HackTheBox - JSON

IppSec · Beginner ·📄 Research Papers Explained ·6y ago
00:52 - Start of recon, NMAP 04:35 - Using SMBClient to look for OpenShares 04:50 - Examining the HTTP Redirect on the page 06:56 - Attemping default credentials 08:25 - Running GoBuster with PHP Extensions 12:45 - Examining the /api/ Requests made in BurpSuite 13:35 - Comparing Requests to notice one has a "BEARER" Header. Researching exactly what it is. 14:45 - Examining the contents of BEARER/OAUTH2 by base64 decoding it. 15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected bas64 16:50 - See a serialization error, pointing towards JSON.NET, then switching to Windows to install ysoSerial 22:54 - Creating a .net Deserialization exploit that will ping us 27:50 - Base64 encoding the exploit, starting tcpdump, and checking for code execution. Then editing our exploit use a PowerShell webcradle with Nishang to get a reverse shell 32:51 - Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch disk 37:00 - Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the video to get colors!) 42:00 - PrivEsc #1: Reversing Sync2Ftp to decrypt a password 50:15 - Decompile SyncLocation.exe via DNSPY, then edit the executable to display the decrypted password. 56:15 - Couldn't use PSEXEC with the decrypted creds. Lets use Powershell Invoke-Command to switch users 1:05:25 - PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows! 1:10:50 - Using Chisel to forward 127.0.0.1:14147 to us 1:15:15 - Running the FileZilla Server and connecting to the box through our tunnel to create new users 1:21:53 - PrivEsc #3: JuicyPotato 1:24:53 - Running JuicyPotato to get a system shell
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

The ABCs of reading medical research and review papers these days
Learn to critically evaluate medical research papers by accepting nothing at face value, believing no one blindly, and checking everything
Medium · LLM
#1 DevLog Meta-research: I Got Tired of Tab Chaos While Reading Research Papers.
Learn to manage research paper tabs efficiently and apply meta-research techniques to improve productivity
Dev.to AI
How to Set Up a Karpathy-Style Wiki for Your Research Field
Learn to set up a Karpathy-style wiki for your research field to organize and share knowledge effectively
Medium · AI
The Non-Optimality of Scientific Knowledge: Path Dependence, Lock-In, and The Local Minimum Trap
Scientific knowledge may be stuck in a local minimum, hindering optimal progress, and understanding this concept is crucial for advancing research
ArXiv cs.AI

Chapters (22)

0:52 Start of recon, NMAP
4:35 Using SMBClient to look for OpenShares
4:50 Examining the HTTP Redirect on the page
6:56 Attemping default credentials
8:25 Running GoBuster with PHP Extensions
12:45 Examining the /api/ Requests made in BurpSuite
13:35 Comparing Requests to notice one has a "BEARER" Header. Researching exactly w
14:45 Examining the contents of BEARER/OAUTH2 by base64 decoding it.
15:50 Inducing an error message by placing invalid base64, then trying to get a diff
16:50 See a serialization error, pointing towards JSON.NET, then switching to Window
22:54 Creating a .net Deserialization exploit that will ping us
27:50 Base64 encoding the exploit, starting tcpdump, and checking for code execution
32:51 Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch dis
37:00 Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the
42:00 PrivEsc #1: Reversing Sync2Ftp to decrypt a password
50:15 Decompile SyncLocation.exe via DNSPY, then edit the executable to display the
56:15 Couldn't use PSEXEC with the decrypted creds. Lets use Powershell Invoke-Comm
1:05:25 PrivEsc #2: FileZilla Server - This will require us to pop the box from Window
1:10:50 Using Chisel to forward 127.0.0.1:14147 to us
1:15:15 Running the FileZilla Server and connecting to the box through our tunnel to c
1:21:53 PrivEsc #3: JuicyPotato
1:24:53 Running JuicyPotato to get a system shell
Up next
Cocktail 2 Songs Review: Na Vibe, Na Emotion…Sirf Hype? Where Is The OG Cocktail Magic?
Switch
Watch →