HackTheBox - PivotAPI

Name: HackTheBox - PivotAPI
Uploaded: 2021-11-06T15:00:13Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap, downloading files over FTP 05:25 - The contents of all the PDF's don't really help. Using exiftool to extract autho...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·4y ago

00:00 - Intro 01:00 - Start of nmap, downloading files over FTP 05:25 - The contents of all the PDF's don't really help. Using exiftool to extract authors. 08:20 - Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat doesn't support. Use downgrade to generate ETYPE 23 and crack the hash 11:15 - Going into what ETPE Means 16:40 - Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugin to dump files 17:30 - Doing some JQ Magic navigate the Spider_Plus data 20:15 - Converting the Outlook Message Files (MSG) to plaintext with msgcon…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Intro

1:00 Start of nmap, downloading files over FTP

5:25 The contents of all the PDF's don't really help. Using exiftool to extract aut

8:20 Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 1

11:15 Going into what ETPE Means

16:40 Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugi

17:30 Doing some JQ Magic navigate the Spider_Plus data

20:15 Converting the Outlook Message Files (MSG) to plaintext with msgconvert

25:00 Running Restart-Oracle.exe with Process Monitor to find out the process is wri

27:00 Removing delete permissions on the Windows Temp Directory, so the Restart-Orac

32:00 Running the extracted executable with Process Monitor to discover it loads dot

34:50 METHOD 1: Opening the extracted executable in x64debug, setting it to break up

38:48 METHOD 1: Opening the dotnet in DNSPY to discover the password

40:25 METHOD 2: Using API MONITOR to examine the API Calls the program makes and fin

47:41 Fixing the permissions on our TEMP Directory with icacls so our user can delet

49:45 Using CrackMapExec to dump a list of all users because the Oracle credentials

53:00 Discovering the MSSQL User and changing oracles password scheme to fit MSSQL

55:25 Downloading Alamot's MSSQL_Shell and getting a shell on the box (unintended wa

58:40 Downloading and running MSSQL Proxy, which will let us create a SOCKS Proxy th

1:12:10 Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a sh

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →