HackTheBox - Quick

Name: HackTheBox - Quick
Uploaded: 2020-08-29T15:15:07Z
Channel: IppSec
Description: 00:00 - Intro 00:48 - Begin of Nmap, examining the page and running gobuster 03:30 - Identifying some extra care 04:30 - Adding portal.quick.htb to the ...

IppSec · Intermediate ·🔐 Cybersecurity ·5y ago

00:00 - Intro 00:48 - Begin of Nmap, examining the page and running gobuster 03:30 - Identifying some extra care 04:30 - Adding portal.quick.htb to the host file so we can resolve hostname 06:00 - Trying to identify if the web application will tell us if an account is valid 07:20 - Building an email list based upon clients and then running wfuzz to try and identify valid emails 12:00 - Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP 16:30 - Installing Quiche so we can navigate to the http3 site 19:40 - Having Quiche download files, discoving an initial password then …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

0:48 Begin of Nmap, examining the page and running gobuster

3:30 Identifying some extra care

4:30 Adding portal.quick.htb to the host file so we can resolve hostname

6:00 Trying to identify if the web application will tell us if an account is valid

7:20 Building an email list based upon clients and then running wfuzz to try and id

12:00 Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP

16:30 Installing Quiche so we can navigate to the http3 site

19:40 Having Quiche download files, discoving an initial password then revisiting th

30:30 Using wfuzz to search the helpdesk for all tickets

35:50 Finding ESIGATE is vulnerable to xml entity injection

40:20 Testing the XXE Attack to see if it connects to our webserver

41:50 The server keeps putting the full URL in its GET Request, which messes with py

45:20 Failing to get a reverse shell to execute via XSLT, switching to download a fi

56:45 Reverse Shell Returned as SAM

58:30 Finding printerv2.quick.htb and a little apache confusion its only listening o

1:04:20 Dumping password hashes from MySQL to discover the server does some mangling o

1:07:45 Creating a cracking script in PHP

1:13:15 Logging into the application and seeing we can print jobs, then looking at sou

1:16:40 Creating a script to abuse the race condition of printing a document. To repl

1:25:20 Printing out the SRVADM SSH Key

1:27:30 Finding a password in the cups configuration file, which is the root password

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →