HackTheBox - Worker

Name: HackTheBox - Worker
Uploaded: 2021-01-30T15:04:37Z
Channel: IppSec
Description: 00:00 - Intro 01:05 - Start of nmap 02:50 - Checkign out the open SVN Port 03:45 - Adding the discovered domains to /etc/hosts and checking out the webs...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·5y ago

00:00 - Intro 01:05 - Start of nmap 02:50 - Checkign out the open SVN Port 03:45 - Adding the discovered domains to /etc/hosts and checking out the websites 05:30 - Some grep magic to show only what we want, which is URLS 09:15 - Using GoBuster to see if there are any more more VHOSTS 11:00 - Checking out the SVN and seeing creds in a previous revision (commit) 13:00 - Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to deploy master branch to a server 15:00 - Pushing our webshell to the git master branch and getting shell on the box 16:10 - Choosing the revshell out o…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:05 Start of nmap

2:50 Checkign out the open SVN Port

3:45 Adding the discovered domains to /etc/hosts and checking out the websites

5:30 Some grep magic to show only what we want, which is URLS

9:15 Using GoBuster to see if there are any more more VHOSTS

11:00 Checking out the SVN and seeing creds in a previous revision (commit)

13:00 Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to d

15:00 Pushing our webshell to the git master branch and getting shell on the box

16:10 Choosing the revshell out of the tennc github page

21:40 Creating a powershell one liner to get a reverse shell via Nishang

24:30 Discovering SVN Credentials and using CrackMapExec to find valid passwords

28:50 CrackMapExec was giving me issues, installing it from source with Poetry

30:00 Using CrackMapExec to test a list of credentials without bruteforcing all pass

32:10 Using WinRM to get a shell as Robisl

35:10 Logging into Azure Devops as Robisl and discovering we can edit the build pipe

39:45 Copying our reverse shell to the box, so we can easily execute it from the bui

41:30 UNINTENDED: Doing the box via RoguePotato

42:50 Poorly explaining why we need to use chisel

45:50 Running Chisel to setup a reverse port forward between the target and our box

52:15 Setting up SoCAT to go through our tunnel

52:50 Executing RoguePotato to get an admin shell

53:30 Explaining the tunneling again in MSPaint. Hope this helps.

1:01:40 Doing RoguePotato without socat, just a single Chisel tunnel

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →