HackTheBox - Bounty

IppSec · Beginner ·🔐 Cybersecurity ·7y ago

Skills: Security Basics90%AI Security80%Defensive AI70%

00:38 - Begin of recon 01:48 - Gobuster, using -x aspx to find aspx pages 03:16 - Playing with a file upload form, seeing what can be uploaded 05:15 - Using Burp Intruder to automate checking file extensions 07:00 - Finding a way to execute code from file upload in ASPX (web.config) 10:55 - Executing code via web.config file upload 13:08 - Installing Merlin to be our C2 15:25 - Compiling the Merlin Windows Agent 18:37 - Modifying web.config to upload and execute merlin 21:14 - Merlin Shell returned! 24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato 27:44 - Getting Admin via Juicy Potato 29:44 - Box completed 30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn 33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working 34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters 36:45 - Metasploit Session Returned! Checking local_exploit_suggester 40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions 40:30 - Getting Admin via MS10-092 42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host #PivotProblems) 47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 60 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Security Basics

View skill →

HackTheBox - Analytics

HackTheBox - Analytics

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

AWS Security Agent (Preview) Overview - Frontier Agent for Proactive AppSec | Amazon Web Services

Amazon Web Services

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Secure Hash Algorithms Using Python- SHA256,SHA384,SHA224,SHA512,SHA1- Hashing In BlockChain

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Bruteforce 32bit Stack Cookie. stack0: part 3 - bin 0x23

Configure and Deploy AWS Client VPN

Configure and Deploy AWS Client VPN

Related AI Lessons

Structural exclusion is the only defense that scales

Learn why structural exclusion is the only defense that scales in software development

How to Turn Raw Indicators into Actionable Threat Intelligence

Learn to turn raw indicators into actionable threat intelligence to enhance cybersecurity

Medium · Cybersecurity

The Anatomy of Clickjacking: From Basic UI Redressing to Advanced Exploits

Learn the anatomy of clickjacking, from basic UI redressing to advanced exploits, and understand its implications on web application security

Medium · Cybersecurity

Phishing Doesn’t Knock on Your Door Anymore. It Lets Itself In.

Learn about the new generation of phishing scams that operate from inside, using tactics like QR codes, calendar invites, and cloned login pages

Medium · Cybersecurity

Chapters (21)

0:38 Begin of recon

1:48 Gobuster, using -x aspx to find aspx pages

3:16 Playing with a file upload form, seeing what can be uploaded

5:15 Using Burp Intruder to automate checking file extensions

7:00 Finding a way to execute code from file upload in ASPX (web.config)

10:55 Executing code via web.config file upload

13:08 Installing Merlin to be our C2

15:25 Compiling the Merlin Windows Agent

18:37 Modifying web.config to upload and execute merlin

21:14 Merlin Shell returned!

24:18 Checking for SEImpersonatePrivilege Token then doing Juicy Potato

27:44 Getting Admin via Juicy Potato

29:44 Box completed

30:00 Start of doing this box again, with Metasploit! Creating a payload with Unicor

33:00 Having troubles getting the server call back to us, trying Ping to see if the

34:17 Reverted box. Have to update our payload with some updated VIEWSTATE paramete

36:45 Metasploit Session Returned! Checking local_exploit_suggester

40:01 Comparing local_exploit_suggester on x32 and x64 meterpreter sessions

40:30 Getting Admin via MS10-092

42:05 Attempting to pivot through the Firewall using Meterpreter and doing Eternal B

47:20 Creating a Python Script to find valid extensions that handles CSRF Checks if

Ubuntu LTS Randomly Broke 12 Year Old GPUs

Brodie Robertson