HackTheBox - Tally
Key Takeaways
Exploits a SharePoint vulnerability using GoBuster and cracks a keypass password to gain access to an ACCT share
Original Description
01:45 - Start of NMAP
04:17 - Begin of Sharepoint/GoBuster (Special Sharepoint List)
06:32 - Manually browsing to Sitecontent (Get FTP Creds)
10:18 - Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it.
18:22 - Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24 - Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell
34:35 - Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00 - Begin of RottenPotato without MSF (Decoder's Lonely Potato)
45:56 - Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato
58:00 - Lonely Potato Running to return a Admin Shell
### BOX DONE
01:04:22 - Finding CVE-2017-0213
01:08:33 - Installing Visual Studio 2015 && Compiling the exploit
01:15:50 - Exploit Compiled, trying to get it to work....
01:18:11 - Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
01:28:37 - Found the issue, exploit seems to require interactive process
01:30:00 - Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 40 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
▶
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
Privacy Mask: Chrome extension to anonymize data
Dev.to AI
Top Cryptocurrency Recovery Hub: Finding Legitimate Digital Asset Recovery Experts
Dev.to AI
Reliable Cryptocurrency Recovery Service Helping Recover Hacked Digital Asset Wallets
Dev.to AI
Top Crypto Recovery Experts Specializing in Lost and Stolen Cryptocurrency Cases
Dev.to AI
Chapters (16)
1:45
Start of NMAP
4:17
Begin of Sharepoint/GoBuster (Special Sharepoint List)
6:32
Manually browsing to Sitecontent (Get FTP Creds)
10:18
Mirror FTP + Pillage for information, Find keypass in Tim's directory and crac
18:22
Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24
Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev S
34:35
Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00
Begin of RottenPotato without MSF (Decoder's Lonely Potato)
45:56
Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Pota
58:00
Lonely Potato Running to return a Admin Shell
1:04:22
Finding CVE-2017-0213
1:08:33
Installing Visual Studio 2015 && Compiling the exploit
1:15:50
Exploit Compiled, trying to get it to work....
1:18:11
Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
1:28:37
Found the issue, exploit seems to require interactive process
1:30:00
Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a secon
🎓
Tutor Explanation
DeepCamp AI