HackTheBox - Nest

Name: HackTheBox - Nest
Uploaded: 2020-06-06T15:06:31Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Showing why we should run NMAP as root or sudo. 04:40 - Running nmap to see only SMB is open, start a full port scan and move on 0...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:00 - Showing why we should run NMAP as root or sudo. 04:40 - Running nmap to see only SMB is open, start a full port scan and move on 05:45 - Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore how each program works 08:20 - Running SMBClient to mount the share 09:20 - Installing CIFS-Utils so we can mount SMB and run commands like find against the share 11:30 - Discovering a password, doing a credential spray and getting some odd results 17:20 - Mounting the shares with as TempUser to discover we have access to more files 22:00 - Using iconv to cat …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:00 Showing why we should run NMAP as root or sudo.

4:40 Running nmap to see only SMB is open, start a full port scan and move on

5:45 Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore

8:20 Running SMBClient to mount the share

9:20 Installing CIFS-Utils so we can mount SMB and run commands like find against t

11:30 Discovering a password, doing a credential spray and getting some odd results

17:20 Mounting the shares with as TempUser to discover we have access to more files

22:00 Using iconv to cat a windows text file because it showed a bunch of bad charac

25:00 Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Dir

27:00 Downloading the source-code to RUScanner in the User share

29:30 Switching to Windows so we can use Visual Studio to compile the RUScanner appl

32:20 Dropping the config in bin/debug and setting a breakpoint on the line of code

35:55 Using CrackMapExec to validate these are valid credentials, then exploring the

39:50 Exploring the application on port 4386 and showing why we need to use TELNET a

42:30 Playing with the various options on port 4386

44:58 Using SMBClient to mount the Users directory as C.SMITH so we can use "allinfo

50:00 Using the custom program on port 4386 and using the DEBUG Options to download

52:30 Using DNSPY to decompile HqkLdap.exe

56:00 Editing the application to print the password

58:20 Running HqkLdap to get the decrypted password, which is the administrator pass

59:20 Using psexec to get a shell on the box as the SYSTEM user

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →