HackTheBox - Helpline

Name: HackTheBox - Helpline
Uploaded: 2019-08-17T15:00:26Z
Channel: IppSec
Description: 00:35 - Begin of Recon 01:42 - Checking the ManageEngine Page 02:23 - Running Searchsploit to see potential exploits 03:40 - Enumerating valid usernames...

IppSec · Intermediate ·📰 AI News & Updates ·6y ago

00:35 - Begin of Recon 01:42 - Checking the ManageEngine Page 02:23 - Running Searchsploit to see potential exploits 03:40 - Enumerating valid usernames via AjaxDomainServlet 05:40 - Logging in with guest:guest 07:10 - Running the privilege escalation script to get Administrator access 08:00 - Searching for information on this exploit 08:20 - Blog post missing... Searching Archive.org and Google Cache for a mirror 10:00 - Making curl go through burp to step through the exploit in BurpSuite 18:00 - Copying the admin cookies into FireFox 19:25 - Going to Admin then Custom Triggers to execute co…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

0:35 Begin of Recon

1:42 Checking the ManageEngine Page

2:23 Running Searchsploit to see potential exploits

3:40 Enumerating valid usernames via AjaxDomainServlet

5:40 Logging in with guest:guest

7:10 Running the privilege escalation script to get Administrator access

8:00 Searching for information on this exploit

8:20 Blog post missing... Searching Archive.org and Google Cache for a mirror

10:00 Making curl go through burp to step through the exploit in BurpSuite

18:00 Copying the admin cookies into FireFox

19:25 Going to Admin then Custom Triggers to execute code on the server

21:50 Getting a reverse shell via Nishang

22:30 Using iconv to create UTF-16LE encoded Base64 for use with "-EncodedCommand" o

25:45 Reverse Shell as System returned, but EFS Protects the flags

26:45 Finding interesting files with get-childitem -recurse . | select FullName

28:50 Copying mimikatz over to the box to steal NTLM Hashes

31:00 Defender blocked us. Disable defender with Set-MpPreference -DisableRealtimeM

32:50 Using hashes.org to view password of Zachary, checking his groups to see he ca

33:30 Doing some powershell goodness to search event logs!

40:50 Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nisha

43:00 Using Mimikatz to decrypt the EFS Protected file with Tolu's password

57:25 Need to read Leo's admin-pass.xml, load meterpreter and migrate into his names

1:00:20 admin-pass is the output of SecureString, lets decrypt it to get the admin pas

1:02:20 Using Invoke-Command with the credential object created to execute commands as

1:03:50 Cannot read root.txt because of "Double Hop Problem" (how PowerShell Authentic

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Helpline

Chapters (25)

Playlist

Lesson complete!