HackTheBox - Outdated

IppSec · Beginner ·🤖 AI Agents & Automation ·3y ago
00:00 - Intro 01:00 - Running nmap 02:40 - Running CrackMapExec to enumerate the share 04:10 - Talking about a common misconception about "Null SMB Authentication" 08:00 - Downloading a PDF off the open share 08:55 - Using SWAKS to send an emailw ith a link to see if anything clicks it 10:30 - Exploring the CVE's mentioned in the PDF to see one of them is Folina 11:55 - Someone clicked our link! The User Agent Shows WindowsPowerShell/5.1.19041.906, which leaks the patch level of the box 14:00 - Building a Folina Payload 17:00 - Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab auto complete on windows rev shells 21:50 - Reverse Shell obtained, discover we are btables and a little enumeration shows we are in a HyperV Container 27:30 - Running SharpHound 32:20 - Importing the results into Bloodhound and seeing we have AddKeyCredentialLink which is a shadow credentials to a user 34:00 - Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using Evil-WinRM to login 35:30 - Running Invoke-Whisker 41:40 - Discovering we are in WSUS Administrators Group, checking if other tools highlight this 45:50 - Going into a SharpWSUS blog post that talks about adding a malicious windows update 46:45 - Compiling SharpWSUS 48:30 - Making sure SharpWSUS Runs, copying PSExec to the box 50:00 - Explaining the SharpWSUS Attack Path 52:00 - In typical ippsec fashion, I have a typo in my payload psexec.nexe lol. 55:50 - The payload did not work, lets simplify it by removing special characters and just executing netcat 59:55 - Shell returned as admin! 1:01:10 - Beyond Root: Enable RDP then showing the WSUS Administration Panel
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

AI Basics You MUST Understand Before Building AI Agent
Learn the essential AI basics before building an AI agent to ensure a strong foundation
Dev.to · Yisak Bule
AiFinPay: Autonomous Payments for ruvnet/ruflo
Learn how AiFinPay enables autonomous payments for AI agents in multi-agent swarms, streamlining workflows and monetization
Dev.to AI
AiFinPay: Autonomous Payments for cirosantilli/china-dictatorship
Learn how AiFinPay enables autonomous payments for AI agents with a one-line payment SDK, empowering seamless transactions and promoting awareness on cirosantilli/china-dictatorship platform
Dev.to AI
Shopify Just Gave AI Agents an Operating Manual. We Built One for WooCommerce.
Shopify's SKILL.md file provides instructions for AI agents to behave when shopping on Shopify, and a similar manual can be built for WooCommerce
Dev.to AI

Chapters (24)

Intro
1:00 Running nmap
2:40 Running CrackMapExec to enumerate the share
4:10 Talking about a common misconception about "Null SMB Authentication"
8:00 Downloading a PDF off the open share
8:55 Using SWAKS to send an emailw ith a link to see if anything clicks it
10:30 Exploring the CVE's mentioned in the PDF to see one of them is Folina
11:55 Someone clicked our link! The User Agent Shows WindowsPowerShell/5.1.19041.906
14:00 Building a Folina Payload
17:00 Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab
21:50 Reverse Shell obtained, discover we are btables and a little enumeration shows
27:30 Running SharpHound
32:20 Importing the results into Bloodhound and seeing we have AddKeyCredentialLink
34:00 Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using E
35:30 Running Invoke-Whisker
41:40 Discovering we are in WSUS Administrators Group, checking if other tools highl
45:50 Going into a SharpWSUS blog post that talks about adding a malicious windows u
46:45 Compiling SharpWSUS
48:30 Making sure SharpWSUS Runs, copying PSExec to the box
50:00 Explaining the SharpWSUS Attack Path
52:00 In typical ippsec fashion, I have a typo in my payload psexec.nexe lol.
55:50 The payload did not work, lets simplify it by removing special characters and
59:55 Shell returned as admin!
1:01:10 Beyond Root: Enable RDP then showing the WSUS Administration Panel
Up next
Build next-gen AI experiences with Google AI Studio and Google Antigravity
Google for Developers
Watch →