HackTheBox - Sniper

Name: HackTheBox - Sniper
Uploaded: 2020-03-28T15:01:00Z
Channel: IppSec
Description: 01:05 - Begin of Nmap scans 02:30 - Checking out the website and running a few GoBuster dir searches 04:50 - Examining Links on the blog page and discov...

IppSec · Beginner ·🔐 Cybersecurity ·6y ago

01:05 - Begin of Nmap scans 02:30 - Checking out the website and running a few GoBuster dir searches 04:50 - Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter 08:20 - Discovering .. is a bad character, working around it by starting the path with a slash 10:28 - Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer 12:50 - Configuring SMBd to host a share that is accessible by anonymous users 15:00 - Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution. 19:10 - Powe…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

1:05 Begin of Nmap scans

2:30 Checking out the website and running a few GoBuster dir searches

4:50 Examining Links on the blog page and discover a LFI Vulnerability in the LANG

8:20 Discovering .. is a bad character, working around it by starting the path with

10:28 Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer

12:50 Configuring SMBd to host a share that is accessible by anonymous users

15:00 Testing the SMB Share locally, then testing the RFI with just text, and finall

19:10 Powershell Reverse Shells fail, find out we are in constrained language mode,

24:30 Reverse Shell Returned!

29:00 Discovering Chris's password then using Powershell to run a command as him to

40:10 Going over to Windows to create a malicious CHM file with Nishang's out-chm (v

46:55 Copying the malicious CHM File to c:\Docs and not getting any shell. Simplify

51:30 Using Out-CHM to have it execute NC out of c:\users\chris\downloads\ instead o

53:25 Start of doing the box the second way.

54:15 Explaining the LFI + PHP Session Exploit Chain

56:30 Identify bad characters by creating a in python to to create accounts and test

1:07:00 Testing minimal php code for code execution

1:08:30 Testing Code exeuction with Powershell Encoded commands

1:18:26 Downloading Netcat to the box then executing it for a reverse shell

1:23:00 Uploading Chisel to the box then forwarding ports 3306 and 5985 to us

1:31:40 Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel

1:32:20 Creating a CHM File that includes a file off a SMB Server so we can use Respon

1:40:00 Uploading the CHM and stealing the hash with Responder

1:31:20 Using Hashcat to crack a NetNTLMv2 hash fro

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →