't think we can do that easily. So, let's think of another way. There was a web server, so let's enumerate the files there. So, inetpub\wwwroot. If you're confused what Cobalt is, it's just a C2 framework. I'm sure if you go to ippsec.rocks you can find various things on it. So cd wwwroot, do a dir, we get a permission denied. So we can't list files in here. If we go back to Firefox and look at the files: issues.php. So if we do gc issues.php we can get the file. So we can read what this is.
There's also a login.php, and I'm just looking at the source to see if there's anything we missed. So, we got cookies for admin and guest. Nothing really there. If we type login.php, let's see, we get login, usernames admin and hash, SHA-256, request login password is equal to this SHA-256 hash. So we get a SHA-256 hash. We go to hashes.org and search for it to see if it's a known thing. We could also send this into hashcat, but I don't think I'm going to crack this one. So, and I just, okay, it's not case sensitive, but hashes.org doesn't know it. So, I'm just going to move on. And the reason why I was trying to get access in this directory is because maybe there's a config file that has another password, or if I can write to a file then I can escalate to this user and potentially do Rotten Potato or Juicy Potato or something. So I want to get to that IIS user is what I'm doing here. So we echo test to test to see if we can write here. We can't. There is also this attachments directory. So if I do cd attachments, we can do gci here and we see there is config.txt. This is that Cisco router config that we started out at. If we type echo test to test, we can't write here. So this is probably going to be a dead end, and we can't write to login.php or anything. So, we don't have any write access in this directory. So, we can't drop a shell script and then execute it to gain access. I also didn't see any vulnerabilities in the PHP code we looked at. So, that's a bust. If we do gci at the root, we could go into Program Files and do gci. And at this point, we realize Firefox is installed. That's not a normal thing. So, we could go and check if it's running with Get-Process and then look at all the processes on this box. A lot of svchost. Holy crap. And we see a few Firefox processes. So, the first one is 4656. So that would be the one I go for, but we probably want to enumerate all these if we don't see anything. So vim ffpid.txt, paste. Okay.
That's where I was. Okay. So in order to dump that process, we need to use a Sysinternals tool called procdump. And you could do it with PowerShell. You could do it a hundred ways. There are a bunch of ways to dump processes on Windows. I like doing Sysinternals because it's a Microsoft-signed binary, which means it generally works and doesn't set off as many flags. So zip. So we go here and download the suite. Its license prohibits redistribution. It wants you to download from Microsoft's website. So I don't think it's bundled in Kali or anything. We can exit Metasploit at this point. I guess we should have probably used Metasploit to get a WinRM shell potentially. I wonder if it has that option. I've never really done it. We can move downloads. What is it? The download is the Sysinternals suite here. mkdir sysinternals and then unzip the suite, and we got everything. So at this point we can upload it. So let's go to Users. We are chase. We'll go in Documents and we can upload /root/htb/boxes/heist/sysinternals/procdump64.exe. And this will take a little bit to upload. And once it's uploaded, we can dump the process. There we go. So, ./procdump64.exe. It wants us to accept the EULA. We can do it through the command line. Be aware that this creates a registry entry on the box. So if they've never used Sysinternals before, there's a forensic artifact there. And if you're curious, always monitor your boxes for that registry entry to see when people are using Sysinternals. We want to do the -ma flag to write a full dump file. So we'll do ./procdump64.exe -ma and cat ffpid. We'll do 4656 first. And notice we didn't have to do the accepteula flag. If we do procdump64.exe -h it works because that registry entry is set. But if we do dir, we see it created that firefox whatever .dmp. We can just download this. So download, paste. It'll probably take even longer to download, because the dump file is much bigger than procdump64.
So I'm just going to pause the video while this downloads. So this has been going on quite some time, probably almost 10 minutes, and it's still not done. So I'm just going to see if the information I seek is here. So it's saving to /opt/evil-winrm. Do an ls. We can see that dump file is there. And the reason why I knew that is because we cd'd to that directory before running this program. We can see the dump, 05491.dmp, going here. And same thing. So what I'm going to do is just strings the Firefox, not binary, but process, and just dump its memory. If we grep for HTTP, oh, we get a lot. So that is a lot. So maybe grep for password, and we still get quite a bit. So let's do less and go down to where it is. So I just type /password. Did I type that? There we go. So now it's going to highlight, and right at the very top we can see login_username admin@support.htb and login is equal to this. So we could test this off real quick by going to 10.10.10.149. See, my session is dead. So, admin@, what is it? support.htb, and then paste the password, and we get logged in as that user. There's no additional features, but we got the username of admin. We already had that saved in users.txt, but we don't have the default account, which is administrator. That's the RID 500 account. So, we can go back. Do we still have Metasploit open? We closed it when we did psexec. So, what we'll do is CrackMapExec, because it's just going to be quicker. So, crackmapexec -u users -p passwords --shares 10.10.10.149 and we'll see if we get any valid login. And it's not looking like it. Let's see. Did I paste that password correctly? I think I did. So, oh, CrackMapExec by default stops after the very first login. I forget the flag. Let's just do msfdb run and we'll do the winrm module. So, winrm, set USER_FILE users.txt. Like, if I just do PASS_FILE, RHOSTS, I'm just hitting Ctrl-R and it has recursive history. So run, we'll see if we get any new hits.
I don't think it's doing the new password. vi passwords.txt. It was not. I think I just entered it in users.txt. That would definitely help. So, we do this and we get a login success as administrator. So, what we can do is a WinRM as him. But we could probably do a psexec if he has access over C$ or ADMIN$. So crackmapexec, do this now that we have the password in passwords.txt, and logged in. It's telling us Pwn3d. Let's see if it gets the shares. It normally says Pwn3d when you have a shell, and we have read/write to ADMIN$ and C$. So we should be able to do psexec administrator and then 10.10... or I think it's just psexec. That's not my path. Let's go locate psexec.py, cd here, and then python3 psexec.py administrator@10.10.10.149 and then paste this password. Requesting share, found writable, uploading, opening, creating, and we should get the shell very soon. There we go. If we go cd \Users\Administrator, dir. A little slow, probably should have done the PowerShell module, but eh. cd Desktop, dir, root.txt, it's 32 bytes. So there you have it. Pretty sure we can read this. I'll actually test it to make sure there's no encrypted file system with cipher. We do a type. There we go. It does read it. So, that's the flag. Hope you guys enjoyed the box. Take care and I will see you all next week.
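The type 7 scheme the transcript describes (a fixed Cisco key XORed against the password, prefixed with a two-digit seed), written out as an added Python example; this is not the ciscot7 script used in the video. The CISCO_T7_KEY constant is the publicly known type 7 key, and the config fragment and passwords in the example are constructed.

```python
# Cisco "type 7" obfuscation, as discussed in the video: not encryption,
# just XOR against a fixed, publicly known key. Added example; the key
# constant is the well-known one, the sample strings are constructed.
import re

CISCO_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
T7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7 <hex>' value into the cleartext.

    Format: two decimal digits giving the starting offset into the key,
    then one hex byte per password character, each byte being
    password[i] XOR key[(offset + i) % len(key)].
    """
    m = T7_RE.match(encoded.strip())
    if not m:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(m.group(1))
    if offset >= len(CISCO_T7_KEY):  # IOS only emits 00-15; be lenient but safe
        raise ValueError("seed out of range")
    data = bytes.fromhex(m.group(2))
    out = bytes(b ^ CISCO_T7_KEY[(offset + i) % len(CISCO_T7_KEY)]
                for i, b in enumerate(data))
    return out.decode("ascii")


def type7_encode(plaintext: str, offset: int = 6) -> str:
    """Produce the 'password 7' form (the -e -p mode of ciscot7).

    The seed is arbitrary, so one cleartext has sixteen different
    encodings, which is why the value looks random but is not."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses seeds 00-15")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ CISCO_T7_KEY[(offset + i) % len(CISCO_T7_KEY)]
                for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


def find_type7_in_config(config: str) -> list:
    """Pull every 'password 7 <value>' out of an IOS config dump, like the
    attachment in the help-desk ticket, and decode it. Returns
    (encoded, decoded) pairs. 'secret 5' lines are MD5-crypt hashes and
    are skipped: those need hashcat -m 500, not a decoder."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found.append((m.group(1), type7_decode(m.group(1))))
    return found


if __name__ == "__main__":
    # Constructed config fragment in the shape of the ticket attachment.
    sample = (
        "username netops password 7 060506324F41\n"
        f"username admin privilege 15 password 7 {type7_encode('T3stP@ss', 2)}\n"
        "enable secret 5 $1$xxxx$constructedNotARealHash\n"
    )
    for enc, dec in find_type7_in_config(sample):
        print(enc, "->", dec)
```

Any config that still carries "password 7" lines is effectively storing cleartext credentials, so treat a leaked config the way the video does: assume every such password is known and rotate it.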
Original Description
01:05 - Begin of recon
04:25 - Logging into the webpage as guest and viewing attachments
04:45 - Examining the cisco type 7 passwords, using ciscot7
07:00 - Decrypting the MD5Crypt password using Hashcat
10:20 - Using CrackMapExec to perform a SMB password spray with users/credentials we have
11:30 - Using Metasploit to do the same thing (smb_login), to show it keeps tracks of creds. Then doing a WinRM Login
14:10 - WinRM Login was unsuccessful. Lets see if we can enumerate users with Impacket's lookupsid
15:15 - Using RPCClient to replicate how LookupSID did the RID/SID Bruteforce, so we can understand it
19:25 - Doing the Winrm_Login again with new usernames and see Chase can login
20:25 - Using Evil WinRM to login to the box
22:00 - Low Priv shell returned
24:00 - Examining wwwroot, and sourcecode to see if we can get a shell as the IIS User (cannot)
26:45 - See firefox running with Get-Process
29:00 - Upload procdump64.exe to dump firefox's memory
31:00 - Running strings against the binary and finding the administrator password
34:35 - Testing logins with WinRM and CME, to see Administrator could PSEXEC or WinRM
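The SID layout the transcript reasons about around 15:15 (S-1-5-21-&lt;domain part&gt;-&lt;RID&gt;, with RIDs 500, 501 and 503 fixed and ordinary accounts starting at 1000), as an added Python example that is not from the video. The SIDs used are constructed, and candidate_sids only builds the list of SIDs a lookup cycle would ask about; it makes no RPC calls.

```python
# Windows SID structure, as walked through with rpcclient lookupnames /
# lookupsids in the video. Added example; all SIDs below are constructed.
from dataclasses import dataclass
import re

# Well-known RIDs named in the video plus a few others worth recognising.
WELL_KNOWN_RIDS = {
    500: "Administrator",   # the "RID 500" account, even when renamed
    501: "Guest",
    503: "DefaultAccount",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
FIRST_USER_RID = 1000       # ordinary local/domain accounts start here

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int           # always 1, as the video notes
    authority: int          # 5 = NT Authority for account SIDs
    subauthorities: tuple   # e.g. (21, a, b, c, rid)

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = SID_RE.match(text.strip())
        if not m:
            raise ValueError(f"malformed SID: {text!r}")
        subs = tuple(int(x) for x in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    @property
    def rid(self) -> int:
        # The last subauthority is the relative identifier: the part a
        # RID cycle increments.
        return self.subauthorities[-1]

    @property
    def domain(self) -> "Sid":
        # Everything before the RID identifies the machine or domain.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def with_rid(self, rid: int) -> "Sid":
        return Sid(self.revision, self.authority,
                   self.subauthorities[:-1] + (rid,))

    def describe(self) -> str:
        # S-1-5-21-... is a machine or domain account; S-1-5-18 etc. are
        # service SIDs and have no RID to cycle.
        if self.authority == 5 and self.subauthorities[:1] == (21,):
            name = WELL_KNOWN_RIDS.get(self.rid)
            if name:
                return f"well-known RID {self.rid} ({name})"
            if self.rid >= FIRST_USER_RID:
                return f"user/group RID {self.rid}"
            return f"built-in RID {self.rid}"
        return "not a domain/machine account SID"


def candidate_sids(known_sid: str, max_rid: int) -> list:
    """The SIDs a RID cycle would resolve, 500 up to max_rid (the 'max
    number' lookupsid asks for), on the same domain as one resolved SID."""
    base = Sid.parse(known_sid)
    return [str(base.with_rid(r)) for r in range(500, max_rid + 1)]


if __name__ == "__main__":
    admin = Sid.parse("S-1-5-21-1234567890-987654321-55555555-500")  # constructed
    print(admin.domain, "|", admin.rid, "|", admin.describe())
    for s in candidate_sids(str(admin), 503):
        print(s, "->", Sid.parse(s).describe())
```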