HackTheBox - Nightmare

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·7y ago

Skills: Network Security80%

Edit: Whoops forgot @stefano_118 helped create this machine! 01:50 - Start of Recon 04:58 - /documents and /secret rabbit hole enumeration 08:13 - Using wfuzz on the /secret rabbit hole to find argument for download.php 13:40 - Begin of Web Application Enumeration, some XSS Found 18:23 - Throwing bad characters in username and finding Second-Order SQL Injection. 23:50 - Begin of Union Injection to dump the database via second order sql injection 39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH 43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing) 53:00 - Converting 64-Bit SFTP Exploit to 32-Bit 01:11:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary 01:22:55 - Reversing SLS binary with Radare2 (r2) 01:47:53 - Exploiting SLS Binary with new line character (Get to Decoder User) 01:51:47 - Begin of Kernel Exploitation (CVE-2017-1000112) 01:56:00 - Kernel Exploit Compiled (silly mistake before) 01:59:52 - Creating a new lsb-release file so exploit can identify kernel 02:07:03 - Recap of Box 02:09:56 - Creating a Tamper Script to do Second-Order SQL Injection ### #Referenced Videos: ## Holiday Hack Analytics - https://www.youtube.com/watch?v=zcJyhDC9kgo/watch?v=zcJyhDC9kgo ## Charon (Union Injection) - https://www.youtube.com/watch?v=_csbKuOlmdE

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 46 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Network Security

View skill →

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

Building a High-throughput VPN

Configuring Network Connectivity Center as a Transit Hub

VPC Flow Logs - Analyzing Network Traffic

HackTheBox - Intentions

HackTheBox - Intentions

Google Cloud Packet Mirroring with OpenSource IDS

Related AI Lessons

Beyond the 80% Grind: Automated ETL and the Instant Synthetic Data Revolution

Automate ETL processes and generate synthetic data instantly to boost data science productivity

Medium · Data Science

Day 27 of 100 Days of ClickHouse® - Optimizing ClickHouse® Queries for Faster Execution

Optimize ClickHouse queries for faster execution by applying best practices and techniques

Dev.to · Kanishga Subramani

From SQL Beginner to Intermediate: My SQL Learning Journey (Part 2)

Learn how to improve your SQL skills from beginner to intermediate level and why it's crucial for data engineering

Medium · Programming

Data Analytics vs Data Science vs Business Intelligence

Learn the differences between Data Analytics, Data Science, and Business Intelligence to make informed decisions in your organization

Chapters (17)

1:50 Start of Recon

4:58 /documents and /secret rabbit hole enumeration

8:13 Using wfuzz on the /secret rabbit hole to find argument for download.php

13:40 Begin of Web Application Enumeration, some XSS Found

18:23 Throwing bad characters in username and finding Second-Order SQL Injection.

23:50 Begin of Union Injection to dump the database via second order sql injection

39:36 Dumping users and passwords from SysAdmin table and using Hydra to bruteforce

43:54 Enumerating SFTP (Using SSHFS to Dump a File Listing)

53:00 Converting 64-Bit SFTP Exploit to 32-Bit

1:11:46 Reverse Shell Returned, some stuff and finding Set-GID Binary

1:22:55 Reversing SLS binary with Radare2 (r2)

1:47:53 Exploiting SLS Binary with new line character (Get to Decoder User)

1:51:47 Begin of Kernel Exploitation (CVE-2017-1000112)

1:56:00 Kernel Exploit Compiled (silly mistake before)

1:59:52 Creating a new lsb-release file so exploit can identify kernel

2:07:03 Recap of Box

2:09:56 Creating a Tamper Script to do Second-Order SQL Injection

Stop Watching SQL Tutorials (Do This Instead)