HackTheBox - Multimaster

Name: HackTheBox - Multimaster
Uploaded: 2020-09-19T14:59:38Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration 04:30 - Checking out the web page, finding an API that allows ...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:00 - Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration 04:30 - Checking out the web page, finding an API that allows us to search employees 08:45 - Extracting usernames from the database using the above API 11:45 - Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on BruteFoce and special characters 18:15 - Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: Its content-type!) 21:00 - Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes 25:30 - While …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:00 Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration

4:30 Checking out the web page, finding an API that allows us to search employees

8:45 Extracting usernames from the database using the above API

11:45 Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on

18:15 Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415

21:00 Using unicode to bypass the bad character list, then launching a super slow SQ

25:30 While SQLMap runs, lets manually exploit this

28:15 Found a union injection! Start of creating a Python Script, tons of issues aro

35:30 Basic script is done, we can now send unicode data via python - Then convert t

41:00 CmdLoop done, we can now send raw queries to the database. Lets make an optio

44:10 Script now makes it easy to run UNION Commands and get the output, running thr

47:15 Extracting database information (Table Names)

51:30 Extracting Usernames and hashes from the Logins table, then cracking the passw

1:01:15 Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Admi

1:18:25 Bruteforcing RID's to discover more usernames

1:23:08 Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and Blo

1:39:00 Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file

1:45:45 Discovering a VS Code is running, and some random ports keep opening up. Debu

1:53:34 Testing CEF exploit with ping, then create a powershell cradle. Edit Nishang t

1:58:10 Shell returned as CYORK

2:01:00 Discover a DLL in the web directory, run string

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →