HackTheBox - Vault

Name: HackTheBox - Vault
Uploaded: 2019-04-06T17:24:05Z
Channel: IppSec
Description: 01:08 - Begin of Recon 03:08 - Begin of GoBustering 07:15 - Discovery of an image upload script 08:39 - Attempting to bypass the upload filter 12:46 - R...

IppSec · Beginner ·🔐 Cybersecurity ·6y ago

01:08 - Begin of Recon 03:08 - Begin of GoBustering 07:15 - Discovery of an image upload script 08:39 - Attempting to bypass the upload filter 12:46 - Reverse Shell to ubuntu Returned. Examining Web Source 15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost 19:27 - Resume of poking around the host, discover passwords and other hosts in /home 23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo) 24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop. 27:27 - Discovery of a page that …

Watch on YouTube ↗ (saves to browser)

Chapters (28)

1:08 Begin of Recon

3:08 Begin of GoBustering

7:15 Discovery of an image upload script

8:39 Attempting to bypass the upload filter

12:46 Reverse Shell to ubuntu Returned. Examining Web Source

15:28 ALTERNATIVE: Checking out the host name pollution, setting host header to loca

19:27 Resume of poking around the host, discover passwords and other hosts in /home

23:14 Uploading a static-compiled nmap to the box (static-binaries is a github repo)

24:57 SSH Local Port Forward and Dynamic, to let our Kali box communicate with the n

27:27 Discovery of a page that lets us create ovpn (openvpn) configs and test the VP

28:45 Think i broke the box here, sent unicode to the box.... It stops responding on

32:55 Machine reverted, getting back to where I started.

34:50 Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward

36:12 Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot

38:58 Exploring the DNS Server box.

39:26 Finding a password in /home/dave/ssh

40:15 Discovering Vault's IP Address in /etc/hosts

41:20 Perfoming a NMAP on the vault box, discover two ports closed

41:50 Doing a NMAP with the source port of one of the above ports to test for a lazy

43:20 ALTERNATIVE: Bypassing the firewall by using IPv6

49:47 How to set the source port with SSH via ncat

50:45 Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03

51:35 Dave has the above RSA Key, use SCP to send the file back to Ubuntu

54:45 The file has been copied, using gpg to decrypt the file.

55:39 MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-

57:05 Using Remote-Viewer to connect to the SPICE Port and getting physical access t

57:42 Rebooting Vault by sending the Ctrl+Alt+delete key

58:00 Editing grub to get a root shel

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →