HackTheBox - Reel2

Name: HackTheBox - Reel2
Uploaded: 2021-03-13T15:00:22Z
Channel: IppSec
Description: 00:00 - Intro 01:10 - Start of NMAP 04:20 - Gobuster using a case insensitive wordlist because windows 08:50 - Checking out the application on port 8080...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:10 - Start of NMAP 04:20 - Gobuster using a case insensitive wordlist because windows 08:50 - Checking out the application on port 8080, wallstant 10:30 - OWA Discovering the Exchange version based upon login interface 12:00 - OWA How the "User Enumeration" of Exchange may work... It's time based 14:20 - Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT 19:00 - Using Wallstant to build a username list to perform password spray 24:15 - Using Username Anarchy to take our list of names and build a wordlist of usernames 32:00 - For s…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:10 Start of NMAP

4:20 Gobuster using a case insensitive wordlist because windows

8:50 Checking out the application on port 8080, wallstant

10:30 OWA Discovering the Exchange version based upon login interface

12:00 OWA How the "User Enumeration" of Exchange may work... It's time based

14:20 Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECON

19:00 Using Wallstant to build a username list to perform password spray

24:15 Using Username Anarchy to take our list of names and build a wordlist of usern

32:00 For some reason when using Metasploit's OWA Password Spray, OWA_2010 is broken

34:30 Showing SprayingToolkit to bruteforce OWA without metasploit

39:10 Sending an email address to all users and seeing if anyone clicks the link

41:40 Using Responder to attempt to force the user's computer to give up an NTLMv2 H

47:00 Cracking the NTLMv2 Hash of k.svensson

49:50 Failing to use Evil-WinRM to access the box, switching to powershell on linux

54:10 Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out

56:20 Breaking out of ConstrainedLanguage Mode by creating a function

1:00:00 Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PS

1:04:20 Finding a link to StickyNotes on the desktop

1:06:50 Doing a hex dump of the stickynote log to see there is a password written

1:08:30 Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName p

1:11:50 Using an LFI Vulnerability in the function JEA can do in order to access any f

1:13:30 Using the LFI to get root.txt

1:14:30 Box is done.. Trying to dump the proces and flailing, never get it working but

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →