HackTheBox - Sekhmet

Name: HackTheBox - Sekhmet
Uploaded: 2023-04-01T15:26:32Z
Channel: IppSec
Description: 00:00 - Intro 01:11 - Start of nmap 04:00 - Running ffuf to discover the portal virtual host 06:40 - Logging in with admin:admin and discovering a new c...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Intro 01:11 - Start of nmap 04:00 - Running ffuf to discover the portal virtual host 06:40 - Logging in with admin:admin and discovering a new cookie 09:15 - Looking at the Node-Serialize exploit 10:20 - Attempting to do the exploit and discovering modsecurity blocks us, then putting some unicode in the payload to evade it 16:20 - Whoops forgot to end the payload with (), so thats why we didn't get our shell 17:11 - EDIT Looking at how modsecurity is configured 19:33 - Showing the NGINX Error Log with modsecurity blocking, taking the unique ID going to the modsecurity log to get more i…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Intro

1:11 Start of nmap

4:00 Running ffuf to discover the portal virtual host

6:40 Logging in with admin:admin and discovering a new cookie

9:15 Looking at the Node-Serialize exploit

10:20 Attempting to do the exploit and discovering modsecurity blocks us, then putti

16:20 Whoops forgot to end the payload with (), so thats why we didn't get our shell

17:11 EDIT Looking at how modsecurity is configured

19:33 Showing the NGINX Error Log with modsecurity blocking, taking the unique ID go

25:00 Looking at the JSDECODE transform for modsecurity to fix the rule

30:30 Switching ModSecurity to Detection Only mode or Permissive so we don't block b

31:42 END OF EDIT, putting an SSH Key on the box

34:15 Attempting to unzip the backup.zip, discovering a password but is using ZipCry

40:00 Dumping the sssd.ldb database used to join the linux server to the domain. Get

44:20 Using kinit to get a kerberos ticket, then ksu to switch to root

47:00 Having trouble with tunneling, looking at iptables to see it blocks non-root u

52:30 Looking at the shares to discover a powershell program to reset mobile phone n

1:02:30 Modifying a phone number via ldap and seeing a script will execute what we put

1:11:40 Attempting to steal a NTLMv2 Hash, having trouble because NTLM is disabled

1:14:15 Forwarding port 445 from the webserver to us, so we can use its DNS Name, but

1:20:05 Building a list of users with ldapsearch, then password spraying the password

1:27:00 Downloading dpapi keys and chrome/edge files then using pypykatz to decrypt sa

1:36:11 Got all the files on our box, using pypykatz to

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →