HackTheBox - Mentor

Name: HackTheBox - Mentor
Uploaded: 2023-03-11T15:00:15Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of Nmap 03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page 05:30 - Talking about FastAPI,...

IppSec · Beginner ·🧠 Large Language Models ·3y ago

00:00 - Intro 01:00 - Start of Nmap 03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page 05:30 - Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account 07:00 - Logging into the endpoint, discovering how to send authentication to the endpoints. Don't really gain anything 10:40 - Using ffuf to search for extra endpoints and discover /admin/ but can't do anything 14:00 - Running NMAP again with UDP to discover SNMP 17:10 - EDIT: Showing the minrate with nmap to scan UDP much quicker 18:30 - Using SNMP Walk 19:…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:00 Start of Nmap

3:30 Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page

5:30 Talking about FastAPI, attempting to utilize the endpoints but Authentication

7:00 Logging into the endpoint, discovering how to send authentication to the endpo

10:40 Using ffuf to search for extra endpoints and discover /admin/ but can't do any

14:00 Running NMAP again with UDP to discover SNMP

17:10 EDIT: Showing the minrate with nmap to scan UDP much quicker

18:30 Using SNMP Walk

19:40 Using SNMP-BRUTE to bruteforce other community strings

20:45 EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community str

23:05 Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is t

25:00 SNMP Shows running processes and arguments, there was a password passed via ST

28:15 Accessing the Admin Endpoint, and figuring out what parameters it expects via

30:50 Discovering command injection in the backup endpoint

35:19 Shell returned!

37:30 Editing the User Endpoint in FastAPI to dump password hashes. Talking about Py

40:45 EDIT: Showing how we could background out reverse shell with nohup so we don't

47:15 Cracking the hashes and getting svc's password and then logging into the serve

53:00 Doing some light forensics looking for files edited on the box shortly after l

56:45 Finding a password in the snmpd password which gets us root

1:01:10 Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configura

1:04:30 Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we no

1:06:40 Forwarding PostGres to our server with chisel so we can dump the database

1:12:20 Enumerating PostGres manually to dump

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Mentor

Chapters (25)

Playlist

Lesson complete!