HackTheBox - RE

Name: HackTheBox - RE
Uploaded: 2020-02-01T15:00:07Z
Channel: IppSec
Description: 00:30 - Begin of Recon 01:55 - Creating an entry in /etc/hosts for reblog.htb (found on webpage) 04:00 - Reading each blog post and taking notes 07:50 -...

IppSec · Beginner ·🖊️ Copywriting & Content Strategy ·6y ago

00:30 - Begin of Recon 01:55 - Creating an entry in /etc/hosts for reblog.htb (found on webpage) 04:00 - Reading each blog post and taking notes 07:50 - Poking at SMB to see MALWARE_DROPBOX 08:30 - Digging into why SMBMAP says READ_ONLY. Don't get anywhere but its an impacket thing? 12:45 - Installing LibreOffice, then creating a macro to ping us 16:45 - Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of video) 18:00 - Converting our obfuscated macro to a powershell cradle/one lienr (iconv to make it UTF-16LE) 22:20 - Reverse Shell returned as LUKE, showing a way to…

Watch on YouTube ↗ (saves to browser)

Chapters (26)

0:30 Begin of Recon

1:55 Creating an entry in /etc/hosts for reblog.htb (found on webpage)

4:00 Reading each blog post and taking notes

7:50 Poking at SMB to see MALWARE_DROPBOX

8:30 Digging into why SMBMAP says READ_ONLY. Don't get anywhere but its an impacke

12:45 Installing LibreOffice, then creating a macro to ping us

16:45 Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of

18:00 Converting our obfuscated macro to a powershell cradle/one lienr (iconv to mak

22:20 Reverse Shell returned as LUKE, showing a way to get a logged in users hash an

26:25 Running WinPEAS.bat (will do EXE at the end of the video)

35:45 Going over the process_sample.ps1 script to discover a potential WinRAR Vulner

38:09 Using evilWinRAR to generate a ZipSlip like file, forget a trailing slash and

49:00 Switching up the ASPX Shell by using one from the TennC Repository

52:35 Reverse shell as the IIS User

53:30 Doing a Ghidra XXE Vulnerability to steal the users hash

57:00 Copying the XXE Vulnerability in POC

1:04:45 Lol. Found what out i was zipping the file incorrectly

1:07:30 Cracking the new hash we just got

1:09:20 Using Powershell to Invoke-Command with a different user

1:12:55 Begin of unattended route (Changing macro to be RevSvr32 with an SCT File inst

1:21:20 Downloading SharpUp and WinPEAS to compile executables

1:27:30 Using rlwrap for our reverse shell so we have a semi-proper TTY on Windows

1:28:45 Running PowerUp to identify the bad service and playing with a few commands to

1:33:10 Running WinPEASEXE to show the output

1:35:30 Enabling RDP so we can see the error message SharpUp threw

1:37:50 Changing DotNet version in the project properties to get SharpUp working on th

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →