HackTheBox - Unbalanced

Name: HackTheBox - Unbalanced
Uploaded: 2020-12-05T15:00:10Z
Channel: IppSec
Description: 00:00 - Introduction 01:03 - Start of nmap 02:27 - Setting Squid up to do a portscan while we work on something else 07:00 - Poking at RSYNC and seeing ...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Introduction 01:03 - Start of nmap 02:27 - Setting Squid up to do a portscan while we work on something else 07:00 - Poking at RSYNC and seeing we can download encrypted config backups 09:40 - Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption 14:30 - Finding the EncFS Config file, and then using John to Crack it 18:15 - Decrypting the config directory and finding a squid password and some hostnames 22:30 - Examining the new website exposed to us, configuring BurpSuite to use the squid proxy 24:00 - Showing the Intranet-Host header is changing…

Watch on YouTube ↗ (saves to browser)

Chapters (29)

Introduction

1:03 Start of nmap

2:27 Setting Squid up to do a portscan while we work on something else

7:00 Poking at RSYNC and seeing we can download encrypted config backups

9:40 Examining files downloaded from RSYNC, specifically looking at entropy to vali

14:30 Finding the EncFS Config file, and then using John to Crack it

18:15 Decrypting the config directory and finding a squid password and some hostname

22:30 Examining the new website exposed to us, configuring BurpSuite to use the squi

24:00 Showing the Intranet-Host header is changing, then accessing Squid Cache Manag

26:15 Using curl to view Squid Cache Information

28:25 Finding a new IP Address for a decomissioned server. Looks like this one has

32:15 Poking at the login form on the intranet-host1, looks like its vulnerable to S

37:30 Trying SQL Injection in the Password Field since the User was behaving weirdly

38:20 Examining what XPATH Injection is

39:15 Confirming it is XPATH Injection by using standard XPATH Payloads

44:10 Using a XPATH Payload to extract the password length for a user

46:00 Using XPATH Injection to bruteforce the password one character at a time

48:40 Using Python to Automate the XPATH Injection to dump passwords

1:01:30 Script near done, grabbing the password for all users

1:06:40 Using Hydra to find one of the users had SSH Access

1:08:30 Reading the TODO and finding pi-hole by checking arp with ip neigh

1:10:10 Creating an SSH Port Forward to access Pi-Hole

1:13:55 Finding Pi-Hole Exploits

1:15:00 Using FFUF to bruteforce the Pi Hole login form

1:17:50 Failing to use public exploits for this

1:19:45 Finding a blog post to examine how this exploit works

1:21:45 Using CyberChef to edit the payload for our Pi Hole exploit

1:23:55 Manually sending the exploit and getting a shell

1:25:00 Findin

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →