HackTheBox - Sniper

01:05 - Begin of Nmap scans 02:30 - Checking out the website and running a few GoBuster dir searches 04:50 - Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter 08:20 - Discovering .. is a bad character, working around it by starting the path with a slash 10:28 - Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer 12:50 - Configuring SMBd to host a share that is accessible by anonymous users 15:00 - Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution. 19:10 - Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell 24:30 - Reverse Shell Returned! 29:00 - Discovering Chris's password then using Powershell to run a command as him to upgrade the shell. 40:10 - Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share) 46:55 - Copying the malicious CHM File to c:\Docs and not getting any shell. Simplify the exploit to run ping instead. 51:30 - Using Out-CHM to have it execute NC out of c:\users\chris\downloads\ instead of a SMB Share and getting shell as administrator 53:25 - Start of doing the box the second way. 54:15 - Explaining the LFI + PHP Session Exploit Chain 56:30 - Identify bad characters by creating a in python to to create accounts and test logins 1:07:00 - Testing minimal php code for code execution 1:08:30 - Testing Code exeuction with Powershell Encoded commands 1:18:26 - Downloading Netcat to the box then executing it for a reverse shell 1:23:00 - Uploading Chisel to the box then forwarding ports 3306 and 5985 to us 1:31:40 - Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel 1:32:20 - Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash 1:40:00 - Uploading the CHM and stealing the hash with Responder 1:31:20 - Using Hashcat to crack a NetNTLMv2 hash fro