HackTheBox - Outdated

Name: HackTheBox - Outdated
Uploaded: 2022-12-10T15:02:06Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Running nmap 02:40 - Running CrackMapExec to enumerate the share 04:10 - Talking about a common misconception about "Null SMB Auth...

IppSec · Beginner ·🤖 AI Agents & Automation ·3y ago

00:00 - Intro 01:00 - Running nmap 02:40 - Running CrackMapExec to enumerate the share 04:10 - Talking about a common misconception about "Null SMB Authentication" 08:00 - Downloading a PDF off the open share 08:55 - Using SWAKS to send an emailw ith a link to see if anything clicks it 10:30 - Exploring the CVE's mentioned in the PDF to see one of them is Folina 11:55 - Someone clicked our link! The User Agent Shows WindowsPowerShell/5.1.19041.906, which leaks the patch level of the box 14:00 - Building a Folina Payload 17:00 - Using ConPtyShell as our payload for Folina, so we have a proper P…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:00 Running nmap

2:40 Running CrackMapExec to enumerate the share

4:10 Talking about a common misconception about "Null SMB Authentication"

8:00 Downloading a PDF off the open share

8:55 Using SWAKS to send an emailw ith a link to see if anything clicks it

10:30 Exploring the CVE's mentioned in the PDF to see one of them is Folina

11:55 Someone clicked our link! The User Agent Shows WindowsPowerShell/5.1.19041.906

14:00 Building a Folina Payload

17:00 Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab

21:50 Reverse Shell obtained, discover we are btables and a little enumeration shows

27:30 Running SharpHound

32:20 Importing the results into Bloodhound and seeing we have AddKeyCredentialLink

34:00 Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using E

35:30 Running Invoke-Whisker

41:40 Discovering we are in WSUS Administrators Group, checking if other tools highl

45:50 Going into a SharpWSUS blog post that talks about adding a malicious windows u

46:45 Compiling SharpWSUS

48:30 Making sure SharpWSUS Runs, copying PSExec to the box

50:00 Explaining the SharpWSUS Attack Path

52:00 In typical ippsec fashion, I have a typo in my payload psexec.nexe lol.

55:50 The payload did not work, lets simplify it by removing special characters and

59:55 Shell returned as admin!

1:01:10 Beyond Root: Enable RDP then showing the WSUS Administration Panel

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →