HackTheBox - JSON

Name: HackTheBox - JSON
Uploaded: 2020-02-15T15:00:03Z
Channel: IppSec
Description: 00:52 - Start of recon, NMAP 04:35 - Using SMBClient to look for OpenShares 04:50 - Examining the HTTP Redirect on the page 06:56 - Attemping default cr...

IppSec · Beginner ·📄 Research Papers Explained ·6y ago

00:52 - Start of recon, NMAP 04:35 - Using SMBClient to look for OpenShares 04:50 - Examining the HTTP Redirect on the page 06:56 - Attemping default credentials 08:25 - Running GoBuster with PHP Extensions 12:45 - Examining the /api/ Requests made in BurpSuite 13:35 - Comparing Requests to notice one has a "BEARER" Header. Researching exactly what it is. 14:45 - Examining the contents of BEARER/OAUTH2 by base64 decoding it. 15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected bas64 16:50 - See a serializatio…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

0:52 Start of recon, NMAP

4:35 Using SMBClient to look for OpenShares

4:50 Examining the HTTP Redirect on the page

6:56 Attemping default credentials

8:25 Running GoBuster with PHP Extensions

12:45 Examining the /api/ Requests made in BurpSuite

13:35 Comparing Requests to notice one has a "BEARER" Header. Researching exactly w

14:45 Examining the contents of BEARER/OAUTH2 by base64 decoding it.

15:50 Inducing an error message by placing invalid base64, then trying to get a diff

16:50 See a serialization error, pointing towards JSON.NET, then switching to Window

22:54 Creating a .net Deserialization exploit that will ping us

27:50 Base64 encoding the exploit, starting tcpdump, and checking for code execution

32:51 Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch dis

37:00 Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the

42:00 PrivEsc #1: Reversing Sync2Ftp to decrypt a password

50:15 Decompile SyncLocation.exe via DNSPY, then edit the executable to display the

56:15 Couldn't use PSEXEC with the decrypted creds. Lets use Powershell Invoke-Comm

1:05:25 PrivEsc #2: FileZilla Server - This will require us to pop the box from Window

1:10:50 Using Chisel to forward 127.0.0.1:14147 to us

1:15:15 Running the FileZilla Server and connecting to the box through our tunnel to c

1:21:53 PrivEsc #3: JuicyPotato

1:24:53 Running JuicyPotato to get a system shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →