HackTheBox - Fulcrum

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·7y ago

Skills: LLM Foundations85%Prompt Craft80%LLM Engineering70%Fine-tuning LLMs60%Prompting Basics50%

02:08 - Begin of Recon 14:00 - XXE Detection on Fulcrum API 17:40 - XXE Get Files 23:40 - XXE File Retrieval Working 24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation 39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution 47:28 - Shell Returned + Go Over LinEnum 56:49 - Finding WebUser's Password and using WinRM to pivot 01:06:00 - Getting Shell via WinRM, finding LDAP Credentials 01:14:00 - Using PowerView to Enumerate AD Users 01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW) 01:35:35 - Getting shell over TCP/53 on FILE 01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare 01:58:10 - Troubleshooting the error correctly and getting Domain Admin! 02:03:54 - Begin of unintended method (Rooting the initial Linux Hop) 02:09:54 - Root Exploit Found 02:12:25 - Mounting the VMDK Files and accessing AD.

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 42 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: LLM Foundations

View skill →

Getting Started with Vertex AI Gemini 1.5 Flash

I TRAINED AN AI TO SOLVE 2+2 (w/ Live Coding)

I TRAINED AN AI TO SOLVE 2+2 (w/ Live Coding)

How to use the ChatGPT API with Python!!

How to use the ChatGPT API with Python!!

Nicholas Renotte

Gemini 2.5: Create an interactive plot of economic data

Gemini 2.5: Create an interactive plot of economic data

Google DeepMind

LangChain Chatbots: Building a Personalized AI Assistant

LangChain Chatbots: Building a Personalized AI Assistant

Analytics Vidhya

Auto-generating meeting notes with Python

Auto-generating meeting notes with Python

Related AI Lessons

Before I Wrote a Single Line of Code, I Did This And It Changed Everything

Learn how a data analyst's pre-coding research phase transformed their approach to data science and discover the importance of exploratory data analysis

Medium · Data Science

From Spite to a Double Offer: Data Science Intern at Adobe Research

Learn how to land a data science internship at a top company like Adobe Research by following the author's journey from initial rejection to ultimately receiving a double offer

Medium · Data Science

Stop Wasting Cloud Budget: How Polars Cut Our AWS Bill by 90%?

Learn how Polars optimized their AWS bill by 90% by processing only necessary data

Medium · Python

Why Chennai Is Emerging as a Major Center for Data Science Talent in South India

Chennai is emerging as a major center for data science talent in South India, driven by its growing technology economy

Medium · Data Science

Chapters (17)

2:08 Begin of Recon

14:00 XXE Detection on Fulcrum API

17:40 XXE Get Files

23:40 XXE File Retrieval Working

24:30 Lets Code a Python WebServer to Aid in XXE Exploitation

39:45 Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution

47:28 Shell Returned + Go Over LinEnum

56:49 Finding WebUser's Password and using WinRM to pivot

1:06:00 Getting Shell via WinRM, finding LDAP Credentials

1:14:00 Using PowerView to Enumerate AD Users

1:27:06 Start of getting a Shell on FILE (TroubleShooting FW)

1:35:35 Getting shell over TCP/53 on FILE

1:37:58 Finding credentials on scripts in Active Directories NetLogon Share, then find

1:58:10 Troubleshooting the error correctly and getting Domain Admin!

2:03:54 Begin of unintended method (Rooting the initial Linux Hop)

2:09:54 Root Exploit Found

2:12:25 Mounting the VMDK Files and accessing AD.

SQL End of Life migration factory offer | Data Exposed

Microsoft Developer