HackTheBox - University

Name: HackTheBox - University
Uploaded: 2025-08-09T15:01:33Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 04:00 - Looking at the website, discovering it is Django 11:25 - Exporting a profile, discovering it is using...

IppSec · Beginner ·🔐 Cybersecurity ·7mo ago

00:00 - Introduction 01:00 - Start of nmap 04:00 - Looking at the website, discovering it is Django 11:25 - Exporting a profile, discovering it is using ReportLabs and xhtml2pdf 12:30 - Confirming RCE in Report Labs with ping, then getting a reverse shell 24:00 - Shell on the box, downloading the db, ca, and finding a password 33:00 - Running Rusthound and then looking into bloodhound 38:00 - Discovering other machines, getting the IP Addresses via DNS and/or powershell. Then setting up Chisel 54:50 - Testing our WAO Credential against the windows and linux machine, discovering we get on both.…

Watch on YouTube ↗ (saves to browser)

Chapters (15)

Introduction

1:00 Start of nmap

4:00 Looking at the website, discovering it is Django

11:25 Exporting a profile, discovering it is using ReportLabs and xhtml2pdf

12:30 Confirming RCE in Report Labs with ping, then getting a reverse shell

24:00 Shell on the box, downloading the db, ca, and finding a password

33:00 Running Rusthound and then looking into bloodhound

38:00 Discovering other machines, getting the IP Addresses via DNS and/or powershell

54:50 Testing our WAO Credential against the windows and linux machine, discovering

1:00:30 Signing our own certificate with the CA we downloaded earlier, then logging in

1:15:30 Shell as Martin

1:21:40 Showing a good GuidePoint article on Kerberos Delegation

1:22:55 Using mitm6 and ntlmrelayx on the linux host to hijack a wpad request and own

1:29:15 Using getST to give ourselves administrator access to WS-3 then running Rubeus

1:38:45 Using Rose.L's ticket to read GMSA password, then using that account to impers

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →