Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Find examples of pen testing methods and tools in videos by Ippsec (as of 22nd January 2020)
#!/usr/bin/env python3
"""
Script used to pull down the current video descriptions from ippsec's youtube channel.
The raw output still has a few HTML tags that need to be manually removed and there
also seem to be multiple duplicates of videos that have been removed in the output
saved as ippsec-details.txt
"""
import re
import sys
import requests
from bs4 import BeautifulSoup
def find_playlist_links(url):
resp = requests.get(url)
if not resp.ok:
print("Unable to fetch playlist links for {url}", file=sys.stderr)
return []
matches = re.findall(r'href="\/playlist\?list=(?P<id>.{34})"', resp.text)
return [f"https://youtube.com/playlist?list={i}" for i in matches]
def find_video_links(playlist_url):
resp = requests.get(playlist_url)
if not resp.ok:
print(f"Unable to fetch video links for {playlist_url}", file=sys.stderr)
return []
matches = re.findall(
r'href="\/watch\?v=(.*)\&amp;list=(.*)\&amp;index=(.*)\&amp;t=(.*)s"', resp.text
)
matches = sorted(list(set(matches)), key=lambda comps: comps[2])
return [
f"https://www.youtube.com/watch?v={vid}&list={lst}&index={ix}&t={t}"
for (vid, lst, ix, t) in matches
]
def extract_details(video_url):
resp = requests.get(video_url)
if not resp.ok:
print(f"Unable to fetch video description for {video_url}", file=sys.stderr)
return []
soup = BeautifulSoup(resp.text, "lxml")
raw = soup.find(id="eow-description")
lines = str(raw).split("<br/>")
desc = []
for line in lines:
try:
cleaned = line.split(';">')[1].split("</a>")
desc.append("{} {}".format(*cleaned))
except IndexError:
pass
title = soup.find(id="eow-title").attrs["title"]
desc = "\n".join(desc)
return title, desc
if __name__ == "__main__":
url = "https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/playlists?view=1&sort=dd&shelf_id=0"
for p_link in find_playlist_links(url):
for v_link in find_video_links(p_link):
title, desc = extract_details(v_link)
if title.startswith("HackTheBox"):
print(f"{title}\n{v_link}\n\n{desc}\n\n")
#!/usr/bin/env python3
"""
Grep through the descriptions downloaded from youtube to find timestamps
for techniques and tool tutorials.
"""
import os
import argparse
from collections import defaultdict
DIR = os.path.dirname(os.path.realpath(__file__))
FNAME = os.path.join(DIR, "ippsec-details.txt")
HTB = "HackTheBox"
def grep(pattern, case_insensitive, show_urls):
if case_insensitive:
pattern = pattern.lower()
lines = open(FNAME).readlines()
results = defaultdict(list)
for i, line in enumerate(lines):
_line = line.lower() if case_insensitive else line
if pattern in _line:
k = i - 1
while True:
current = lines[k]
if current.startswith(HTB):
video = current.strip()
url = lines[k + 1].strip()
break
k -= 1
results[f"{video}/{url}"].append(line.strip())
for key, lines in results.items():
video, url = key.split("/", 1)
print(video)
if show_urls:
print(url)
for line in lines:
print(" ", line)
print("")
if __name__ == "__main__":
parser = argparse.ArgumentParser("ippcheck")
parser.add_argument("-i", "--case-insensitive", action="store_true")
parser.add_argument("-u", "--show-urls", action="store_true")
parser.add_argument("pattern", nargs="+")
args = parser.parse_args()
grep(" ".join(args.pattern), args.case_insensitive, args.show_urls)
HackTheBox - Popcorn
https://www.youtube.com/watch?v=NMGsnPSm8iw&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=2&t=0
00:25 - TMUX and Connecting to HTB
02:00 - Virtual Host Routing Explanation
02:40 - File Enumeration (Dirb)
03:59 - Discover of Web App
05:45 - Starting SQLMap in the Background
09:30 - Uploading a PHP Shell
14:01 - Python PTY Reverse Shell (Tab Autocomplete!)
19:25 - MOTD Root (Method 1)
23:50 - Dirtyc0w Root (Method 2)
HackTheBox - Blocky
https://www.youtube.com/watch?v=C2O-rilXA6I&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=3&t=0
01:15 - Begin Recon with Reconnoitre
03:15 - Examining findings from Reconnoitre
06:50 - Decompiling java Jar Files with JAD
08:18 - Using JD-GUI
10:33 - Running WPScan
12:10 - Manually enumerating wordpress users
12:43 - SSH To the box and PrivEsc
15:30 - Rabbit hole, gaining access through FTP
17:09 - Finding Wordpress DB Password
18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress
20:10 - Generating a PHP Password for Wordpress
21:50 - Gaining code execution with Wordpress Admin access
25:40 - Shell as www-data
26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester
30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)</p>
HackTheBox - Vault
https://www.youtube.com/watch?v=LfbwlPxToBc&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=4&t=0
01:08 - Begin of Recon
03:08 - Begin of GoBustering
07:15 - Discovery of an image upload script
08:39 - Attempting to bypass the upload filter
12:46 - Reverse Shell to ubuntu Returned. Examining Web Source
15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost
19:27 - Resume of poking around the host, discover passwords and other hosts in /home
23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo)
24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop.
27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN
28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web.
32:55 - Machine reverted, getting back to where I started.
34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box.
36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports.
38:58 - Exploring the DNS Server box.
39:26 - Finding a password in /home/dave/ssh
40:15 - Discovering Vault's IP Address in /etc/hosts
41:20 - Perfoming a NMAP on the vault box, discover two ports closed
41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987
43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6
49:47 - How to set the source port with SSH via ncat
50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03
51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu
54:45 - The file has been copied, using gpg to decrypt the file.
55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC
57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine.
57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key
58:00 - Editing grub to get a root shell without a password
58:56 - Changing the password to root, then rebooting again
59:30 - Logging in with the new password.</p>
HackTheBox - Celestial
https://www.youtube.com/watch?v=aS6z4NgRysU&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=5&t=0
00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell</p>
HackTheBox - Falafel
https://www.youtube.com/watch?v=CUbWpteTfio&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=6&t=0
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python</p>
HackTheBox - Arkham
https://www.youtube.com/watch?v=krC5j1Ab44I&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=7&t=0
00:55 - Begin of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an openshare
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a luks encrypted file with dd and hashcat
14:00 - Luks cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the java object
18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, lets test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonCollections gadget
26:00 - Creating a python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ySoSerial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a powershell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using evolution to view mbox file and find Batman's password
52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - copying the DLL into c:\users\batman\appdata\local\microsoft\windowsapps
01:08:30 - Using GreatSCT to generate payloads
01:11:50 - Getting a Meterpreter Session then migrating into an interactive process
01:17:45 - Running SystemPropertiesAdvanced.exe, which elevates and executes our dll</p>
HackTheBox - Fulcrum
https://www.youtube.com/watch?v=46RJxJ-Fm0Y&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=10&t=0
02:08 - Begin of Recon
14:00 - XXE Detection on Fulcrum API
17:40 - XXE Get Files
23:40 - XXE File Retrieval Working
24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation
39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution
47:28 - Shell Returned + Go Over LinEnum
56:49 - Finding WebUser's Password and using WinRM to pivot
01:06:00 - Getting Shell via WinRM, finding LDAP Credentials
01:14:00 - Using PowerView to Enumerate AD Users
01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW)
01:35:35 - Getting shell over TCP/53 on FILE
01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare
01:58:10 - Troubleshooting the error correctly and getting Domain Admin!
02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)
02:09:54 - Root Exploit Found
02:12:25 - Mounting the VMDK Files and accessing AD.</p>
HackTheBox - Ariekei
https://www.youtube.com/watch?v=Pc4tzsn-ats&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=11&t=0
00:23 - Explaining VM Layout
01:47 - Nmap Start
05:20 - Poking at Virtual Host Routing (Beehive &amp; Calvin)
10:25 - Fixing GoBuster to find /cgi-bin/
11:48 - Enumerating WAF (Web Application Firewall), to see how it detects Shellshock
15:08 - Using VirtualHostRouting to navigate to Calvin.htb.htb
18:15 - Using ImageTragick to exploit Calvin
25:30 - Calvin Reverse shell returned
31:35 - Poking at /common, which allows pivot to Bastion Host
34:20 - SSH into the Bastion Host
38:45 - Explain SSH Local and Remote Port Forwarding
46:00 - Beehive Reverse Shell Returned
50:00 - Finding the root password via /common/containers/bastion-live/Dockerfile
54:50 - PrivEsc via Docker (much like the LXC shown in Calamity)
57:05 - Getting root access to filesystem
58:10 - Failing to get root shell via Crontab
01:06:20 - Yeah screw crontab, lets just create an ssh key.</p>
HackTheBox - Jail
https://www.youtube.com/watch?v=80-73OYcrrk&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=12&t=0
00:52 - Recon - NMAP
04:05 - Recon - Getting Linux Distro
04:35 - Recon - GoBuster
05:40 - Analyzing Jail.c source
09:45 - Begin Binary Exploitation
15:10 - Verify Buffer Overflow
17:35 - Create Exploit Skeleton
20:50 - Finding EIP Overwrite
23:02 - Adding Reverse TCP Shellcode
30:15 - Switching to "Socket Re-Use" Shellcode
32:20 - Shell Returned
34:00 - NFSv3 Privesc Begin
40:15 - Begin incorrectly playing with SetUID
43:10 - SELinux Escape
45:25 - Using SELinux Escape to copy SSH Key
48:55 - Logging in as Frank
50:00 - Privesc to adm (sudo rvim)
51:44 - Begin of finding a way to root
55:58 - Begin cracking rar file
57:18 - Using Hashcat to generate custom wordlist
HackTheBox - Brainfuck
https://www.youtube.com/watch?v=o5x1yg3JnYI&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=13&t=0
0:20 - Recon
3:40 - Start of WP Hacking
10:30 - Logged into WP
15:00 - Login to SuperSecretForum
25:00 - Cracking the SSH Key
27:15 - Begin of getting root.txt (RSA Cracking)
HackTheBox - Smasher2
https://www.youtube.com/watch?v=ELiicja60jI&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=2&t=0
00:58 - Begin of Recon
02:30 - Using Wireshark to see why Nmap said HTTP 403
06:15 - Running GoBuster to identify /backup
07:05 - Performing a DNZ Zone Transfer with dig axfr
08:50 - Manually playing with the login form to hunt for SQL Injection
10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra
16:42 - Examining /auth endpoint
18:10 - Examining ses.so in Ghidra
20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code
30:00 - Examining get_internal_usr and pwd to discover the bug
33:20 - Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier
36:50 - First time attaching the debugger - Seg faults for some reason.
38:30 - Attaching the debugger again, this time it works. Explaining important registers
39:00 - Stepping through the code trying to make sense of registers. This part may not make sense.
51:50 - Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works
54:25 - Getting command execution
55:50 - Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters
56:50 - Configuring burp to have a hotkey to "Issue Repeater Request" so we don't have to click send
57:18 - Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}
1:01:00 - Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key
1:05:05 - Running LinPEAS to identify paths to privesc
1:09:10 - Downloading the custom Linux Kernel Module: DHID then examine in Ghidra
1:12:00 - Looking at Snowscans blog to test the dev_read function
1:14:15 - Looking at the dev_mmap call
1:15:20 - Looking at MWR LAbs paper on insecure MMAP use in kernel modules
1:16:30 - Explaining what we are going to do - Rewrite credentials in memory
1:19:20 - Going over the first MMAP Call to map memory
1:21:05 - Setting a SSH CONFIG to make it easier to ssh and SCP into Smasher2
1:26:00 - Searching for a credential structure in memory
1:31:20 - Running GetUID to see if the cred structure we modified is ours, if not set it back
1:34:00 - Setting capabilities and running bash upon getting root
1:36:10 - Showing what would of happened if we did not revert credentials back to original.</p>
HackTheBox - Kryptos
https://www.youtube.com/watch?v=4uCoI5YzOwk&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=3&t=0
00:45 - Begin of Recon
02:50 - Examining login request while GoBuster runs
05:35 - Noticing weird behavior by modifying db parameter in login request
07:30 - Finding what the Error numbers mean. (SQL Error Codes)
08:50 - Testing if we can trick the application into authentication against us
09:50 - Starting up metasploit to steal the login hash of a MYSQL Login
12:30 - Cracking the MySQL Hash with Hashcat
16:45 - Creating a databse locally for the application to authenticate to
23:00 - Examining what MySQL Does after authentication in Wireshark
24:30 - Creating the database structure so the application will authenticate against our database
27:00 - Begin of the File Encryptor PHP App
27:30 - Performing a Known Plaintext attack against the RC4 Encryption
28:50 - Explaining the Known Plaintext
37:00 - Creating a Python Script to perform a SSRF attack and decrypt content
54:25 - Script done, discovering a LFI Exploit in /dev/
57:30 - Using PHP Filters to convert LFI to source code disclosure
59:50 - Extracting sqlite_test_page.php source code
01:01:00 - Manually analyzing the source code to discover a way to write files
01:03:00 - Checking PayloadAllTheThings to get a payload for dropping files
01:15:38 - Testing dropping a php script for code execution
01:18:00 - Using Chankro to bypass PHP Disabled functions
01:20:45 - Creating a PHP Script to download Chankro Script to avoid bad characters in the RCE
01:24:50 - Reverse shell returned, finding a VIMCrypted file in Rijndael Home
01:25:35 - Decrypting Creds.txt with a known plaintext attack in VimCrypt 02 (Blowfish)
01:28:20 - Downloading the files to our local box and explaining the attack
01:30:30 - Copying our Python Script from earlier and modify it to work with our VIM File
01:38:20 - Decrypted the creds and use them to SSH
01:39:10 - Analyzing the kryptos.py file
01:41:00 - Testing how random the random is
01:46:00 - Creating a python script to bruteforce the key as we know the randomness is broken
01:57:00 - Script to brute force signing key done
01:58:45 - Getting code execution within the eval statement
02:04:30 - Extra content, showing by using the encrypt method twice early on — you can decrypt pages</p>
HackTheBox - Fortune
https://www.youtube.com/watch?v=_BLd046r-co&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=4&t=0
01:04 - Begin of recon
04:41 - Exploring the web page on port 80
06:02 - Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection
11:06 - Creating a hotkey in Burpsuite to send requests in repeater pane
11:50 - Start of creating a python program to automate this
17:30 - Script finished
18:30 - Exploring /var/appsrv
21:15 - Exploring authpf
22:30 - Hunting for the signing key for the CA to view HTTPS
24:40 - Copying the certificates to our box
26:00 - Creating and signing a Client Certificate
28:50 - Importing the certificate into FireFox
30:49 - Discovering the reason our certificate isn't working (time of server is behind)
31:50 - Accessing the HTTPS Website to get a SSH key for NFSUSER
33:40 - Discovering additional ports are open after using SSH with NFSUSER
34:45 - Installing the NFS-COMMON package to get the showmount binary
35:10 - Mounting a NFS Share with Version 2
36:00 - Editing our User ID on our box to gain access to the NFS Directories
37:00 - Reading mail to discover that the root password is set to the Postgres databases root pw
37:30 - Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)
40:20 - SSH into the box as Charlie and dumping the database
43:40 - Exploring the source code to the web application
47:00 - Copying the crypto python script to our box, which will let us decrypt it
47:40 - Copying the secrets into the crypto python script and decrypting the password</p>
HackTheBox - CTF
https://www.youtube.com/watch?v=51JQg202csw&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=5&t=0
00:52 - Start of Recon, discovering CentOS Version via HTTPD Version
02:15 - Checking out the HTTP Page
03:32 - Checking out login.php
05:15 - Identifying a Secure Token is used, most likely STOKEN
07:05 - Failing to enumerate usernames through BruteForce
09:45 - Fuzzing the login form with special characters to identify a blacklist
11:45 - Trying Double URL Encoding to bypass the BlackList
12:55 - Explaining Double URL Encoding
14:45 - Discovering this is most likely a LDAP Injection
16:50 - Explaining how a LDAP Query Works
19:15 - Identifying the LDAP Query Structure with a Null Byte
20:40 - Injecting the WildCard (*) to enumerate usernames
24:00 - Using Wfuzz to extract the username
26:00 - Enumerating LDAP Attributes that are utilized
30:26 - Creating a python script to extract the Pager Attribute
41:38 - Script complete, lets extract the token
43:45 - Using STOKEN to generate the OTP and logging in
46:00 - Disabling NTP so we can math the server time
46:44 - Discovery of that second half of the original LDAP Query at 16 minutes.
47:33 - Using a Null Byte to remove the GROUP Check.
50:33 - Running Commands
50:25 - Reverse Shell Returned
53:17 - Checking for the LDAP Bind password, then SSHing into the box
55:00 - Going over the /backup directory
58:20 - Using ListFiles to have 7za print our the contents of root.txt</p>
HackTheBox - Reddish
https://www.youtube.com/watch?v=Yp4oxoQIBAM&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=6&t=0
00:55 - Begin of Recon (Port Scans)
04:09 - Reverse Image Searching an favicon to get application used
08:20 - NODE-RED: Reverse Shell Returned
15:30 - NODE-RED: Running IP and Port Scans to identify lateral movement targets
24:29 - Downloading Chisel (Go Program for Tunnels).
25:00 - Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!
27:00 - PowerPoint: Explaining Reverse Pivot Tunnel using Chisel
31:25 - WWW: Tunnel online, examining the website
34:23 - Full Port Scan to 172.19.0.2, discover REDIS
36:30 - Searching for ways to execute code against REDIS
38:07 - Using REDIS to create a PHP Shell
41:06 - PowerPoint: Explaining Local Pivot Tunnel using Chisel
44:30 - WWW: Reverse Shell Returned
45:45 - Notice wildcard used with RSYNC, go search GTFOBins
51:32 - Abusing the wildcard within RSYNC
57:23 - WWW: Got Root, but no flag... Lets go look at RSYNC again.
01:00:15 - Explaining how to tunnel from Backup - WWW - NODE-RED - Kali
01:17:50 - Getting reverse shell on BACKUP via uploading CronJob through rsync
01:20:30 - BACKUP: Reverse Shell Returned... No root.txt here either!?
01:26:30 - BACKUP: Noticing this is has /dev/sda*, where other dockers do not
01:28:15 - BACKUP: Dropping a cronjob on root disk to get shell on the host
01:30:45 - ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel</p>
HackTheBox - Mischief
https://www.youtube.com/watch?v=GKo6xoB1g4Q&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=7&t=0
01:20 - Begin of NMAP
02:30 - Extra nmaps, SNMP and AllPorts
04:00 - Playing with OneSixtyOne (SNMP BruteForce)
07:00 - Looking at SNMPWalk Output
08:40 - Installing SNMP Mibs so SMPWalk is readable
10:05 - Accessing the box over Link Local IPv6 Address
14:00 - Looking at Por 3366 (Website), getting PW from SNMP Info
17:50 - Getting IPv6 Routable Address via SNMP
19:20 - NMAP the IPv6 Address
21:00 - Accessing the page over IPv6
23:00 - Getting output from the command execution page
24:55 - Viewing Credentials Files and accessing the box via SSH
29:00 - Examining why loki cannot use /bin/su (getfacl)
31:00 - Getting a shell as www-data
40:30 - Extra content, reading files via ICMP</p>
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
https://www.youtube.com/watch?v=TVhtjiSedjU&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=8&t=0
01:10 - End of intro, Start of nmap
02:47 - Playing with Second-Order Union Injection
05:44 - Dumping all users
07:15 - Converting SFTP Exploit from 64bit to 32bit
13:27 - Reversing SLS Binary
15:19 - Kernel Exploit
22:31 - First Method - Executing ELF Binaries from memory (Reflective loading elf)
35:57 - Second Method - Crashing a program to create a write-able file.</p>
HackTheBox - Nightmare
https://www.youtube.com/watch?v=frh-jYaUvrU&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=9&t=0
01:50 - Start of Recon
04:58 - /documents and /secret rabbit hole enumeration
08:13 - Using wfuzz on the /secret rabbit hole to find argument for download.php
13:40 - Begin of Web Application Enumeration, some XSS Found
18:23 - Throwing bad characters in username and finding Second-Order SQL Injection.
23:50 - Begin of Union Injection to dump the database via second order sql injection
39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH
43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing)
53:00 - Converting 64-Bit SFTP Exploit to 32-Bit
01:11:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary
01:22:55 - Reversing SLS binary with Radare2 (r2)
01:47:53 - Exploiting SLS Binary with new line character (Get to Decoder User)
01:51:47 - Begin of Kernel Exploitation (CVE-2017-1000112)
01:56:00 - Kernel Exploit Compiled (silly mistake before)
01:59:52 - Creating a new lsb-release file so exploit can identify kernel
02:07:03 - Recap of Box
02:09:56 - Creating a Tamper Script to do Second-Order SQL Injection
HackTheBox - CrimeStoppers
https://www.youtube.com/watch?v=bgKth1K44QA&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=10&t=0
01:18 - Begin of Recon: Getting ubuntu version
04:00 - Navigating to the CrimeStoppers Page
05:15 - First Hint - Read The Source!
05:50 - 2nd Hint - No SQL Databases and playing with the upload form
07:55 - 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt
09:00 - Explanation of PHP App and why I went down testing $op parameter
10:45 - Testing $op parameter, another hint what year is it?
12:20 - Finding out $op appends .php
13:05 - Using php b64 filter to view php files ("Read the source luke")
22:50 - Looking into PHP Wrappers to try to gain code execution
24:50 - Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server
26:20 - Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload.
30:30 - Easy way to copy binary data into BurpSuite (Base64)
34:10 - Getting a shell
37:18 - Downloading ThunderBird Directory and reading email + getting dom's password
46:20 - Begin of looking into Apache Rootkit (mod_rootme)
48:04 - Begin of using r2 (Radare) to analyze rootkit, basic intro
50:55 - Analyzing DarkArmy Function
55:30 - Grabbing the strings and using python to XOR them to get secret that allows root
58:35 - Get Root
59:10 - Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary
01:04:20 - Second way to get root, looking around at file modification times to find FunSociety in logs</p>
HackTheBox - Kotarak
https://www.youtube.com/watch?v=38e-sxPWiuY&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=11&t=0
01:38 - Start of nmap
03:40 - Accessing port 60000
06:20 - Manually enumerating ports on localhost via SSRF
07:00 - Using wfuzz to portscan localhost via SSRF
10:00 - Tomcat creds exposed &amp; Uploading tomcat reverse shell
13:40 - Return of shell
14:20 - Extracting NTDS + SYSTEM Hive
20:20 - Using HashKiller to crack the hashes
21:30 - Escalating to Atanas &amp; Identifying wget vulnerability
27:10 - Starting exploit
33:22 - Exploit failed, light debugging
35:40 - Issue found, not listening all interfaces
39:35 - Root shell returned.
40:10 - Unintentional Root Method (Edited Footage, IP Change)</p>
HackTheBox - Shrek
https://www.youtube.com/watch?v=tI592BjTd4o&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=12&t=0
01:00 - Nmap
02:23 - Examining the Web Page
04:08 - GoBuster
04:53 - Finding /uploads/ Directory
05:50 - Finding /secret_area_51/ Directory
06:20 - Using Audacity to find Steg in Audio
08:50 - FTP With Creds revealed from Steg
10:06 - Examining files downloaded from FTP
12:43 - Finding decryption key + blob
14:33 - Using Python seccure to decrypt ecc
16:05 - SSH Into Shrek as SEC
16:35 - Farquad Rabbit Hole
17:42 - Incident Response : Finding files modified between two times
20:47 - What is /usr/src/thoughts.txt?
21:45 - Privesc through cron running: chown *</p>
HackTheBox - Calamity
https://www.youtube.com/watch?v=EloOaaGg3nA&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=13&t=0
01:28 - Begin of recon
02:20 - GoBuster
03:30 - admin.php discovered, finding the pw
04:50 - Getting Code Execution
07:45 - Finding out why Reverse Shells weren't working
09:45 - Getting a reverse shell by renaming nc
11:30 - Transfering files via nc
14:00 - Opening the wav file
16:25 - Using audiodiff to identify differences in sound
17:05 - The next step, why is the same song there twice?
19:25 - Importing files into Audacity and Inverting
22:25 - Attempting to exploit the process blacklist
24:25 - Unintended root LXC Background
28:30 - Creating an Alpine LXC
30:40 - Importing the image into lxc
32:00 - Creating the container
32:40 - Adding the host drive to container
34:20 - Starting the container and entering it
35:05 - Examining the Process Blacklist script
35:54 - Running through the exploit again on a Ubuntu Host</p>
HackTheBox - Holiday
https://www.youtube.com/watch?v=FvHyt7KrsPE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=14&t=0
00:46 - NMAP Scan and Review
01:53 - GoBuster and identify User Agent based Routing
04:09 - SQLMap the Login
08:00 - Login to the page
08:55 - Begin of XSS
11:15 - Bypass first XSS Filter
14:45 - Encoded JS Payload - Getting XSS to call back to us
16:56 - Using Python to encode JS which will call back to us.
24:25 - Executing the paylaod
25:06 - Stage 2 XSS Attack - XMLHttpRequest
31:30 - Troubleshooting, No code works the first time.
36:00 - Stage 2 Fixed.
40:57 - Initial access to /admin
42:00 - Finding Command Injection
43:40 - Explanation of IP "Encoding"
48:40 - Rev Shell obtained
49:30 - How I found out about the IP Encode Trick
51:40 - Begin of PrivEsc
HackTheBox - Charon
https://www.youtube.com/watch?v=_csbKuOlmdE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=15&t=0
1:30 - Rabbit Hole - Searching for SuperCMS
6:23 - Running enumeration in the background (GoBuster)
7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
12:53 - Manual Identification of SQL Injection
15:50 - SQL Injection Explanation
17:20 - Rabbit Hole - Starting SQLMap in the Background
18:10 - SQL Union Injection Explanation
19:30 - Identifying "Bad/Filtered Words" in SQL Injection
21:02 - SQL Union Finding number of items returned
21:48 - Returning data from Union Injection
22:48 - SQL Concat Explanation
23:55 - Enumerating SQL Databases Explanation (Information_Schema)
25:46 - Returning Database, Table, Columns from Information_Schema
29:30 - Scripting to dump all columns
36:45 - Listing of columns in SuperCMS
37:15 - Dumping User Credentials
41:36 - Logging in and exploiting SuperCMS
47:00 - Return of reverse shell
48:40 - Transfering small files from shell to my machine
50:56 - Using RsaCtfTool to decrypt contents with weak public key
52:52 - Breaking weak RSA manually
1:01:20 - Begin PrivEsc to Root
1:02:40 - Transering large files with NC
1:03:50 - Analyzing SuperShell with BinaryNinja (Paid)
1:06:04 - Analyzing SuperShell with Radare2 (Free)
1:08:22 - Exploiting SuperShell
1:12:46 - Encore. Getting a Root Shell with SetUID Binary</p>
HackTheBox - Joker
https://www.youtube.com/watch?v=5wyvpJa9LdU&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=16&t=0
00:27 - Port Enumeration
02:54 - UDP Port Review
03:40 - TFTP Enumeration
06:30 - Cracking Squid PW
08:00 - FoxyProxy Setup
09:45 - Burp Setup
14:45 - Running Commands
21:20 - Reverse Shell
22:30 - PrivEsc to Alekos #1
28:00 - PrivEsc to Alekos #2
30:37 - Root #1 (SymLink)
30:48 - Root #2 (Tar Checkpoint)
44:45 - Root #3 (Remove Development)</p>
HackTheBox - Ellingson
https://www.youtube.com/watch?v=XVYgBetSvS8&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=2&t=0
01:12 - Begin of recon, examining website seeing the "Hackers" Theme
04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)
05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code
06:00 - Testing if we can connect back to our host with ping or curl (cannot)
08:00 - Dropping a SSH Key via python since we cannot reverse shell
13:00 - SSH into the box as the HAL User and clean up the authorized_key file
13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it
21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)
22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it
24:20 - Using Ghidra to verify we are not missing any functionality
27:30 - Using find to discover what files the adm group is an owner of
28:30 - Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup
31:30 - Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)
35:30 - Using Ghidra to discover the hardcoded password in the garbage binary
37:00 - Exploring the binary, using Ghidra to see if there are any hidden menu options
41:30 - Installing GDB Enhanced Features (GEF) and pwntools for python3
44:20 - Poorly explaining leaking memory addresses by creating a ROP Chain with puts
48:50 - Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)
49:20 - Using pattern create and offset/search within gef to RSP Overwrite Location
51:30 - Using ropper to discover a pop rdi gadget
53:40 - Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak.
01:06:30 - Using Readelf to get important locations in libc and strings to get location of /bin/sh. Then performing all the calculations based upon memory leak
01:15:41 - Putting it all togather to create a gadget chain to get a shell
01:20:00 - Replacing libc memory locations with the ones installed on ellingson
01:22:30 - Running the exploit, getting a root shell, then documenting the code</p>
HackTheBox - Ghoul
https://www.youtube.com/watch?v=kE36IGAU5rg&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=3&t=0
01:29 - Begin of Recon, notice multiple SSH Host Keys
06:15 - Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP
07:30 - Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images
09:00 - Discovering that this TOMCAT page allows the ability to upload images and zips
10:45 - Explaining the ZipSlip Vulnerability
12:20 - Walking through how ZipSlip Works
14:30 - Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip
18:30 - Reverse Shell Returned
18:51 - Looking at Secret.php to get potential usernames and passwords
22:20 - Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path)
25:55 - Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords
35:00 - Using find to list files modified between two dates
39:30 - Copying SSH Keys back to our box
42:30 - Logging into SSH over port 22 with Kaneki and SSH Key
44:00 - Creating a bash script to perform a ping scan to discover other hosts
49:55 - Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host
52:12 - Running the HostScan utility again to find another host, then modifying script to do a portscan
55:00 - Tunneling to the GOGS Box via SSH Tunnels
58:00 - Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits
59:15 - SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925)
01:00:25 - Copying the GOGS Exploit, and logging in with a password we previously found. Note: There is a tool called gogsownz, but it automates so much you don't really learn anything.
01:02:30 - Creating a Repository in GOGS then dropping a file to the box
01:03:50 - Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin
01:06:38 - As an Admin now we can create a Git Hook to execute code upon updating and get a shell
01:11:50 - Searching for what the gosu binary does, finding out it lets us privesc to root
01:18:15 - Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials
01:22:00 - Escalating to root on kaneki-pc (second docker box) via password found
01:25:00 - Abusing SSH Agents to intercept the "SSO Like Token" and swim upstream to the Host OS</p>
HackTheBox - OneTwoSeven
https://www.youtube.com/watch?v=EXuEDHFjS9E&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=4&t=0
00:42 - Begin of recon
01:08 - Examining the webpage
04:28 - Discoving SFTP Credentials on the web page
07:00 - Playing with the SFTP Server
08:40 - Discoving the SymLink command to break out of home directory
09:40 - Symlinking the root directory to find the source of login.php through VIM SWP Files.
13:00 - Second way to get source code, symlink with a file naming ending in not PHP
15:30 - Examining the source code to login.php and getting a hard coded username
18:10 - Examining index.php to see how to access a login portal (admin)
19:20 - Using SSH to do port forwarding (Reddish)
21:20 - Examinig the admin web page
24:13 - Examing the Apache Rewrite Engine Rules
25:10 - Checking the source code to addon-manager to identify how upload/download features work
26:15 - Explaining the Rewrite attack
30:40 - Uploading a reverse shell, then executing
33:30 - Reverse shell returned
34:30 - Can sudo with apt, checking GTFO Bins
36:00 - Looks like we can MITM Apt due to passing a proxy through sudo
37:00 - Configuring Burp to act as an HTTP Proxy and pass it to Python
40:50 - Creating the Malicious APT Repo
45:30 - Creating the Malicious Deb File
51:30 - Getting the Root Shell</p>
HackTheBox - Flujab
https://www.youtube.com/watch?v=_f9Xygr-qHU&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=5&t=0
01:30 - Begin of Recon
04:15 - Adding DNS Names to /etc/hosts
05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages
11:00 - Start of looking at FreeFlujab.htb
15:40 - Looking at HTTP Cookies we send
17:40 - Editing Cookies in Firefox
19:50 - Discovering SMTP_CONFIG, which lets us change where the mail server is
21:50 - Using FireFox to remove character restrictions on a page
24:15 - The WebPage kept resetting our cookie, using Burp to auto replace
27:30 - Standing up a SMTP Server in python to read mail
30:20 - Discovering SQL Injection
34:50 - SQL Injection confirmed, testing Union Injections
37:40 - Creating a Python Script to aid us in running SQL Injections
37:40 - Script: Running a SMTP Server in background thread
41:35 - Script: Adding ability to use arrow keys to go to previous command
46:42 - Script: Making our command prompt send HTTP Requests
52:40 - Dumping database structure from INFORMATION_SCHEMA
1:05:00 - Dumping information out of the VACCINATIONS Table
1:07:50 - User information dumped, cracking a sha256 hash
1:11:00 - Accessing a new HOSTNAME from the database (sysadmin-console-01)
1:16:00 - Logging into Ajenti
1:17:00 - Discovering Notepad can read files from the server
1:24:10 - Looks like there was a SSH Key Compromise on the box from a README File
1:27:40 - Searching the compromised debian keys for one on the box
1:29:48 - Able to SSH Into the box with the Key! However we are in restricted bash
1:30:30 - rBash escape 1: Using GTFOBins to find a way to escape restricted bash
1:32:30 - rBash escape 2: Using -t bash argument in SSH to escape restricted bash
1:33:30 - Exploiting an old version of Screen to PrivEsc!
1:43:40 - Creating files in /home/sysadm
1:46:40 - SSH is configured to allow public keys to also be placed in ~/access
1:48:00 - Reading Ajenti Documentation to see API lets us change file permissions
1:50:00 - Ajenti wants the CHMOD Number to be in a weird format</p>
HackTheBox - Zipper
https://www.youtube.com/watch?v=RLvFwiDK_F8&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=6&t=0
01:15 - Start of NMAP
04:10 - Signing into Zabbix as Guest
05:30 - Getting potential usernames from inside Zabbix and guessing creds
06:30 - Running Searchsploit and looking for vulnerabilties
07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds
10:15 - Modifying the "API" Script
11:15 - Showing a shortcut to skip the Container to Host Lateral Movement.
15:35 - Shell on the Container.
17:25 - Searching for Zabbix MySQL Password
18:35 - Dumping the Zabbix User Database
20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible
23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)
29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork)
32:40 - Running LinEnum on Zabbix Host
35:15 - Examining home directories to find Zapper Creds
36:42 - Examining the "Zabbix-Service" SetUID
39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation
42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service
48:30 - Extra Content: Building a Zabbix API Client from Scratch!
48:55 - "Pseudo Terminal" Skeleton Script via Cmd module
50:00 - Adding Login Functionality
56:08 - Making the script login upon starting
57:50 - Adding functionality to dump users
01:04:00 - Adding functionality to dump groups
01:05:25 - Adding functionality to add users
01:10:45 - Adding functionality to modify users</p>
HackTheBox - Dab
https://www.youtube.com/watch?v=JvqBaZ0WnV4&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=7&t=0
00:40 - Begin of the box
03:20 - Checking the HTTP Ports out
04:38 - Using wfuzz to bruteforce a login on port 80
08:15 - Begin examining port 8080, use wfuzz to bruteforce a cookie
11:30 - Using wfuzz to enumerate the WAF and determine bad characters
14:40 - Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost.
16:50 - Begin examining port 11211 (MemCache)
18:00 - Dumping data from Memcache
23:50 - Using CVE-2018-15473 to enumerate valid users over SSH
27:35 - Cracking the users hash and logging into the box
29:00 - Using R2 to analyzing rabbit hole application "try_harder"
33:30 - Going through LinEnum
38:30 - Using r2 to examine myexec to find password
40:13 - Using r2 to examine libseclogin.so
41:30 - Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library
42:10 - Creating a malicious library to hijack seclogin()
45:10 - Lets bypass the login by hijacking printf()</p>
HackTheBox - Oz
https://www.youtube.com/watch?v=yX00n1UmalE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=8&t=0
00:50 - Start of the box
05:30 - Attempting GoBuster but wildcard response gives issue
07:40 - Start of doing wfuzz to find content
10:38 - Manually testing SQLInjection
13:07 - Running SQLMap and telling it exactly where the injection is
16:04 - Manually extracting files with the SQL Injection
19:50 - Cracking the hash with hashcat
25:00 - Start of examining the custom webapp, playing with Template Injection
27:00 - Explaining a way to enumerate language behind a webapp
35:17 - Reverse Shell returned on first Docker Container
38:00 - Examining SQL Database
39:40 - Doing the Port Knock to open up SSH
43:50 - Gain a foothold on the host of the docker container via ssh
46:00 - Identifying containers running
50:10 - Creating SSH Port Forwards without exiting SSH Session then NMAP through
55:11 - Begin looking into Portainer, finding a weak API Endpoint
59:00 - Start of creating a container in portainer that can access the root file
01:08:25 - Changing sudoers so dorthy can privesc to root
01:09:50 - Lets go back and create a python script to play with SQL Injection</p>
HackTheBox - Falafel
https://www.youtube.com/watch?v=CUbWpteTfio&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=9&t=0
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python</p>
HackTheBox - Vault
https://www.youtube.com/watch?v=LfbwlPxToBc&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=10&t=0
01:08 - Begin of Recon
03:08 - Begin of GoBustering
07:15 - Discovery of an image upload script
08:39 - Attempting to bypass the upload filter
12:46 - Reverse Shell to ubuntu Returned. Examining Web Source
15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost
19:27 - Resume of poking around the host, discover passwords and other hosts in /home
23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo)
24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop.
27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN
28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web.
32:55 - Machine reverted, getting back to where I started.
34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box.
36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports.
38:58 - Exploring the DNS Server box.
39:26 - Finding a password in /home/dave/ssh
40:15 - Discovering Vault's IP Address in /etc/hosts
41:20 - Perfoming a NMAP on the vault box, discover two ports closed
41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987
43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6
49:47 - How to set the source port with SSH via ncat
50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03
51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu
54:45 - The file has been copied, using gpg to decrypt the file.
55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC
57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine.
57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key
58:00 - Editing grub to get a root shell without a password
58:56 - Changing the password to root, then rebooting again
59:30 - Logging in with the new password.</p>
HackTheBox - Carrier
https://www.youtube.com/watch?v=2ZxRA8BgmnA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=11&t=0
00:53 - Begin of Recon
03:30 - Checking out the Web Page
04:20 - Doing UDP/GoBuster Scans
08:20 - Running SNMPWalk and then logging into web interface
10:20 - Reading the tickets on the web page
12:00 - Discovering code execution
16:00 - Reverse Shell Returned
23:15 - Discovering FTP Server 10.120.15.10
26:00 - Gaining access to a Router Interface
27:30 - Using Draw.io to draw out the network
32:40 - Examining routing information
35:45 - Looking at BGP Information
39:00 - First attempt at BGP Hijack, advertising a route
43:30 - Did not work, examining routing loop.
50:50 - Blocking the routing advertisement to AS300
56:50 - Showing the new routing loop (AS300 sends to AS200)
01:00:00 - Telling AS200 not to advertise the route to AS300
01:04:00 - Grabbing FTP Traffic to get root password
01:07:00 - Logging into all 3 routers for some fun
01:08:50 - Hiding from TraceRoute by mucking with TTL's
01:13:20 - Redoing the attack, but showing routing tables on all routers
01:17:30 - Unintended route, Just adding an IP to eth2</p>
HackTheBox - Waldo
https://www.youtube.com/watch?v=1klneIHECqY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=12&t=0
01:15 - Begin of Recon
02:00 - Looking at what Filtered means in Nmap
05:00 - Start of looking at webpage (GoBuster)
06:30 - Manual HTTP Enumeration
09:50 - Start of exploiting with BurpSuite
17:00 - SSH Key Found, logging in with nobody
19:12 - Discovering a second SSH Server
23:36 - Using the same SSH Key to login to the second SSH Server as monitor
24:38 - Escaping rBash by modifying an executable file in our current $PATH
28:13 - Running LinEnum.sh to search for PrivEscs
30:50 - Enabling ThoroughTests in LinEnum to see what else it will check
36:30 - Looking into capabilities permission sin linux
39:00 - Begin of second way to escape rBash and setup a SSH Tunnel for fun</p>
HackTheBox - Hawk
https://www.youtube.com/watch?v=UGd9JE1ZXUI&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=13&t=0
01:00 - Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver
03:50 - Checking FTP Server for hidden files
04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher
08:20 - Creating a bunch of files varying in length to narrow likely ciphers down.
14:35 - Encrypting all of the above files and checking their file sizes
22:45 - Decrypting file, obtaining a password
24:25 - Begin looking at Drupal, running Droopescan
25:12 - Manually examining Drupal, finding a way to enumerate usernames
25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames
28:15 - Logging into Drupal with Admin.
29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code
32:30 - Reverse Shell Returned
33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root
37:00 - Hunting for passwords in Drupal Configuration
39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed)
40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel
44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address
50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
51:45 - Logging into H2 by using a non-existent database, then testing code execution
52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
59:50 - Reverted box, cleaning up environment then getting reverse shell
01:02:45 - Discovering could have logged into the database with Drupal Database Creds.</p>
HackTheBox - Tartarsauce
https://www.youtube.com/watch?v=9MeBiP637ZA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=14&t=0
01:10 - Begin of recon
03:00 - Discovery of Wordpress and fixing broken links with burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra, (Rabbit Hole)
13:05 - Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming monstra was read-only
18:50 - Running LinEnum.sh to see www-data can run tar via sudo
20:30 - Use GTFOBins to find a way to execute code with Tar
22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
24:10 - Examining backuperer script
26:00 - Hunting for vulnerabilities in Backuperer
32:15 - Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false
34:20 - Begin of exploiting the backuperer service by exploiting intregrity check
36:40 - Creating our 32-bit setuid binary
39:16 - Replacing backup tar, with our malicious one. (File Owner of Shell is wrong)
40:54 - Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root
42:30 - Exploiting the Backuperer Service via SetUID!
45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service</p>
HackTheBox - DevOops
https://www.youtube.com/watch?v=tQ34Ntkr7H4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=15&t=0
00:54 - Start of Recon
03:10 - Start of GoBuster
04:00 - Looking at /upload, testing with a normal XML File
06:15 - Valid XML File created, begin of looking for XML Entity Injection XXE
08:20 - XXE Returns a a local file off the server
09:30 - Grabbing the source code to the webserver to find newpost function.
11:35 - Discovery of vulnerability due to user data being passed to pickle
12:44 - Creating the script to exploit pickle
16:38 - Reverse shell returns!
19:55 - Poking around at Source Code
20:15 - Discover of an SSH Key within deployment stuff.
21:15 - Trying SSH Key for other users on the box to see if it is valid
22:57 - Hunting for git filers, the boxes name is "Gitter" and we have an SSH Key that goes nowhere.
23:00 - Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!
23:45 - Examining Git Log to see the SSH Key has changed!
25:20 - SSH'ing with the old key, to see it's root's key.
25:58 - The webserver could read Roosa's SSH Key. Could bypass the entire pickle portion
26:20 - Start of "Extra Practice"
27:40 - Creating a Python Script to automate the LFI With XXE
35:50 - Script completed, lets improve it to try to download an exposed git repo</p>
HackTheBox - Olympus
https://www.youtube.com/watch?v=7ifJOon5-G8&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=16&t=0
01:30 - Begin of Recon, nmap filtered explanation
03:30 - Begin of initial DNSRecon, hunting for a domain name
06:04 - Web page enumeration, finding xdebug in header
09:47 - Installing xdebug plugin in Chrome to show its use
12:50 - Getting a reverse shell on the first docker (Icarus)
15:00 - Setting up nginx to accept files uploaded over HTTP / WebDav
20:30 - Examining the Wireless Capture from Icarus
21:30 - Cracking WPA with aircrack / hashcat
25:00 - Decrypting WPA traffic in Wireshark
27:50 - Enumerating valid usernames via SSH (CVE-2018-15473)
33:15 - SSH into port 2222 with information from Wireless Capture
34:40 - Domain Name found! Time to do a DNS Zone Transfer
36:15 - Port Knocking to open up port 22
40:05 - PrivEsc to root via being a member of the Docker Group</p>
HackTheBox - Canape
https://www.youtube.com/watch?v=rs75y2qPonc&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=17&t=0
00:43 - Start of Recon, nmap and poking around the website
04:00 - Dirbusting a site that always respond 200
09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common)
10:48 - Discovery of .git - Poking around to clone it and download
15:10 - Downloaded .git, examining commit history
19:50 - Start of Pickle Talk
21:25 - Begin writing of the pickle exploit
28:45 - Return of Reverse Shell as www-data
32:30 - Begin looking into CouchDB
34:00 - Poking around at documents within CouchDB
36:15 - Examining first exploit with creating a CouchDB User
39:50 - Exploring the passwords database with our newly created admin user and finding Homers Password.
42:00 - Getting root with sudo pip install
45:55 - Box Done. Begin second unintended way to get to Homer User
47:03 - Playing with the public RCE Exploit for CouchDB
48:20 - Running the exploit
49:36 - Examining the exploit, doing each step manually to see where it fails
54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this work?
55:55 - Digging into how erlang works
57:30 - Finding default CouchDB Cookie
59:10 - Connecting to the Erlang pool then searching for how to run commands.
01:01:54 - Exploring how to send long commands as distributed task
01:04:30 - Getting reverse shell
HackTheBox - Poison
https://www.youtube.com/watch?v=rs4zEwONzzk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=18&t=0
00:56 - Start of recon, use Bootstrap XSL Script to make nmap pretty
03:10 - Looking at nmap in web browser
03:52 - Navigating to the web page, and testing all the pages.
06:25 - Testing for LFI
07:00 - Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)
08:40 - Testing for RFI (Remote File Inclusion) [not vuln]
10:00 - Code Execution via LFI + phpinfo()
14:45 - Modifying the PHP-LFI Script code to get it working
17:10 - Debugging the script to see why tmp_name couldn't be found
20:12 - Shell returned!
21:25 - Looking at pwdbackup.txt and decoding 13 times to get password.
23:37 - SSH into the box (Do not privesc right away!)
24:29 - Getting shell via Log Poisoning
26:39 - Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (<a href="#" onclick="yt.www.watch.player.seekTo(42*60+50);return false
28:47 - Begin of PrivEsc, grabbing secret.zip off
32:38 - Searching for processes running as root, find VNC
33:49 - Setting up SSH Tunnels without exiting SSH Session.
37:43 - Something weird happend... Setting up SSH Tunnels manually.
40:10 - PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password
41:40 - Decrypting the VNC Password because we can.
42:50 - Examining the log file to see why our Log Poison Failed, then doing the Log Poison</p>
HackTheBox - Stratosphere
https://www.youtube.com/watch?v=uMwcJQcUnmY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=19&t=0
01:11 - Begin of recon
03:48 - Manually checking the page out
04:30 - Discovering the webserver is java/tomcact
05:35 - Starting up GoBuster / Hydra
09:40 - The Directory /Monitoring was found - Discovering its Struts because of .action
11:00 - Stumbling upon an exploit trying to find out how to enumerate Struts Versions
14:10 - Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off
21:10 - Using a HTTP Forward Shell to get around the strict firewall
22:40 - Go here if you want to start copying the Forward Shell Script
23:34 - Explaining how it works
25:10 - Explaining the code
31:06 - Forward Shell Returned - Enumerating Database to find creds
37:29 - Examining User.py
40:15 - Privesc: Abusing Python's Path to load a malicious library and sudo user.py</p>
HackTheBox - Craft
https://www.youtube.com/watch?v=3znkLWakuUA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=2&t=0
01:20 - Begin of recon
03:18 - Checking out the HTTPS Certificate for potential hostnames
05:10 - Looking at api.craft.htb, appears to be some type of Documentation for the REST API
06:40 - Looking at gogs.craft.htb, no known exploits but there is some source code!
09:20 - Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out
11:25 - Attempting to crack the JWT (fails)
13:30 - Going back to the issues to see there is an eval() on user input
16:25 - Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog
18:57 - Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits
21:20 - Discovering Dinesh's credentials in an old git commit
25:05 - Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding
28:28 - Testing Code Execution from the previous git issue, use the test.py script as a skeleton.
31:30 - Getting a reverse shell with this exploit using exec(base64)
35:10 - Reverse Shell Returned
36:15 - Grabbing settings.py on the server to get a bunch of credentials
37:30 - Fixing our terminal to have the correct rows/columns so we can use vi
40:18 - Editing dbtest.py to dump all users from the database
42:00 - Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret
45:25 - Manually crafting a JWT in Python to show what to do if you are successful at cracking... Then trying to create a JWT that is not signed
49:10 - Logging into GOGS with the credentials we got from dumping the database
50:20 - Gilfoyle as a private repo, lets download it
53:30 - Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo
58:00 - An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS
01:00:00 - Bunch of references to Vault in LinPEAS, looking into what this is.
01:02:20 - The .vaulttoken file is saved creds, lets just use vault ssh to login to the box</p>
HackTheBox - Celestial
https://www.youtube.com/watch?v=aS6z4NgRysU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=20&t=0
00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell</p>
HackTheBox - Aragog
https://www.youtube.com/watch?v=NFdi-2tgvxY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=21&t=0
01:26 - Start of Recon
03:25 - Notice SSH configured for Pub Key Only. Hint at what to grab later!
03:50 - Grabbing test.txt off ftp server via anonymous auth
04:07 - Determining if I want to go down the "Exploit VSFTPD" rabbit hole
05:54 - Viewing test.txt and hosts.php
06:48 - Figuring out how hosts.php works and discovering XXE
08:58 - Start of XXE Discovery
10:16 - Making the XXE Output /etc/passwd
11:33 - Encoding output in Base64 in order to view PHP Files
12:58 - Using Burp Intruder to BruteForce Files
16:20 - Creating a program to bruteforce home directories
26:41 - Program Finished. Finding SSH ID_RSA Key
28:15 - Low Priv Access Granted
30:24 - LinEnum.sh shows Wordpress CHMOD'd to 777
31:05 - Examining Wordpress Site (big hint left by author)
32:10 - Enumerating MySQL Database
35:15 - Giving up on MySQL, lets edit PHP Files to dump passwords!
36:50 - Identifying the file we want to backdoor
37:51 - Placing our PHP Code
42:06 - Got the password!</p>
HackTheBox - Flux Capacitor
https://www.youtube.com/watch?v=XLIBbkQJKuY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=22&t=0
01:25 - Begin of recon
02:20 - Wiresharking NMAP to identify fingerprint
05:53 - Checking the WebPage
09:15 - Finding /sync and why web browser has a 403
12:45 - Using wfuzz to find what arguments /sync takes
15:45 - The actual wfuzz command
20:30 - Finding Bad Characters with wfuzz
24:51 - Getting command execution
32:00 - Getting a reverse shell
43:40 - Privesc to root abusing custom script
47:48 - Examining how NGINX/OpenResty was configured</p>
HackTheBox - Inception
https://www.youtube.com/watch?v=J2I-5xPgyXk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=23&t=0
01:05 - Start of Recon + Finding dompdf
08:30 - PHP Wrappers + Failed testing for RCE
11:35 - Writing Python Program to automate file disclosure bug
18:40 - Finding WebDav Configuration + Uploading Files for RCE
25:50 - Modifying Sokar's Forward Shell (PTY over HTTP)
33:55 - Forward shell returned
38:50 - Using Squid to pivot to ports listening locally + NMAP via ProxyChains
47:48 - Getting nmap on Inception to speed up scanning private network
59:16 - Nmap results returned for 192.168.0.1, FTP Anonymous Login
1:01:15 - Finding TFTP as a Running Service
1:06:35 - Using TFTP to grab crontab &amp; creating a pre-invoke apt script</p>
HackTheBox - Enterprise
https://www.youtube.com/watch?v=NWVJ2b0D1r8&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=24&t=0
01:00 - Begin of recon
10:00 - Finding the vulnerable Wordpress Plugin
17:50 - Exploiting lcars plugin
28:30 - Logging into WP and Getting Reverse Shell
35:00 - Wordpress RevShell Returned
40:00 - Using Meterpreter to pivot and provide access to MySQL
50:00 - MySQL Shell Returned
52:00 - Logging into Joomla and Getting Reverse Shell
57:20 - Joomla Reverse Shell returned
59:00 - Getting Reverse Shell on Host OS (port 443)
1:02:00 - Shell Returned begin of local privesc recon
1:12:06 - Beginning of Binary Exploitation
1:21:00 - Start writing exploit script
1:28:30 - Analyzing the PHP SQL Injection Scripts
1:36:30 - Viewing what SQLMap does to exploit this
1:40:00 - Stepping through Double Query Injection
1:47:20 - Writing our own SQL Injection Exploit Script</p>
HackTheBox - Node
https://www.youtube.com/watch?v=sW10TlZF62w&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=25&t=0
00:45 - Begin of NMAP
03:00 - GoBuster (Fails)
08:15 - Screw GoBuster, BurpSpider FTW
09:12 - Examing Routes File to find more pages
10:10 - Finding Credentials and downloading backup
14:45 - Cracking the zip with fcrackzip
16:45 - Finding more credentials (SSH) within MongoSource
21:50 - Privesc to Tom User
35:04 - Analyzing Backup Binary File
36:49 - Using strace to find binary password
40:25 - Finding blacklisted characters/words
50:00 - Unintended method one, abusing CWD
52:20 - Unintended method two, wildcards to bypass blacklist
54:45 - Unintended method three, command injection via new line
59:15 - Intended root Buffer Overflow ASLR Brute Force
HackTheBox - SolidState
https://www.youtube.com/watch?v=_QapCUx55Xk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=26&t=0
HackTheBox - Nineveh
https://www.youtube.com/watch?v=K9DKULxSBK4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=27&t=0
00:00 - Intro
01:58 - Begin Recon (NMAP)
04:19 - GoBuster HTTP + HTTPS
06:35 - Accessing Pages
07:05 - Using Hydra against HTTP + HTTPS Web Forms
11:30 - Logging into HTTP and hunting for vulns
17:00 - Second Hydra attempt against HTTPS
17:57 - Logging into HTTPS (phpLiteAdmin)
20:17 - Chaining Exploits to get Code Execution
26:38 - Reverse Shell Returned
28:00 - LinEnum.sh Script Review
31:30 - Watching for new Processes
37:00 - Found the error in script :)
39:30 - Getting reverse root shell
41:51 - Intended Route to get User
46:12 - Reviewing Knockd configuration
49:33 - Doing the PortKnock</p>
HackTheBox - Europa
https://www.youtube.com/watch?v=OsxDB41jg6A&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=28&t=0
00:24 - Recon with Sparta
02:00 - Enumerating SSL Certificate
03:55 - Manually View SSL Certificate
04:35 - VirtualHostRouting Explanation
07:42 - SQL Injection - Auth Bypass
13:00 - Dumping the Database with SQLMap
16:45 - Begin of Web Exploit (Regex //e)
23:00 - Getting a Shell
27:10 - Begin PrivEsc (CronJob)</p>
HackTheBox - Apocalyst
https://www.youtube.com/watch?v=TJVghYBByIA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=29&t=0
01:26 - Enumeration Start
02:58 - WPScan Start
05:40 - Directory Scanning with GoBuster
10:54 - Examining WPScan Output
13:40 - Bruteforcing with WPScan
14:40 - Bruteforcing HTTP Post with Hydra
18:30 - Edit WP Theme to get Code Execution
22:09 - Return of Reverse Shell
26:25 - Privelege Escalation Word Writeable Passwd</p>
HackTheBox - Luke
https://www.youtube.com/watch?v=gaBdfD4BGBo&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=3&t=0
00:40 - Begin of Recon
02:45 - Checking FTP to get a note
03:38 - Going to each of the three websites
04:30 - Running Gobuster on port 80/3000
06:30 - Taking notes of all the login pages (forgot Ajenti)
07:55 - config.php found which has a password
10:15 - Discovering /login on port 3000 accepts username=&amp;password=
11:25 - Successful login! JWT Token returned
14:00 - Using curl to add the JWT Token in the header to access other api endpoints
15:10 - Using BurpSuite to add headers
18:30 - Navigating the Rest API to dump the usernames and passwords
20:30 - Attempting logins on other services
21:30 - Derry can login to /management
22:50 - Ajenti Password! Lets try logging in
22:30 - Ajenti has a virtual terminal that is running as root!
26:20 - Extra Content - Getting a reverse shell
28:30 - Grabbing the JWT Secret, so we can forge our own tokens!
29:10 - Creating a python script to generate JWT Tokens
30:20 - This token has no expiration time, and is assigned at 0. Should never expire!
31:30 - Adding Requests to our script, so the script can make web requests
33:15 - Lets try removing all signing algorithms from the token and see if server accepts it
34:40 - Cracking the JWT Token Signing key with Hashcat</p>
HackTheBox - Sneaky
https://www.youtube.com/watch?v=1UGxjqTnuyo&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=30&t=0
00:00 - Intro
00:44 - Recon + Web Enum
01:33 - SQL Injection
05:30 - Start of IPv6 Talk
06:30 - What is an IPv6 IP Address?
11:27 - Types of IPv6 Addresses
14:06 - IPv6 Subnetting Explained
21:20 - End of IPv6 Primer, Exploit time!
22:43 - Method 1: Getting MAC and calculating fe80
30:30 - Method 2: Enumerating Networks by pinging Multicast
33:56 - Extra: Getting Windows to respond from Multicast Ping
38:07 - Extra: NMAP Scanning ipv6 local networks
40:15 - Convert RPM to DEB (Needed for install nmap on tenten)
41:30 - Intended Solution: Getting IPv6 via SNMP
43:58 - No SNMP MIB Output
45:58 - Getting SNMP MIBS Installed and Configured
47:52 - Tool: Enyx - SNMPv6 Enumeration via Python
50:44 - Privesc Enumeration
52:49 - Buffer Overflow</p>
HackTheBox - Lazy
https://www.youtube.com/watch?v=3VxZNflJqsw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=31&t=0
00:39 - Basic Web Page Discovery
03:30 - Examining Cookies - Pt1 (Burp Sequencer)
05:05 - Fuzzing Usernames (2nd Order SQL Injection)
07:15 - Examining Cookies - Pt2
07:40 - Cookie Bitflip
12:45 - Oracle Padding Attack - Pt1
15:30 - Rooting the Box
22:50 - Oracle Padding Attack - Pt2</p>
HackTheBox - Haircut
https://www.youtube.com/watch?v=9ZXG1qb8lUI&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=32&t=0
01:45 - GoBuster
04:40 - Exploiting exposed.php
11:40 - Getting Shell
20:09 - Screen Privesc</p>
HackTheBox - CronOS
https://www.youtube.com/watch?v=CYeVUmOar3I&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=33&t=0
HackTheBox - Tenten
https://www.youtube.com/watch?v=A4U3xiRWfsU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=34&t=0
HackTheBox - October
https://www.youtube.com/watch?v=K05mJazHhF4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=35&t=0
00:45 - Pulling up Web Page.
01:10 - Searchsploit
02:40 - Enumerating Version (Download Versions, Hash Static Files)
08:20 - Default cred /backend -- Upload Shell
09:51 - User Reverse Shell
12:10 - Transfering file over nc
14:45 - Begin "fuzzing" Binary
16:15 - GDB Analysis
18:46 - Get a full reverse shell with tab autocomplete.
19:00 - Showing ASLR changing address
20:20 - Disable ASLR on Exploit Dev Machine
21:15 - Start of exploit development for ovrflw binary (Pattner_Create)
27:27 - Start of Return to LibC attack - Getting Addresses
37:20 - Grabbing memory locations off October Machine
41:00 - Convert script to Bruteforce ASLR</p>
HackTheBox - Popcorn
https://www.youtube.com/watch?v=NMGsnPSm8iw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=36&t=0
00:25 - TMUX and Connecting to HTB
02:00 - Virtual Host Routing Explanation
02:40 - File Enumeration (Dirb)
03:59 - Discover of Web App
05:45 - Starting SQLMap in the Background
09:30 - Uploading a PHP Shell
14:01 - Python PTY Reverse Shell (Tab Autocomplete!)
19:25 - MOTD Root (Method 1)
23:50 - Dirtyc0w Root (Method 2)
HackTheBox - Unattended
https://www.youtube.com/watch?v=2SATzCQY0Zw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=4&t=0
01:00 - Begin of recon
03:30 - Running GoBuster to discover /dev and index.php
06:50 - Checking out the web application
07:55 - Discovering SQL Injection in ID and playing with it
11:45 - Running SQLMap to dump pieces of the database
14:55 - Nginx Misconfiguration, missing trailing slash
19:10 - Downloading source code of the application
21:20 - Exploring the source of the application
25:47 - Specifying an error string in SQLMap to have it do boolean logic versus time-based
27:00 - Installing a Docker LAMP Server to run the web application
45:40 - Finally got the application running locally (Missed a comma which created a lot more work)
46:15 - Analyzing the SQL Injection with Debug turned on to see how it works
50:00 - Explanation of gaining code execution through an LFI + PHP Cookies
53:00 - Exploring the cookie
55:40 - Have code execution on our docker, lets exploit the server
01:00:00 - Reverse Shell returned
01:02:35 - Exploring MySQL database and escalating to GULY
01:08:30 - Running LinEnum as Guly and going through the results
01:12:00 - Exploring files Guly can access due to Grub Group, downloading initrd
01:14:10 - Decompressing initrd.img and looking for the file GULY modified
01:21:20 - Running STRACE to see what uinitrd does
01:24:20 - Running uinitrd after modifying /etc/hosts and /boot/guid
01:26:20 - Extra Content: If you had trouble with TTY, SSH is accessible via IPv6
01:30:50 - Extra Content: Runing GIXY to analyze the NGINX Configuration
01:35:20 - Extra Content: Looking at uinitrd in Ghidra</p>
HackTheBox - LaCasaDePapel
https://www.youtube.com/watch?v=OSRCEOQQJ4E&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=5&t=0
01:05 - Start of nmap
02:50 - Attempting to execute an VSFTPD Backdoor via MSF
03:40 - Discovering the backdoor opened 6200, discovering a weird shell
04:50 - Lets figure out what just happened
06:50 - Triggering the backdoor without Metasploit
09:05 - Exploring the Psy PHP Shell opened up by the backdoor
10:20 - Several functions for executing bash aren't working, checking disable_functions
11:40 - Attempting to bypass disabled_functions (does not work)
12:50 - Using ScanDir() and File_Get_Contents(), to explore the filesystem
14:50 - Identifying we are probably running as the Dali User (Unintended Path)
17:00 - Downloading CA.KEY, which is a private key to a webserver
21:40 - Using the CA.KEY to generate client certificates to access the HTTPS Page
30:25 - Weird it didn't work, lets just verify all our certificates are good
32:28 - This time it worked! We connected to the server
33:20 - Failing to add the certificate to BurpSuite
33:50 - Discovering File Traversal by editing the PATH variable
36:38 - Discovering the LFI just puts the path as Base64 Encoded
37:15 - Using the LFI to download the SSH Private Key
38:45 - Testing SSH Key against users on the box to gain access!
39:13 - UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell
40:30 - UNINTENDED: Using file_put_contents() to append our public key to authorized_keys
41:30 - UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)
42:30 - UNINTENDED: Scanning ports on Dali that are listening on LocalHost
43:08 - UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication!
45:35 - Running PSPY and LinEnum
50:20 - Using PSPY to view FileSystem Events which will show the cron
52:30 - Taking control of ~/memcached.ini because we own the folder!
54:45 - Exploiting the cron that utilizes memcached.ini to get a root shell
55:55 - Exploring how the SSL Authentication is working
HackTheBox - FriendZone
https://www.youtube.com/watch?v=Zf8p49IzEEA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=6&t=0
00:45 - Begin of Recon
04:10 - Running SMBMap to identify and crawl file shares
05:00 - Downloading creds.txt from an smb share and checking FTP/SMB
06:50 - Checking the webpage and grabbing potential DNS Names for the box
10:40 - Using dig to perform a DNS Zone Transfer to obtain additional host names
12:00 - Adding all hostnames to /etc/hosts
12:55 - Running Aquatone to take screenshots of all the pages for quick examination
15:15 - Testing Uploads.Friendzone.red
16:30 - Testing admin.friendzone.red
17:00 - Testing administrator1.friendzone.red, logging in with creds found from SMB
18:35 - Found an LFI in the Dashboard.PHP script (PageName Variable)
20:15 - Using PHP Wrappers with the LFI To obtain PHP Script Source
23:00 - Revisiting recon to find ways to upload files, end up using SMBClient
25:10 - Gaining code execution through the LFI Exploit and SMB File Share
27:30 - Reverse Shell Returned
28:50 - Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user
31:20 - Running PSPY to identify cron jobs we don't have permission to see
33:15 - Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable
38:20 - Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi
40:45 - Placing a reverse shell in the Python OS library</p>
HackTheBox - Chaos
https://www.youtube.com/watch?v=no9UnySBQrU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=7&t=0
01:05 - Begin of recon
02:20 - Starting up GoBuster then editing /etc/hosts to add the hosts in nmap
03:20 - Going over the website
06:00 - Discovering a wordpress instance (/wp/ form goBuster)
09:50 - Finding webmail credentials from a wordpress Protected Post
10:30 - Discovering webmail.chaos.htb (Method 1)
12:50 - Testing IMAP, then configuring Evolution to login to the mail server (Method 2)
16:40 - Decrypting the message that was in the draft.
22:55 - Message decrypted, new page discovered
23:11 - Discovering a webpage for creating pdfs
24:10 - Searching for a code injection path for LaTex
24:45 - Discovering the blacklist is on "input"
25:30 - Testing for blind command execution via ping
27:43 - Reverse Shell Returned
28:10 - Enumerating the web directory to find passwords
29:11 - Switching to the "Ayush" user with mail password, discover we are in rBash
29:45 - Escaping rBash by via tar (Method 1: GTFOBins)
31:00 - Escaping rBash by editing path (Method 2)
32:55 - Discovering a mozilla user configuration directory, copying it off to export passwords
36:30 - Using firefox_decrypt to export root password
37:30 - Logging into webmin with credentials from firefox
37:50 - Privesc via switching to root user with known password (Method 1)
38:10 - Using webmin to execute commands as root (Method 2)</p>
HackTheBox - LightWeight
https://www.youtube.com/watch?v=yQgtDoCDAYk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=8&t=0
00:45 - Begin of recon, Nmap
01:30 - Taking the CentOS Apache Version to find major version
03:20 - Running GoBuster with a Common-PHP-Files wordlist.
06:00 - Enumerating Ldap with ldapsearch
07:30 - Discovery of Password Hashes within ldap information
10:55 - Attempting to crack the hashes. (does not crack)
12:30 - Back to the web page
13:15 - Page says to login with ip@Lightweight with the password of your ip
15:35 - Running LinEnum
20:15 - Discovery of Extended Capabilities set on tcpdump
20:50 - Performing a packet capture over SSH without touching disk
23:45 - Examining the pcap created, don't see anything on ens33
24:20 - Performing a packet capture through SSH and piping live results to WireShark
26:00 - Discovery of LDAP Traffic, ldapuser2 password passed in clear-text
28:15 - Using bash to exfil a file over the network (backup.7z)
29:25 - Using 7z2john and hashcat to crack a 7zip file
32:05 - Examining extracted files to discover a new credential (ldapuser1)
33:30 - The openssl binary in ldapuser1 has an empty capability (which is all)
35:00 - Using GTFOBins to see what we can do with openssl
37:11 - Reading /etc/shadow with openssl
37:35 - Adding an entry into /etc/sudoers to allow us to escalate to root</p>
HackTheBox - Redcross
https://www.youtube.com/watch?v=-GNyDEQ9UDU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=9&t=0
00:20 - Flow chart of potential paths through this box
02:25 - Begin of recon, SSL Enumeration, examining PHP Behavior
06:23 - Using GoBuster to dicover directories, pdf's, and php scripts
08:10 - Using wfuzz to discover subdomains (virtual host routing)
12:15 - Guessing credential, logging in with guest:guest disover SQL Injection
16:45 - Manually doing an error-based SQL Injection with extractquery()
31:50 - A good screenshot showing the SQL Inject Queries used, then cracking
35:00 - Doing the SQLInjection with SQLMap, needed the delay flag!
37:50 - Examining the account-signup.pdf to create a user
39:50 - Doing XSS (cross site scripting) to steal a cookie of the admin
43:15 - Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work
46:15 - Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail
48:38 - Playing with the Firewall portion of the site, discover command injection in deleting rules!
52:28 - Reverse shell as www-data
54:40 - Discover postgresql credentials in actions.php, this database lets you create users!
1:00:21 - Inserting a user into the database, then logging in with SSH
1:02:40 - Examining /etc to discover a different postgresql account-signup
1:04:50 - Adding a root user with the new credentials, then sudo to root!
1:06:29 - Discovering Haraka running
1:09:10 - Using Metasploit to exploit haraka, get shell as penelope
1:12:26 - Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account.
1:15:50 - Examining iptctl.c
1:19:56 - Using Pattern_Create to discover where the RSP (RIP) Overwrite occours.
1:21:15 - Start of python script
1:24:11 - Dumping PLT Functions to use with our rop chain (no aslr on binary)
1:28:00 - Getting pop gadgets with radare
1:29:40 - Building our ROP Chain
1:34:28 - Exploiting the binary! To get root.</p>
HackTheBox - Curling
https://www.youtube.com/watch?v=Paajc2Dupms&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=10&t=0
01:12 - Begin of Recon
01:55 - Running Cewl to generate a wordlist
02:50 - Finding secret.txt in the HTML Source, which happens to be the password
03:28 - Runninh JoomScan so we have something running in the background
04:20 - Checking the manifest to get the Joomla Version
06:20 - Explaining what equals mean in base64
07:50 - Begin of hunting for Joomla Username
08:30 - BruteForcing Joomla Login with WFUZZ
10:35 - Troubleshooting by sending wfuzz through burp
12:25 - Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command
17:10 - Success! Logged into Joomla
17:58 - Gaining code execution by modifying a template
20:20 - Getting a reverse shell
23:20 - Finding the file: password_backup which is encoded
23:55 - Extracting password_backup manually with xxd, zcat, bzcat, tar
25:43 - Extracting Password_Backup with CyberChef
27:35 - Logging in with Floris
28:17 - Looking at /home/floris/AdminArea
28:50 - Testing the input file by changing the url to us
29:30 - Getting LFI by using file:// within curl
30:38 - Pulling the cron, to see what is going on
31:25 - Cron shows curl -K to use curl with a config file, checking man page.
32:05 - Changing where curl saves to, in order to gain a root shell
33:45 - Showing another good file to read with the LFI (logs)
34:18 - Using pspy to show when processes start/end, which shows the curl command with no exploits</p>
HackTheBox - Frolic
https://www.youtube.com/watch?v=b6WGQSJu_zQ&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=11&t=0
01:16 - Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes
04:04 - Using nc/ncat to verify a port is open (-zv)
11:17 - Doing gobuster across man of the sub directories
13:03 - Examining /admin/ - Examine the HTML Source because login is not sending any data
14:09 - Discover some weird text encoding (Ook), how I went about decoding it
15:44 - Decoded to base64 with some spaces, clean up the base64 and are left with a zip file
19:19 - After cracking the zip, there is another text encoding challenge (BrainF*)
25:11 - With potential information, return to our long running recon for more information
28:49 - Discovering /playsms
32:00 - Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV
34:34 - Getting a reverse shell
39:00 - Running LinEnum.sh
40:00 - Finding the SetUID file: rop
42:00 - Exploiting ROP Program with ret2libc
45:30 - Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings
50:34 - Running our exploit to get root shell
54:00 - Begin of recovering rop.c source code
56:41 - Recreating rop.c then compiling
59:44 - Copying the physical disk to our local box via SSH and DD
01:01:44 - Using PhotoRec to restore files and finding rop.c</p>
HackTheBox - Sunday
https://www.youtube.com/watch?v=xUrq29OTSuM&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=12&t=0
00:48 - Begin of NMAP Discovery of Finger
03:36 - Enumerating Finger with Finger-User-Enum
05:00 - Nmap'ing all port quickly by lowering max-retries
08:40 - Adding an old Key Exchange Alogorithm to SSH
09:30 - Showing Hydra doesn't work, then using Patator
11:19 - Using find to count lines in all wordlist files
14:07 - Logged in with sunny:sunday
14:45 - Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat
16:46 - Just noticed this box is oooooold, try to privesc with sudo and ShellShock (Fail)
18:53 - Privesc by overwriting the /root/troll binary
23:30 - Using wget to exfil files quickly
24:50 - Viewing what wget --post-file looks like
25:50 - Creating a PHP Script to accept uploaded files
27:30 - Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded
29:10 - Starting a php webserver with php -S (ip):(port) -t .
31:10 - Replacing the root password by changing the shadow file
33:30 - Demoing a way to create directories and upload files!</p>
HackTheBox - Valentine
https://www.youtube.com/watch?v=XYXNvemgJUo&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=13&t=0
00:25 - Start of Recon, identifying end of life OS from nmap
03:20 - Running vulnerability scripts in nmap to discover heartbleed
04:16 - Going to the HTTP Page to see what it looks like
06:30 - Begin of Heartbleed - Grabbing Python Module
07:13 - Explaining Heartbleed -- XKCD ftw
10:15 - Explaining and running the exploit
13:40 - Exporting large chunks of memory by running in a loop
14:10 - Finding an encrypted SSH Key on the server
15:35 - Examining heartbleed output to discover SSH Key Password
17:45 - SSH as low priv user returned
21:55 - Finding a writable tmux socket to hijack session and find a root shell
23:50 - Alternative Privesc, DirtyC0w</p>
HackTheBox - Nibbles
https://www.youtube.com/watch?v=s_0GcRGv6Ds&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=14&t=0
00:18 - Start of Recon
01:15 - Finding hidden directory via Source
02:15 - Downloading NibbleBlog to help us with finding version information
03:59 - Identifying what vresion of NibblesBlog is running
04:42 - Using SearchSploit to find vulnerabilities
05:36 - Examining the Exploit
06:08 - Explanation of exploit
07:25 - Attempting to find valid usernames for NibblesBlog
09:13 - Finding usernames in /content/private
10:15 - Using Hydra to attempt to bruteforce
14:08 - Oh crap. Hydra not good idea we're blocked...
15:40 - Using SSH Proxies to hit nibbles from another box (Falafel)
18:20 - Guessing the password
20:10 - Logged in, lets attempt our exploit!
22:46 - Code Execution achieved. Lets get a reverse shell
24:53 - Reverse shell returned.
26:00 - Running sudo -l examine sudoer, then finding out why sudo took forever to return
26:50 - Privesc via bad sudo rules
32:10 - Alternative PrivEsc via RationalLove</p>
HackTheBox - Bashed
https://www.youtube.com/watch?v=2DqdPcbYcy8&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=15&t=0
HackTheBox - Sense
https://www.youtube.com/watch?v=d2nVDoVr0jE&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=16&t=0
01:20 - Star of Recon
03:40 - GoBuster
04:45 - Getting banned and Pivoting to verify
10:20 - Logging into PFSense
16:50 - Manually Exploiting PFsense
38:30 - Using Metasploit to exploit
42:00 - Creating a Bruteforce Script in Python ( CSRF )</p>
HackTheBox - Shocker
https://www.youtube.com/watch?v=IBlTdguhgfY&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=17&t=0
00:39 - Begin Nmap, OS Enum via SSH/HTTP Banner
05:00 - GoBuster
07:08 - Viewing CGI Script
08:50 - Begin NMAP Shellshock
09:50 - Debugging Nmap HTTP Scripts via Burp
11:10 - Fixing the HTTP Request &amp; nmap script
14:45 - Performing Shellshock &amp; more fixing
18:25 - Getting a reverse shell
21:19 - Running LinEnum.sh
23:00 - Rooting the box</p>
HackTheBox - Mirai
https://www.youtube.com/watch?v=SRmvRGUuuno&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=18&t=0
00:49 - Nmap
01:31 - Examining some odd behavior. Nmap different result than browser.
04:00 - Getting to /admin and testing for Zone Transfer
05:40 - Testing SSH Default Raspberry Pi Creds
06:11 - Escalate to root 'sudo su'
07:10 - Recovering the deleted root.txt
08:38 - GrepFu
10:40 - Downloading /dev/sdb via SSH
12:48 - Running Binwalk against it
13:18 - Trying to recover with TestDisk
14:37 - Trying to recover with PhotoRec</p>
HackTheBox - Blocky
https://www.youtube.com/watch?v=C2O-rilXA6I&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=19&t=0
01:15 - Begin Recon with Reconnoitre
03:15 - Examining findings from Reconnoitre
06:50 - Decompiling java Jar Files with JAD
08:18 - Using JD-GUI
10:33 - Running WPScan
12:10 - Manually enumerating wordpress users
12:43 - SSH To the box and PrivEsc
15:30 - Rabbit hole, gaining access through FTP
17:09 - Finding Wordpress DB Password
18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress
20:10 - Generating a PHP Password for Wordpress
21:50 - Gaining code execution with Wordpress Admin access
25:40 - Shell as www-data
26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester
30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)</p>
HackTheBox - Networked
https://www.youtube.com/watch?v=H3t3G70bakM&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=2&t=0
00:45 - Begin of recon
01:45 - Looking at the website, checking source, robots.txt, etc
02:30 - Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled
03:50 - Writing a simple PHP Code Execution script and trying to upload it
05:30 - Discovery of backup.tar, examining timestamps between downloading with wget/firefox
07:40 - Searching php scripts for superglobals as that will show user-input
11:10 - Explaining what magic bytes are
14:30 - Using PHP interactive mode to demonstrate what is happening
16:15 - Showing error codes are different based upon where image validation failed
17:30 - Uploading a malicious PHP Shell
18:40 - Navigating to our php shell and getting a reverse shell
21:40 - Reverse shell returned
23:40 - Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly
27:30 - Explaining the code execution vulnerability of creating a malicious file
28:30 - Creating the malicious file
31:57 - Shell returned as Guly, checking sudo list
33:09 - Examining the changename.sh script (guly can run it as root)
37:00 - Exploiting the script by inserting a command into a network configuration file
38:40 - Explaining why Apache executed PHP when files did not have the PHP Extension
39:08 - Checking php.conf to see it was user created
41:15 - Modifying php.conf to include "FilesMatch .php$", so it only executes php when the name ends in .php</p>
HackTheBox - Bank
https://www.youtube.com/watch?v=JRPWFSzFaG0&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=20&t=0
00:39 - Nmap Results
01:15 - DNS Enumeration
04:08 - HTTP VirtualHost Routing
05:28 - DirSearch (Web Enumeration)
08:50 - HTTP Redirect Vulnerability
13:23 - PW in Balance-Transfer
18:00 - File Upload, WebShell
21:48 - First Shell
30:10 - First Privesc Method (SUID)
31:38 - Second Privesc Method (passwd)</p>
HackTheBox - Beep
https://www.youtube.com/watch?v=XJmBpOd__N8&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=21&t=0
1:35 - Method 1: LFI + Password
16:03 - Method 2: Turning LFI into RCE
37:46 - Method 3: Code exec via call
54:00 - Method 4: Shellshock</p>
HackTheBox - Haystack
https://www.youtube.com/watch?v=oGO9MEIz_tI&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=3&t=0
00:54 - Begin of Recon find Elastic Search on 9200
02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip)
03:55 - Navigating to port 9200 and seeing the Elastic Search JSON Response
04:48 - Searching Elastic Search Documentation to see how to make queries
06:00 - Using /_cat/indices to see the "tables" withing ES
07:37 - Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data
13:20 - Lets switch over to Python to extract this data so we can translate this into English
17:00 - Installing googletrans, so our script can translate this. Using python3 cli to test this out
20:10 - Adding googletrans to our script
21:10 - Running our script to translate everything and then using grep to "find the needle"
22:50 - SSH'ing to the box with the security user
24:00 - Running LinEnum, noticing kibana listening on 5601
28:15 - Creating a Local Port forward so we can access kibana from out box
29:50 - Checking Kibana's version to see there are known exploits for it
30:50 - Getting a reverse shell as the Kibana user
36:00 - Using find to see what files the kibana user can write to
37:10 - Going into the Logstash directory to see that it will execute code with a specific log message
38:45 - Explaining the logstash pipeline of how it gets data
39:33 - Getting a reverse shell as the LogStash user (root)
42:00 - Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong</p>
HackTheBox - Safe
https://www.youtube.com/watch?v=CO_g3wtC7rk&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=4&t=0
00:40 - Begin of nmap
02:31 - Discovering MyApp in the HTML Source
03:30 - Examining MyApp on port 1337
05:30 - Opening myapp up in Ghidra
07:20 - Testing out the buffer overflow
08:40 - Using pattern search to see where we can overwrite RSP
10:15 - Create a PwnTool Skeleton and having it call main instead of crashing
12:30 - Testing calling main (error: need to do recvline to send text)
13:50 - Explaining hijacking the SYSTEM() call
17:11 - Finding a way to put user input into RDI
17:30 - Examining the Test Function which places RSP to RDI
19:50 - Finding a pop r13 as the Test Function jumps to r13
23:30 - Putting the gadget togather for code execution
27:00 - Setting pwntools to exploit the remote host
28:30 - Shell on the box
29:15 - Dropping SSH Key to get a normal shell and copying keepass files
31:40 - Using keepass2john to create hashes to crack
35:00 - Cracking keepass hashes with hashcat
37:50 - Using kpcli to export the root password
39:20 - Using the root password to su to the root user</p>
HackTheBox - Writeup
https://www.youtube.com/watch?v=GKq4cwBfH24&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=5&t=0
01:04 - Start of recon identifying a debian box based upon banners
02:30 - Taking a look at the website, has warnings about DOS type attacks.
03:17 - Discovering the /writeup/ directory in robots.txt
04:18 - Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple
05:15 - CMS Made Simple is an opensource product. Search through the source code to discover a way to identify version information.
07:30 - Using SearchSploit to find an exploit
09:05 - Running the exploit script with a bad URL and triggering the servers anti-DOS protection
10:10 - Running the exploit script with correct URL and analyze the HTTP Requests it makes via Wireshark to see how the SQL Injection works
16:20 - Explaining how password salts work
19:00 - Using Hashcat to crack a salted md5sum
21:15 - Demonstrating the --username flag in hashcat, this allows you to associate cracked passwords to users
24:14 - Begin of low-priv shell, running LinEnum to discover we are a member of staff
27:58 - Using google to see what the Staff group can do (edit /usr/local/bin)
28:40 - Explaining path injection
29:40 - Using PSPY to display all the processes that start on linux, useful for finding crons or short-running processes
31:58 - Running PSPY to see run-parts is called without an absolute path upon user login
33:13 - Performing the relative path injection by creating the file /usr/local/bin/run-parts which will drop our SSH Key</p>
HackTheBox - Swagshop
https://www.youtube.com/watch?v=qECG2_8xw_s&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=6&t=0
00:45 - Begin of recon
01:36 - Examining the web page to find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright
04:50 - Whoops should of done apt search magescan, either way this package is not in Kali
05:30 - Running MageScan to scan the website
08:20 - Finding an open configuration file (app/etc/local.xml)
10:30 - Running searchsploit to identify public exploits
12:10 - Examining an exploit that will add an administrative user via SQL Injection
15:15 - Running the exploit out of the box didn't work, send it through burp in order to debug it
16:45 - Exploit needed to be modified to include index.php due to mod-rewrite misconfig
19:25 - Going back to SearchSploit and using the Authenticated RCE Exploit
21:30 - Making the obvious changes to fix the exploit script
24:17 - Debugging the exploit by running it through burpsuite, find out we need to use an login page
29:00 - Bit more in-depth debugging by setting a breakpoint with pdb
30:30 - The regex is failing due to page not returning anything, the URL has a time span lets increase that
33:15 - Finally fixed this exploit! Reverse Shell Returned
35:30 - Noticing we can exec vim with sudo, lets privesc
37:10 - Mentioning GTFOBins which helps find privesc paths from privileged programs
38:15 - EXTRA: Examining the PHP Object Injection RCE Exploit</p>
HackTheBox - Help
https://www.youtube.com/watch?v=XB8CbhfOczU&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=7&t=0
00:49 - Begin of recon
01:45 - Running gobuster to find /support
02:50 - Searching for a way to find version of HelpdeskZ
03:35 - Reading over the File Upload exploit script to see it requires server time
05:10 - Uploading a PHP Reverse Shell Script
07:45 - Going back to GitHub to find where uploads are saved
09:10 - Begin of modifying the script to pull the server time out of HTTP Headers
10:30 - Figuring out the python to pull the "Date" HTTP Header
14:30 - Getting the Time Format right with STRFTIME.COM
19:40 - Testing out the exploit and getting a shell
23:20 - Discovery of an old kernel, looking for an exploit
24:30 - Copying the exploit, compiling, and privesc!
25:50 - Looking into port 3000
27:00 - /graphql discovered
27:42 - Dumping the schema to discover what data is inside
30:15 - Dumping username, password from the database
32:12 - Logging into HelpdeskZ
33:40 - Discovering the Boolean SQL Injection
34:50 - Running SQLMap
36:00 - Explaining the Injection
37:10 - Begin of creating a python script to exploit this</p>
HackTheBox - Irked
https://www.youtube.com/watch?v=OGFTM_qvtVI&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=8&t=0
31:35 . Sorry, was an extremely busy week and didn't get to verify everything was good.
00:39 - Begin on Recon
01:39 - Starting a full nmap scan
04:15 - Discovery of IRC
04:35 - Manually looking at IRC
06:00 - Looking at the IRC to understand how to connect to an IRC Server
07:00 - Pulling the IRC Version and discovering the exploit
08:50 - Going into the history of the IRC Backdoor
09:45 - Manually exploiting the IRC Server
13:10 - Shell returned on the server
14:30 - Discovery of .backup which gives a steg password
16:45 - Logging in with djmardov
21:20 - Discovery of SetUID enabled custom binary, viewuser
23:25 - Using ltrace to see what the binary does, executes the file /tmp/listusers
23:50 - Getting a root shell
25:50 - Testing exploiting the binary with "who", fails due to no setuid
27:50 - Looking at the binary within Ghidra</p>
HackTheBox - Teacher
https://www.youtube.com/watch?v=u2-te8n2WbY&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=9&t=0
00:40 - Begin of recon
02:00 - Poking around at the website to identify what techologies it utilizes
02:30 - Discovering something odd about images/5.png
03:25 - Downloading 5.png to discover it is a text file with a portion of a password
06:00 - Finding a place to login (/moodle), attempt to enumerate valid usernames
08:00 - Using wfuzz to bruteforce the password
11:20 - Looking for a way to enumerate Moodle Versions
13:20 - Searching for exploits for this version and finding "Bad Teacher"
14:40 - Start of manually exploiting this vulnerability
16:00 - Adding a "Calculated Question" which has the formula (vulnerable) parameter
20:16 - Finding artifacts of creating/testing the machine which spoils what we are supposed to do
24:21 - Fixing our forumla to allow for code execution
28:30 - Getting a reverse shell
30:00 - Looking around the MySQL Database to discover hashes of other users
31:52 - The account Giovannibak stands out due to the hash being just MD5
32:30 - Attempting the password (expelled) of the MD5 hash above to login to "Su" to Giovannibak
36:20 - Grabbing and compiling pspy to find a cronjob
38:30 - Running PSPY to discover /usr/bin/backup.sh
40:00 - Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)</p>
HackTheBox - HackBack
https://www.youtube.com/watch?v=B9nozi1PrhY&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=2&t=0
00:01:30 - Begin of Recon, discovery of an HTTP API that has a few commands
00:06:00 - Using JQ to parse json output, use NetStat/Proc to find GoPhish
00:15:00 - Logging into GoPhish with default creds admin:gophish, finding DNS Names
00:21:15 - Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section
00:33:20 - Using wfuzz to bruteforce the password for webadmin.php
00:37:10 - Finding Code Execution in WebAdmin.php
00:44:00 - Creating a Python Script to give a pseudo shell to cat, ls, and upload
01:10:45 - Script finished, uploading reGeorg to create a proxy onto the box to bypass FW
01:16:20 - Using WinRM to access low privilege shell as Simple User
01:25:08 - Exploring /Util/Scripts to find a way to privesc to Hacker
01:30:29 - Exploring GetSystem functionality of meterpreter
01:37:20 - Starting to create program to steal a token from NamedPipe Clients
01:41:00 - Creating XOR Encrypter for payloads in C (There is a bug used &amp; instead of %)
01:48:20 - Using MSFVenom to generate raw payload to XOR then generate in C Format
01:51:38 - Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics
02:03:45 - Found the issue, AND'd the payload instead of XOR'd in encrypt.c
02:08:30 - Creating the NamedPipe portion of code
02:28:30 - Creating the Pipe Impersonation part of the code
02:43:16 - Had some weird errors, adding the ability to enable token privileges
03:01:00 - Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File
03:06:10 - Meterpreter Session Loaded. Unfortunately it grab the impersonation token, more troubleshooting.
03:08:20 - Found the bug that caused us to not pass the token
03:09:45 - Re-Explaining all the code
03:14:57 - Meterpreter loaded, using incognito to grab our impersonation token for HACKER user
03:30:15 - Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed
03:35:50 - Start of looking at UserLogger Service, download it, un-UPX it
03:41:30 - Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)
03:49:40 - UserLogger lets us write binaries as SYSTEM with 777 permissions! Lets chain Diagnostic Hub Exploit
03:52:00 - Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp
04:18:05 - Changing from DEBUG mode to RELEASE mode for compiling. Which fixes it.
04:25:15 - Root.txt is hidden behind alternate data streams.
04:27:39 - ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF</p>
HackTheBox - Sizzle
https://www.youtube.com/watch?v=YVhlfUvsqYc&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=3&t=0
01:04 - Begin of Recon
06:45 - Checking the web interfaces
07:20 - Discovering there is a Certificate Authority
08:50 - Taking a look at LDAP
10:55 - Examining SMB to find shares
12:00 - Searching the Operations and Department Shares
14:50 - Viewing permissions of a SMB Share with SMBCACLS
19:10 - Discovering a writeable share, dropping a SCF File to get a hash
22:04 - Using Hashcat to crack NetNTLMv2
24:40 - Using SMBMap to identify if this user has access to anything extra
25:40 - Discovering the CertSRV Directory
28:00 - Discovering Powershell Remoting
30:00 - Error from WinRM (Need SSL)
31:00 - Using openSSL to generate a private key
31:52 - Going to /CertSRV to sign our certificate as Amanda
34:00 - Adding the SSL Authentication to WinrM
35:15 - Playing with LDAP Again (with the Amanda Creds)
37:50 - Shell on the box with WinRM as Amanda
38:15 - Running SharpHound
40:29 - Applocker is on the box, lets move it in the windows directory
42:00 - Trying to get the bloodhound data off the box.
44:20 - Starting bloodhound
45:27 - File didn't copy lets load up Covenant
49:30 - Covenant is up and running - Create a HTTP Listener
50:30 - Hosting a Launcher
52:30 - Getting a grunt
54:40 - Running SeatBelt
57:00 - Running SharpHound
01:01:18 - Running Bloodhound with all Collection Methods
01:05:15 - Discovering the MRLKY can DCSYNC
01:07:25 - Cannot kerberoast because of the Double Hop Problem, create token with MakeToken
01:12:30 - Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc
01:14:40 - Running WMIExec to get Administrator
01:22:00 - UNINTENDED Method 1: Amanda can write to Clean.bat
01:24:30 - UNINTENDED Method 2: Forensic artifacts leave MRKLY Hash in C:\windows\system32\file.txt</p>
HackTheBox - Bighead
https://www.youtube.com/watch?v=VBt-CmjMYiM&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=4&t=0
00:01:10 - Begin of Nmap
00:04:45 - Pulling important information from the website
00:06:00 - Discovering DNS Names, adding stuff to /etc/hosts
00:18:30 - Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp
00:23:50 - Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)
00:27:00 - Found BigHead Web Server on Github, pulling Zips and cracking
00:36:40 - Before reversing the binary, keep hunting for information about the OS
00:43:40 - Discovering PHPInfo within the PhpMyAdmin directory, has OS.
00:46:00 - Installing Immunity and Mona
00:47:30 - Grabbing MinGW so we can run the Bighead Webserver
00:55:40 - Crashing the webserver, seeing we have
01:00:00 - Sending a pattern to the box and examining the stack to see where our overwrites are
01:06:15 - Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)
01:10:06 - Explanation of EggHunters
01:16:05 - Grabbing the shellcode we want, then adding it to our exploit script
01:24:50 - Validating our exploit is working as we intended by setting a break point on JMP ESP
01:27:00 - Our box complains about DEP, lets disable that on our OS and hope its disabled on target
01:30:00 - Running the exploit against the target and getting a shell back!
01:35:00 - Searching the registry (HKLM) for "password"
01:37:00 - Dumping information about services on the box (HKLM\System\CurrentControlSet\Services)
01:38:15 - Discovery of NGINX password, then looking at ports listening on localhost
01:41:08 - Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel
01:45:10 - SSH into nginx@Bighead over port 2020, land in an extremely restricted shell
01:50:30 - Searching for vulnerable PHP Code, discovering testlink
02:02:55 - Exploiting an LFI Vulnerability
02:07:00 - Using Netcat to get a reverse shell
02:16:10 - Looking at the KeePass Configuration File to see where the KDBX and Key is
02:18:55 - A bunch of pain trying to get data off the Alternate Data Stream.
02:31:30 - Finally got the KDBX back to my box, then crack the KeePass file</p>
HackTheBox - Ethereal
https://www.youtube.com/watch?v=Bhh5yPHjwUY&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=5&t=0
00:50 - Begin of Recon, Downloading FTP and inspecting websites
10:23 - Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP
11:30 - Sending MD5Hashes to VirusTotal to get file age
15:45 - Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager.
21:00 - Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output.
25:45 - Using nslookup to exfil the results of commands executed.
33:15 - Creating Python Script to automate exploitaiton of this program. Using Scapy, BeutifulSoup, and Requests.
55:23 - Script working! Now to make the output a bit more pretty using tokens to sepereate spaces
01:02:00 - Running commands to get interesting information about the page
01:05:20 - Enumerating the Firewall via netsh
01:09:10 - Using OpenSSL to get a reverse shell on windows
01:17:25 - Reverse shell returned.
01:19:40 - Creating a malicious shortcut via powershell
01:22:40 - Using OpenSSL To transfer files
01:28:00 - Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier
01:32:30 - Creating and signing a malicious MSI with WiX.
01:48:15 - First attempt failed, creating a less complicated MSI File by just having it execute our shortcut
01:53:00 - Getting reverse shell as SYSTEM - Cannot read EFS Files
01:55:20 - Having our MSI not run as SYSTEM by changing impersonation in WiX
01:58:30 - Shell as Rupal returned.</p>
HackTheBox - Fighter
https://www.youtube.com/watch?v=CW4mI5BkP9E&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=6&t=0
00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb.
00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp
00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection
00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available"
00:14:25 - Testing Union Injections for easy exfil of data
00:15:50 - Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output.
00:19:30 - Some valuable recon/information in debugging our SQL queries. Noticing small things really helps.
00:34:40 - Start of making a program to give us a command shell.
01:09:40 - Explaining the program we just created. Then fix a small bug.
01:12:45 - Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not
01:17:10 - Return of 32-bit PowerShell... Identifying we can append data to c:\users\decoder\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran.
01:32:40 - Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 64-bit Shell as Decoder returned!
01:35:30 - Exploiting Capcom Driver to gain root shell, this post is super helpful: <a class="yt-uix-sessionlink" data-sessionlink="itct=CDoQ6TgYACITCIL5pKSqmOcCFcHK1QodC78DYUjR_5CDucSJtwk" data-target-new-window="True" data-url="/redirect?redir_token=O35kGE6gG98zlOWp5O0IogZvkTF8MTU3OTgyMTA4MUAxNTc5NzM0Njgx&amp;q=http%3A%2F%2Fwww.fuzzysecurity.com%2Ftutorials%2F28.html&amp;v=CW4mI5BkP9E&amp;event=video_description" href="/redirect?redir_token=O35kGE6gG98zlOWp5O0IogZvkTF8MTU3OTgyMTA4MUAxNTc5NzM0Njgx&amp;q=http%3A%2F%2Fwww.fuzzysecurity.com%2Ftutorials%2F28.html&amp;v=CW4mI5BkP9E&amp;event=video_description" rel="nofollow noopener" target="_blank">http://www.fuzzysecurity.com/tutorial...
01:42:18 - Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it.
01:47:25 - Looking at the binaries in Ida64 Free
01:51:14 - Explaining what's happening and then writing a script to bypass the password check.
01:55:35 - Start of unintended way (Juicy Potato)
01:58:10 - Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato
02:06:10 - Start of modifying JuicyPotato to accept uppercase arguments.
02:10:14 - Finding a vulnerable CLSID to get JuicyPotato working
02:28:25 - Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check.</p>
HackTheBox - Rabbit
https://www.youtube.com/watch?v=5nnJq_IWJog&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=7&t=0
01:40 - Begin of Recon (nmap, setting hostname, dns, nmap, ipv6)
05:45 - Checking websites (80,443,8080)
08:10 - Attempting to enumerate users of OWA-2010 (Fails)
14:10 - Checking out Joomla Version (/administrator/manifets/files/joomla.xml)
15:50 - Using SearchSploit with (Complain Management System)
19:38 - Register Account, Login, Verify/Play with SQL Union Injection
23:30 - Enumerating SQL Injection with SQLMap
29:18 - Going back to MSF/OWA_LOGIN and testing credentials.
32:15 - Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed
36:20 - Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw)
40:18 - Compiling Merlin (like MSF/Empire)
48:40 - Sending the email and waiting.
50:20 - Merlin call back, Switch to Powershell Nishang to get a interactive shell
54:30 - Running PowerUp to find we are an Administrator
56:56 - Running JAWS to do some more Windows Enumeration
01:03:04 - Found an odd scheduled task "System Maintenance"
01:06:03 - Attempting to write a php shell to HTTPD
01:12:30 - Frusterated creating a PHP Script... Switch to the SCHTask Privesc
01:18:20 - Uhh. Testing if echo is somehow breaking .bat/.php files
01:21:50 - Going back to test PHP to verify it just didn't like echo.
HackTheBox - Minion
https://www.youtube.com/watch?v=IbVmpr6IFQU&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=8&t=0
00:40 - Begin of Recon
04:00 - Start of GoBuster
05:40 - Finding a SSRF
09:00 - Passing arguments to cmd.aspx via SSRF
12:05 - Firewall Enumeration
16:35 - Begin of setting up ICMP Reverse Shell
22:25 - Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)
46:31 - Return of ICMP Rev Shell
52:20 - PrivEsc form IIS to Decoder
01:11:15 - Unzipping via Powershell
01:14:05 - Finding Administrator password hidden in NTFS File Stream
01:16:30 - Using Net Use to mount C: As Administrator
01:19:30 - Using IDA to analyze root.exe and grab the flag (Misses last character of hash)
01:24:15 - Using Invoke Command to execute root.exe as admin (Lots of Fail)
01:32:52 - Opening up the Firewall then just using RDP to gain access</p>
HackTheBox - Helpline
https://www.youtube.com/watch?v=Vs3oSDlzxwA&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=2&t=0
00:35 - Begin of Recon
01:42 - Checking the ManageEngine Page
02:23 - Running Searchsploit to see potential exploits
03:40 - Enumerating valid usernames via AjaxDomainServlet
05:40 - Logging in with guest:guest
07:10 - Running the privilege escalation script to get Administrator access
08:00 - Searching for information on this exploit
08:20 - Blog post missing... Searching Archive.org and Google Cache for a mirror
10:00 - Making curl go through burp to step through the exploit in BurpSuite
18:00 - Copying the admin cookies into FireFox
19:25 - Going to Admin then Custom Triggers to execute code on the server
21:50 - Getting a reverse shell via Nishang
22:30 - Using iconv to create UTF-16LE encoded Base64 for use with "-EncodedCommand" option
25:45 - Reverse Shell as System returned, but EFS Protects the flags
26:45 - Finding interesting files with get-childitem -recurse . | select FullName
28:50 - Copying mimikatz over to the box to steal NTLM Hashes
31:00 - Defender blocked us. Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true
32:50 - Using hashes.org to view password of Zachary, checking his groups to see he can view event logs
33:30 - Doing some powershell goodness to search event logs!
40:50 - Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nishang screws with how some commands output to stdout. This could of been a lot cleaner.
43:00 - Using Mimikatz to decrypt the EFS Protected file with Tolu's password
57:25 - Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace
01:00:20 - admin-pass is the output of SecureString, lets decrypt it to get the admin password
01:02:20 - Using Invoke-Command with the credential object created to execute commands as administrator
01:03:50 - Cannot read root.txt because of "Double Hop Problem" (how PowerShell Authenticates), using CredSSP Authentication to fix this.</p>
HackTheBox - Conceal
https://www.youtube.com/watch?v=1ae64CdwLHE&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=3&t=0
01:15 - Begin of recon
02:54 - Checking SNMP with snmpwalk
03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value
04:18 - Getting more SNMP Information with snmp-check
07:35 - Going over UDP Ports discovered by snmp-check
10:55 - Running ike-scan
11:55 - Examining ike-scan results to build a IPSEC Config
13:50 - Installing Strongswan (IPSEC/VPN Program)
14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets
15:30 - Begin configuring /etc/ipsec.conf
20:08 - Starting and debugging ipsec
21:55 - Explaining why we add TCP to strongswan config
24:00 - Starting IPSEC, then using NMAP through IPSEC.
25:55 - Enumerating SMB Quickly (SMBMap/cme)
26:50 - Enumerating FTP, discovering we can upload files
27:20 - Checking HTTP, hunting for our uploaded file. Then uploading files that may lead to code execution
29:44 - Grabbing an ASP Webshell from Github/tennc/webshell
32:08 - Webshell has been uploaded
32:30 - Explaining a weird MTU Issue you *may* run into due to the nested VPN's
35:40 - Back to playing with the web shell, getting a reverse shell with Nishang
38:03 - Explaining RLWRAP
38:40 - whoami /all shows SEImpersonation, so we run JuicyPotato to privesc
44:35 - JuicyPotato fails with the default CLSID, changing it up to get it working.
46:30 - Doing the box again with Windows
47:15 - Setting up the IPSEC Connection through Windows Firewall
50:00 - Installing a DotNet C2 (The Covenant)
54:20 - Covenant/Elite open, starting a Listener then a Powershell Launcher
01:00:10 - Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it
01:05:00 - Grabbing the Sandbox Escaper ALPC Privesc
01:08:03 - Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows
01:25:35 - Box is reverted, trying the ALPC Exploit again</p>
HackTheBox - Reel
https://www.youtube.com/watch?v=ob9SgtFm6_g&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=4&t=0
00:42 - Begin of Nmap
04:23 - Examining the anonymous FTP Directory and discovering email addresses in Meta Data
06:50 - Manually enumerating valid email addresses via SMTP
10:50 - Creating a "Canary Document" in Word to ping back to our server when a word document is opened
13:14 - Generating a malicious RTF Document (CVE-2017-0199)
26:28 - Shell Returned. Enumerating the AppLocker Policy
32:53 - Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH
35:22 - Lets forget we had Tom and run Bloodhound from Nico!
40:30 - First time opening BloodHound on this box.
49:45 - Lets update Bloodhound, looks like some data is missing and there were errors when running it
53:25 - Finding a path from Nico to BACKUP_ADMINS and explaining AD Security Objects (GenericWrite, WriteOwner,etc)
58:23 - Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound
01:01:40 - Adding Herman to the Backup_Admins group
01:04:30 - Finding the Administrator Password within backup scripts.
01:07:00 - Attempting to run Watson (ends up not working)
01:23:22 - Using Metasploit to do the box
01:25:42 - Since Watson failed, lets just look at last patch times on the box to get an idea whats vulnerable.
01:27:19 - Attempting to do the ALPC Exploit within Metasploit
01:31:00 - That failed - Lets just prove the box is vulnerable, by overwriting a DLL</p>
HackTheBox - DropZone
https://www.youtube.com/watch?v=QzP5nUEhZeg&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=5&t=0
01:00 - Start of Recon
02:15 - TFTP Enumeration - Identifying configuration and OS information
06:32 - Finding a path to code execution
07:17 - Examining PSExec Metasploit Module
08:55 - Using irb within metasploit to print a powershell payload
12:30 - Examining PsExec()
15:40 - Examining native_upload
18:10 - Examining mof_upload
20:34 - Using irb within metasploit to print the MOF File
22:35 - Quick explanation of MOF Files
25:05 - Modifying the MOF to run NetCat
27:30 - Uploading nc to the target
28:50 - Uploading the malicious MOF File and getting a shell!
29:50 - Using Streams to view Hidden text within ADS
33:08 - Start of Bonus Content, finging a TFTP Exploit that uses MOF
35:05 - Attempting to use distrinct_ftp_traversal against DropZone
36:30 - Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules
40:50 - Testing out pry.byebug
42:30 - Finding why the exploit module didn't work
44:50 - Module still doesn't work, TFTP Stopping mid transfer
49:30 - Whoops, changed the delay on the wrong timeout
51:00 - Meterpreter Shell returned, showing off the extended API and some WMI Commands.</p>
HackTheBox - Tally
https://www.youtube.com/watch?v=l-wzBhc9wFc&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=6&t=0
01:45 - Start of NMAP
04:17 - Begin of Sharepoint/GoBuster (Special Sharepoint List)
06:32 - Manually browsing to Sitecontent (Get FTP Creds)
10:18 - Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it.
18:22 - Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24 - Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell
34:35 - Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00 - Begin of RottenPotato without MSF (Decoder's Lonely Potato)
45:56 - Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato
58:00 - Lonely Potato Running to return a Admin Shell
01:04:22 - Finding CVE-2017-0213
01:08:33 - Installing Visual Studio 2015 &amp;&amp; Compiling the exploit
01:15:50 - Exploit Compiled, trying to get it to work....
01:18:11 - Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
01:28:37 - Found the issue, exploit seems to require interactive process
01:30:00 - Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user</p>
HackTheBox - Mantis
https://www.youtube.com/watch?v=VVZZgqIyD0Q&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=7&t=0
01:20 - Start of nmap
03:22 - Poking at a rabbit hole (8080)
08:08 - GoBuster to find hidden directory
09:50 - Finding SQL Creds in hidden directory
13:40 - Using dbeaver to enumerate database
16:50 - Impacket-PSExec to Admin
19:00 - Proving James is not an Admin
20:35 - Using MSF to Enable Remote Desktop to do Incident Response
27:00 - Start of Remote Desktop Looking at Event Log + Active Directory
31:00 - Installing Sysmon to get better logs
36:15 - Looking at Sysmon Logs
42:20 - Proving the PrivEsc was due to Impacket-PSExec not cleaning up
48:00 - Using Forensics to get Service Creation Date
53:30 - Finding a HTB User creating a Git Issue to Impacket (LOL)
55:10 - Intended Route - Forging a Kerberos Ticket MS14-068
HackTheBox - Bastard
https://www.youtube.com/watch?v=lP-E5vmZNC0&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=10&t=0
HackTheBox - Arkham
https://www.youtube.com/watch?v=krC5j1Ab44I&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=2&t=0
00:55 - Begin of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an openshare
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a luks encrypted file with dd and hashcat
14:00 - Luks cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the java object
18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, lets test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonCollections gadget
26:00 - Creating a python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ySoSerial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a powershell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using evolution to view mbox file and find Batman's password
52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - copying the DLL into c:\users\batman\appdata\local\microsoft\windowsapps
01:08:30 - Using GreatSCT to generate payloads
01:11:50 - Getting a Meterpreter Session then migrating into an interactive process
01:17:45 - Running SystemPropertiesAdvanced.exe, which elevates and executes our dll</p>
HackTheBox - Querier
https://www.youtube.com/watch?v=d7ACjty4m7U&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=3&t=0
00:50 - Begin of Reocn
03:30 - Using SMBMap to enumerate fileshares
05:45 - Discovering an Excel Macro File
09:25 - Using olevba to extract macro from the document to discover credentials
11:15 - Using MSSQLClient.py from Impacket to log into the SQL Server
12:15 - Doing the SQL CMD:XP_DIRTREE to read a file off a UNC Share to steal the hash with Responder
13:15 - Cracking the NetNTLMv2 Hash
14:11 - Explaining the Responder Database file to view previously captured hashes
16:30 - Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands
17:50 - Getting a Nishang Reverse Shell
22:00 - Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object
26:30 - Going back to the password disclosed via Group Policy and discovering they are an administrator
28:00 - Explaining how the PowerUp module decrypted a password out of Group Policy
29:10 - Getting VIM to highlight the syntax of Powershell
34:50 - Rooting the box with Invoke-ServiceAbuse</p>
HackTheBox - Giddy
https://www.youtube.com/watch?v=J2unwbMQvUo&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=4&t=0
01:00 - Begin of intro
02:17 - Examining port 80 and 443
03:15 - Using gobuster to discover directories
04:20 - /remote discovered, nothing to do here
05:25 - /mvc discovered
06:15 - SQL Injection everywhere
09:15 - Attempt to perform union injection on search
10:15 - Having trouble, send to SQLMap look at other places in the applicaiton
12:20 - SQLMap having trouble with search SQL, change to ITEM
16:50 - Attempting XP_CMDSHELL (Fails)
19:50 - Using XP_DIRTREE to read files off SMBShare
23:30 - Use Responder to steal the authentication attempt of XP_DIRTREE
25:00 - Cracking the NetNTLMv2 Hash
26:00 - Logging into /remote with cracked credentials
26:40 - Discovering unifi video is installed, this has a known privesc
29:30 - Attempting to use Meterpreter. (Fail: AV)
32:15 - Grabbing and compiling a DotNet Reverse Shell
35:15 - Actually compiling the reverse shell
38:58 - Using xcopy to copy our reverse shell to the victim
39:00 - Attempting to find Unifi Service name so we can restart it. End up searching registry due to permission issues.
42:10 - Restarting Unifi Service so it executes TaskKill.exe
44:25 - Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows
45:50 - Escaping powershell constrained mode with PSBypassCLM
HackTheBox - SecNotes
https://www.youtube.com/watch?v=PJXb2pK8K84&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=5&t=0
01:05 - Begin of recon
02:45 - Checking out the website
03:50 - Using wfuzz to enumerate usernames
05:45 - Logging in with an account we created
07:23 - Checking out Change Password and noticing it does this poorly
09:25 - Using the contact form, to see if tyler will follow links
14:14 - Changing Tyler's password by sending him to the ChangePassword Page
15:00 - Logged in and find SMB Share with credentials.
16:15 - Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver.
17:48 - Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution
19:15 - Downloading netcat for windows to use as a Reverse Shell
21:14 - Playing with Bash on Windows
22:35 - Finding the administrator password in ~/.bash_history
23:45 - Alternate way to find the .bash_history file
25:36 - Unintended way to bypass the CSRF. SQL Injection + bad Static Code analysis
HackTheBox - Silo
https://www.youtube.com/watch?v=2c7SzNo9uoA&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=6&t=0
01:30 - Begin of recon
03:15 - Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)
08:45 - Bruteforcing the SID with ODAT
10:15 - Holy crap, this is slow lets also do it with Metasploit
13:00 - Bruteforcing valid logins with ODAT
16:00 - Credentials returned, logging into Oracle with SQLPlus as SysDBA
19:00 - Reading files from disk via Oracle
23:20 - Writing files to disk from Oracle. Testing it in WebRoot Directory
25:52 - File Written, lets write an ASPX WebShell to the Server
29:10 - WebShell Working! Lets get a Reverse Shell
31:28 - Reverse Shell Returned
32:24 - Finding a DropBox link, but password doesn't display well.
33:55 - Attempting to copy file via SMB to view UTF8 Text
35:18 - That didn't work, lets transfer the file by encoding it in Base64.
36:55 - Got the password lets download the dump!
39:10 - Begin of Volatility
45:20 - Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!
47:35 - Begin of unintended way, examining odat and uploading an meterpreter exe
50:30 - Using odat externaltable to execute meterpreter and get a system shell!
52:20 - Examining odat verbosity flag to see what commands it runs and try to learn.</p>
HackTheBox - Bart
https://www.youtube.com/watch?v=Cz6vQvGGiuc&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=7&t=0
01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster
05:20 - Explanation of Virtual Host Routing
09:50 - Developers name exposed in HTML Source, also discover /monitor
11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und
16:33 - Discover of Internal-01.bart.htb
19:17 - Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)
29:34 - Finally got Hydra to return the password!
32:20 - Log Poisoning + LFI = Remote Code Execution
37:30 - Return of Reverse Shell
41:30 - Why you should check if you're a 32-bit process on a 64-bit machine
48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs
56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
01:03:40 - ARGH! Lets try to use this account via Empire
01:11:00 - Bring out the big guns, it's Metasploit Time!
01:18:10 - Alright, lets poke a hole in the firewall and connect over SMB!
01:21:17 - Failed to PSExec in MSF
01:21:40 - Found Impacket-PSExec! And it works!
01:23:45 - Lets go hunt for creds!
01:35:23 - Cracking Salted Hashes with Hashcat (Sha265.Salt)</p>
HackTheBox - Chatterbox
https://www.youtube.com/watch?v=_dRrvJNdP-s&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=8&t=0
01:18 - Begin of Recon
04:55 - Start of aChat buffer Overflow: Finding the exploit script with Searchsploit
07:24 - Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom
09:42 - Correction: Payload Size wrong, should be 3,xxx -- look at "Payload Size" I accidentally highlighted the size of the python file.
14:30 - Whoops, erased too much out of POC. Lets correctly replace the shellcode this time and get a shell.
17:50 - Running PowerUp to find AutoLogon Credentials
20:05 - Running Code as Administrator
24:18 - First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work.
27:30 - Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify
33:12 - Summary of the box
34:37 - Doing the box with Metasaploit, Warning: Lots of fails.
43:10 - Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445
51:25 - Doing the box with Empire !
58:20 - Using Empire's Run_As module to execute commands as Administrator</p>
HackTheBox - Jeeves
https://www.youtube.com/watch?v=EKGBskG8APc&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=9&t=0
01:19 - Begin of Enumeration
04:15 - Avoiding the Rabbit Hole on port 80 (IIS)
06:00 - Begin of Jenkins
09:00 - Using Jenkins Script Console (Groovy) to gain code execution
12:00 - Reverse TCP Shell via Nishang
17:00 - Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens)
22:20 - Powersploit's Invoke-AllChecks completes
24:20 - Finding Keepass Database using Impack-SMBServer to transfer files
27:00 - Cracking the KeePass Database
30:20 - Using KeePass2 to open database
34:25 - PassTheHash via pth-winexe to gain administrator shell
35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS)
39:00 - Using RottenPotato to escalate to root via MSF
41:00 - Using Unicorn to gain a reverse MSF SHell
45:20 - Performing the attack
48:00 - Impersonating Token to gain root
HackTheBox - Pivoting Update: Granny and Grandpa
https://www.youtube.com/watch?v=HQkDL-xh7es&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=10&t=0
HackTheBox - Granny and Grandpa
https://www.youtube.com/watch?v=ZfPVGJGkORQ&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=11&t=0
1:50 - Nmap Results (Discovery of WebDav)
4:35 - DavTest
6:22 - HTTP PUT Upload Files
7:00 - MSFVenom Generate aspx payload
13:00 - User Shell Returned
16:23 - Get Admin Shell (ms14-070)
17:14 - Beginning of Pivot Fail. Socks Proxy
29:35 - Shell on Grandpa (CVE-2017-7269)
32:45 - Using portfwd to access ports not exposed to routable interfaces
34:45 - Cracking LM Hash Explanation
38:30 - Cracking LM Hashes via Hashcat
41:30 - Grandpa acts cranky. Revert.
42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (<a href="#" onclick="yt.www.watch.player.seekTo(45*60+20);return false
45:50 - Using Hashcat to crack NTLM using LM Hashes
48:50 - Finally log into SMB using the portfwd from <a href="#" onclick="yt.www.watch.player.seekTo(32*60+45);return false
49:07 - Random pivot attempt failure.</p>
HackTheBox - Granny and Grandpa
https://www.youtube.com/watch?v=ZfPVGJGkORQ&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=12&t=0
1:50 - Nmap Results (Discovery of WebDav)
4:35 - DavTest
6:22 - HTTP PUT Upload Files
7:00 - MSFVenom Generate aspx payload
13:00 - User Shell Returned
16:23 - Get Admin Shell (ms14-070)
17:14 - Beginning of Pivot Fail. Socks Proxy
29:35 - Shell on Grandpa (CVE-2017-7269)
32:45 - Using portfwd to access ports not exposed to routable interfaces
34:45 - Cracking LM Hash Explanation
38:30 - Cracking LM Hashes via Hashcat
41:30 - Grandpa acts cranky. Revert.
42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (<a href="#" onclick="yt.www.watch.player.seekTo(45*60+20);return false
45:50 - Using Hashcat to crack NTLM using LM Hashes
48:50 - Finally log into SMB using the portfwd from <a href="#" onclick="yt.www.watch.player.seekTo(32*60+45);return false
49:07 - Random pivot attempt failure.</p>
HackTheBox - Devel
https://www.youtube.com/watch?v=2LNyAbroZUk&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=13&t=0
01:02 - Going over NMAP
02:00 - Anonymous FTP + File Upload
04:30 - MSFVenom
07:20 - Metasploit
10:00 - Exploit Suggestor
11:30 - Getting Root</p>
HackTheBox - Arctic
https://www.youtube.com/watch?v=e9lVyFH7-4o&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=14&t=0
00:00 - Intro
00:12 - Enumerate with nmap
00:40 - Going to the webpage
01:50 - Using SearchSploit to find ColdFusion Exploits
02:40 - Attempt to exploit through MSF. Debug why it failed.
03:50 - Setting up a Burp Redirect listener
04:55 - Examining request send by MSF Exploit
06:35 - Getting a reverse shell
07:50 - Using Unicorn to create a Powershell Meterpreter Loa
11:35 - Reverseshell returned
12:10 - Using the MSF post module local_exploit_suggestor
15:29 - Privesc via MS10-092</p>
HackTheBox - Bastion
https://www.youtube.com/watch?v=2j3FNp5pjQ4&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=2&t=0
01:33 - Begin of recon
02:30 - Using SMBClient to view open shares, discover /Backups
03:00 - Mount the SMB Share
03:40 - Playing with SMBMap which is a bit more automated but write files!
05:22 - Checking out files in the /Backups share
06:30 - Using 7zip to view files in a VHD file
07:50 - Installing libguestfs-tools in order to use guestmount
09:25 - Mounting the VHD with guestmount
11:00 - Extracting local passwords from SAM and SYSTEM with secretsdump
13:30 - Cracking the hash and then using SSH to login to the box
14:30 - Viewing local adminstrators and seeing administrators is not actually disabled (backup indicated it was)
16:30 - Running JAWS
19:30 - Discovering mRemoteNG installed
20:30 - Looks like there is a way to decrypt passwords stored in mRemoteNG
21:40 - Installing mRemoteNG-Decrypt then decrypting the passwords in the config
24:30 - Using PSEXEC or SSH to remote in as administrator</p>
HackTheBox - Netmon
https://www.youtube.com/watch?v=ZxvgniJXbOo&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=3&t=0
01:00 - Begin of Recon
03:50 - Searching for good files to view via FTP
09:00 - Nothing really found, searching for where PRTG creation file is
14:34 - Backup configuration found!
16:20 - Logging in by incrementing the password from 2018 to 2019
17:55 - Searching for CVE's
19:45 - Searching for where to send notification emails like CVE Said
20:30 - Testing for Command Injection via Cmd
22:20 - Testing for Command Injection via Powershell
23:00 - Getting a reverse shell
26:55 - Encoding powershell in Base64 to eliminate potential bad characters
29:10 - Getting a reverse shell</p>
HackTheBox - Access
https://www.youtube.com/watch?v=Rr6Oxrj2IjU&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=4&t=0
00:58 - Begin of recon: ftp, telnet, IIS 7.5
03:00 - Downloading all files off an FTP Server with WGET
05:30 - Examining the "Access Control.zip" file.
06:30 - Cracking a zip file with John
07:45 - Creating a wordlist for cracking the zip (strings of the mdb file)
10:00 - Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)
12:30 - Grabbing the same password we cracked by checking the auth_user table
13:35 - Converting the PST File (Outlook Email) to PlainText via readpst
15:00 - Logging into telnet with the credentials from the email
15:45 - Switching to a Nishang Shell to execute powershell
18:15 - Running JAWS (Just Another Windows Scanner)
23:34 - Discovering Stored Credentials on the box for ACCESS\Administrator
25:11 - Examining the Shortcut on PUBLIC\DESKTOP which shows us how the "Stored Credential" is used.
25:58 - Using powershell to view information of a Shortcut
27:25 - Using the Stored Credential via runas /savecred
30:31 - Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand
31:54 - Box done, Administrator returned.
54:20 )
32:38 - Begin of decrypting the Stored Credential, uploading Mimikatz
33:40 - Using powershell to download files
36:36 - Discovering that I was trying to save mimikatz to a directory i cannot write to :(
37:15 - Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)
38:50 - Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)
41:28 - Getting a Empire Agent running
43:35 - Empire Agent Returned, Injecting meterpreter shellcode.
45:46 - Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds
46:52 - Explaining Mimikatz Arguments when in "non-interactive" mode
54:20 - Grabbing needed files to decrypt DPAPI::CREDS offline
56:09 - Switing to Windows to run Mimikatz
01:02:32 - Decrypting the Creds stored in DPAPI</p>
HackTheBox - Active
https://www.youtube.com/watch?v=jUc1J31DNdw&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=5&t=0
01:10 - Begin of recon
03:00 - Poking at DNS - Nothing really important.
04:00 - Examining what NMAP Scripts are ran.
06:35 - Lets just try out smbclient to list shares available
07:25 - Using SMBMap to show the same thing, a great recon tool!
08:30 - Pillaging the Replication Share with SMBMap
09:20 - Discovering Groups.xml and then decrypting passwords from it
13:10 - Dumping Active Directory users from linux with Impacket GetADUsers
16:28 - Using SMBMap with our user credentials to look for more shares
18:25 - Switching to Windows to run BloodHound against the domain
26:00 - Analyzing BloodHound Output to discover Kerberostable user
27:25 - Performing Kerberoast attack from linux with Impacket GetUsersSPNs
29:00 - Cracking tgs 23 with Hashcat
30:00 - Getting root on the box via PSEXEC</p>
HackTheBox - Jerry
https://www.youtube.com/watch?v=PJeBIey8gc4&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=6&t=0
00:45 - Introduction, nmap
01:30 - Clicking around in Tomcat
02:20 - Playing around with HTTP Authentication
05:45 - Bruteforcing tomcat default creds with Hydra and seclists
08:20 - Sending hydra through a proxy to examine what is happening
12:50 - Logging into tomcat and using msfvenom + metasploit to upload a malicious war file
22:42 - Begin of doing this box without MSF
23:45 - Downloading a cmd jsp shell and making a malicious war file
26:25 - WebShell returned
28:00 - Begin of installing SilentTrinity
30:55 - SilentyTrinity Started, starting listener and generating a payload
33:00 - Pasting the payload into the webshell
34:00 - Debugging SSL Handshake errors
37:00 - Starting SilentTrinity back up, how to use modules
39:10 - Start of Execute-Assembly, compiling Watson
43:10 - Running Watson
43:30 - Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)
HackTheBox - Bounty
https://www.youtube.com/watch?v=7ur4om1K98Y&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=7&t=0
00:38 - Begin of recon
01:48 - Gobuster, using -x aspx to find aspx pages
03:16 - Playing with a file upload form, seeing what can be uploaded
05:15 - Using Burp Intruder to automate checking file extensions
07:00 - Finding a way to execute code from file upload in ASPX (web.config)
10:55 - Executing code via web.config file upload
13:08 - Installing Merlin to be our C2
15:25 - Compiling the Merlin Windows Agent
18:37 - Modifying web.config to upload and execute merlin
21:14 - Merlin Shell returned!
24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 - Getting Admin via Juicy Potato
29:44 - Box completed
30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn
33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters
36:45 - Metasploit Session Returned! Checking local_exploit_suggester
40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 - Getting Admin via MS10-092
42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host <a class="yt-uix-sessionlink" data-sessionlink="itct=CEEQ3NcEIhMI75HjrqqY5wIVkavVCh0ZZwun" data-url="/results?search_query=%23PivotProblems" href="/results?search_query=%23PivotProblems">#PivotProblems
47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed</p>
HackTheBox - Blue
https://www.youtube.com/watch?v=YRsfX6DW10E&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=8&t=0
00:38 - Start of Recon
01:20 - Finding NMAP Scripts (Probably a stupid way)
02:00 - Running Safe Scripts - Not -sC, which is default.
02:52 - Listing NMAP Script Categories (Prob a really stupid way)
03:18 - Really Cool Grep (Only show matching -oP)
04:40 - Nmap Safe Script Output
06:30 - Exploiting MS17-010 with MSF
07:40 - Setting up Dev Branch of Empire
09:07 - Starting a Listener
10:55 - Getting a PowerShell Oneliner to launch payload
12:16 - Invoke-Expression (IEX) to Execute Launcher
13:25 - Interacting with a single agent
13:40 - Using Modules - PowerUp Invoke-AllChecks
14:40 - Fixing weird issue with PS Module
16:15 - Invoke-AllChecks finished
17:15 - Loading PS Modules into Memory
17:40 - Executing funcitons out of above module
18:20 - Why I don't pass to MSF via InjectShellcode
22:45 - How I pass from Empire to MSF (Unicorn + IEX)
25:53 - Just running Powershell CMDs from Empire (Shell)</p>
HackTheBox - Optimum
https://www.youtube.com/watch?v=kWTnVBIpNsE&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=9&t=0
1:38 - Go to HTTPFileServer
2:56 - Explanation of Vulnerability
4:49 - Testing the Exploit
6:25 - Getting rev tcp shell with Nishang
11:54 - Shell returned
13:15 - Finding exploits with Sherlock
15:15 - Using Empire Module without Empire for Privesc
21:00 - Start of doing the box with Metasploit
22:36 - Reverse Shell Returned (x32)
24:45 - MSF Error during PrivEsc
25:35 - Reverse Shell Returned (x64)
26:19 - Same PrivEsc as earlier, different result
28:47 - Examining how Rejetto MSF Module works with Burp</p>
HackTheBox - CronOS
https://www.youtube.com/watch?v=CYeVUmOar3I&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=10&t=0
HackTheBox - Nineveh
https://www.youtube.com/watch?v=K9DKULxSBK4&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=11&t=0
00:00 - Intro
01:58 - Begin Recon (NMAP)
04:19 - GoBuster HTTP + HTTPS
06:35 - Accessing Pages
07:05 - Using Hydra against HTTP + HTTPS Web Forms
11:30 - Logging into HTTP and hunting for vulns
17:00 - Second Hydra attempt against HTTPS
17:57 - Logging into HTTPS (phpLiteAdmin)
20:17 - Chaining Exploits to get Code Execution
26:38 - Reverse Shell Returned
28:00 - LinEnum.sh Script Review
31:30 - Watching for new Processes
37:00 - Found the error in script :)
39:30 - Getting reverse root shell
41:51 - Intended Route to get User
46:12 - Reviewing Knockd configuration
49:33 - Doing the PortKnock</p>
HackTheBox - SolidState
https://www.youtube.com/watch?v=_QapCUx55Xk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=12&t=0
HackTheBox - Kotarak
https://www.youtube.com/watch?v=38e-sxPWiuY&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=13&t=0
01:38 - Start of nmap
03:40 - Accessing port 60000
06:20 - Manually enumerating ports on localhost via SSRF
07:00 - Using wfuzz to portscan localhost via SSRF
10:00 - Tomcat creds exposed &amp; Uploading tomcat reverse shell
13:40 - Return of shell
14:20 - Extracting NTDS + SYSTEM Hive
20:20 - Using HashKiller to crack the hashes
21:30 - Escalating to Atanas &amp; Identifying wget vulnerability
27:10 - Starting exploit
33:22 - Exploit failed, light debugging
35:40 - Issue found, not listening all interfaces
39:35 - Root shell returned.
40:10 - Unintentional Root Method (Edited Footage, IP Change)</p>
HackTheBox - Tartarsauce
https://www.youtube.com/watch?v=9MeBiP637ZA&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=14&t=0
01:10 - Begin of recon
03:00 - Discovery of Wordpress and fixing broken links with burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra, (Rabbit Hole)
13:05 - Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming monstra was read-only
18:50 - Running LinEnum.sh to see www-data can run tar via sudo
20:30 - Use GTFOBins to find a way to execute code with Tar
22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
24:10 - Examining backuperer script
26:00 - Hunting for vulnerabilities in Backuperer
32:15 - Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false
34:20 - Begin of exploiting the backuperer service by exploiting intregrity check
36:40 - Creating our 32-bit setuid binary
39:16 - Replacing backup tar, with our malicious one. (File Owner of Shell is wrong)
40:54 - Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root
42:30 - Exploiting the Backuperer Service via SetUID!
45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service</p>
HackTheBox - Blue
https://www.youtube.com/watch?v=YRsfX6DW10E&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=15&t=0
00:38 - Start of Recon
01:20 - Finding NMAP Scripts (Probably a stupid way)
02:00 - Running Safe Scripts - Not -sC, which is default.
02:52 - Listing NMAP Script Categories (Prob a really stupid way)
03:18 - Really Cool Grep (Only show matching -oP)
04:40 - Nmap Safe Script Output
06:30 - Exploiting MS17-010 with MSF
07:40 - Setting up Dev Branch of Empire
09:07 - Starting a Listener
10:55 - Getting a PowerShell Oneliner to launch payload
12:16 - Invoke-Expression (IEX) to Execute Launcher
13:25 - Interacting with a single agent
13:40 - Using Modules - PowerUp Invoke-AllChecks
14:40 - Fixing weird issue with PS Module
16:15 - Invoke-AllChecks finished
17:15 - Loading PS Modules into Memory
17:40 - Executing funcitons out of above module
18:20 - Why I don't pass to MSF via InjectShellcode
22:45 - How I pass from Empire to MSF (Unicorn + IEX)
25:53 - Just running Powershell CMDs from Empire (Shell)</p>
HackTheBox - Devel
https://www.youtube.com/watch?v=2LNyAbroZUk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=16&t=0
01:02 - Going over NMAP
02:00 - Anonymous FTP + File Upload
04:30 - MSFVenom
07:20 - Metasploit
10:00 - Exploit Suggestor
11:30 - Getting Root</p>
HackTheBox - Optimum
https://www.youtube.com/watch?v=kWTnVBIpNsE&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=17&t=0
1:38 - Go to HTTPFileServer
2:56 - Explanation of Vulnerability
4:49 - Testing the Exploit
6:25 - Getting rev tcp shell with Nishang
11:54 - Shell returned
13:15 - Finding exploits with Sherlock
15:15 - Using Empire Module without Empire for Privesc
21:00 - Start of doing the box with Metasploit
22:36 - Reverse Shell Returned (x32)
24:45 - MSF Error during PrivEsc
25:35 - Reverse Shell Returned (x64)
26:19 - Same PrivEsc as earlier, different result
28:47 - Examining how Rejetto MSF Module works with Burp</p>
HackTheBox - Bastard
https://www.youtube.com/watch?v=lP-E5vmZNC0&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=18&t=0
HackTheBox - Silo
https://www.youtube.com/watch?v=2c7SzNo9uoA&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=19&t=0
01:30 - Begin of recon
03:15 - Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)
08:45 - Bruteforcing the SID with ODAT
10:15 - Holy crap, this is slow lets also do it with Metasploit
13:00 - Bruteforcing valid logins with ODAT
16:00 - Credentials returned, logging into Oracle with SQLPlus as SysDBA
19:00 - Reading files from disk via Oracle
23:20 - Writing files to disk from Oracle. Testing it in WebRoot Directory
25:52 - File Written, lets write an ASPX WebShell to the Server
29:10 - WebShell Working! Lets get a Reverse Shell
31:28 - Reverse Shell Returned
32:24 - Finding a DropBox link, but password doesn't display well.
33:55 - Attempting to copy file via SMB to view UTF8 Text
35:18 - That didn't work, lets transfer the file by encoding it in Base64.
36:55 - Got the password lets download the dump!
39:10 - Begin of Volatility
45:20 - Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!
47:35 - Begin of unintended way, examining odat and uploading an meterpreter exe
50:30 - Using odat externaltable to execute meterpreter and get a system shell!
52:20 - Examining odat verbosity flag to see what commands it runs and try to learn.</p>
HackTheBox - Bashed
https://www.youtube.com/watch?v=2DqdPcbYcy8&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=2&t=0
HackTheBox - Bounty
https://www.youtube.com/watch?v=7ur4om1K98Y&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=20&t=0
00:38 - Begin of recon
01:48 - Gobuster, using -x aspx to find aspx pages
03:16 - Playing with a file upload form, seeing what can be uploaded
05:15 - Using Burp Intruder to automate checking file extensions
07:00 - Finding a way to execute code from file upload in ASPX (web.config)
10:55 - Executing code via web.config file upload
13:08 - Installing Merlin to be our C2
15:25 - Compiling the Merlin Windows Agent
18:37 - Modifying web.config to upload and execute merlin
21:14 - Merlin Shell returned!
24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 - Getting Admin via Juicy Potato
29:44 - Box completed
30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn
33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters
36:45 - Metasploit Session Returned! Checking local_exploit_suggester
40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 - Getting Admin via MS10-092
42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host <a class="yt-uix-sessionlink" data-sessionlink="itct=CFoQ3NcEIhMIzKzctaqY5wIVisgVCh2CrQn_" data-url="/results?search_query=%23PivotProblems" href="/results?search_query=%23PivotProblems">#PivotProblems
47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed</p>
HackTheBox - Jerry
https://www.youtube.com/watch?v=PJeBIey8gc4&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=21&t=0
00:45 - Introduction, nmap
01:30 - Clicking around in Tomcat
02:20 - Playing around with HTTP Authentication
05:45 - Bruteforcing tomcat default creds with Hydra and seclists
08:20 - Sending hydra through a proxy to examine what is happening
12:50 - Logging into tomcat and using msfvenom + metasploit to upload a malicious war file
22:42 - Begin of doing this box without MSF
23:45 - Downloading a cmd jsp shell and making a malicious war file
26:25 - WebShell returned
28:00 - Begin of installing SilentTrinity
30:55 - SilentyTrinity Started, starting listener and generating a payload
33:00 - Pasting the payload into the webshell
34:00 - Debugging SSL Handshake errors
37:00 - Starting SilentTrinity back up, how to use modules
39:10 - Start of Execute-Assembly, compiling Watson
43:10 - Running Watson
43:30 - Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)
HackTheBox - Jeeves
https://www.youtube.com/watch?v=EKGBskG8APc&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=22&t=0
01:19 - Begin of Enumeration
04:15 - Avoiding the Rabbit Hole on port 80 (IIS)
06:00 - Begin of Jenkins
09:00 - Using Jenkins Script Console (Groovy) to gain code execution
12:00 - Reverse TCP Shell via Nishang
17:00 - Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens)
22:20 - Powersploit's Invoke-AllChecks completes
24:20 - Finding Keepass Database using Impack-SMBServer to transfer files
27:00 - Cracking the KeePass Database
30:20 - Using KeePass2 to open database
34:25 - PassTheHash via pth-winexe to gain administrator shell
35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS)
39:00 - Using RottenPotato to escalate to root via MSF
41:00 - Using Unicorn to gain a reverse MSF SHell
45:20 - Performing the attack
48:00 - Impersonating Token to gain root
HackTheBox - Bart
https://www.youtube.com/watch?v=Cz6vQvGGiuc&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=23&t=0
01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster
05:20 - Explanation of Virtual Host Routing
09:50 - Developers name exposed in HTML Source, also discover /monitor
11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und
16:33 - Discover of Internal-01.bart.htb
19:17 - Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)
29:34 - Finally got Hydra to return the password!
32:20 - Log Poisoning + LFI = Remote Code Execution
37:30 - Return of Reverse Shell
41:30 - Why you should check if you're a 32-bit process on a 64-bit machine
48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs
56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
01:03:40 - ARGH! Lets try to use this account via Empire
01:11:00 - Bring out the big guns, it's Metasploit Time!
01:18:10 - Alright, lets poke a hole in the firewall and connect over SMB!
01:21:17 - Failed to PSExec in MSF
01:21:40 - Found Impacket-PSExec! And it works!
01:23:45 - Lets go hunt for creds!
01:35:23 - Cracking Salted Hashes with Hashcat (Sha265.Salt)</p>
HackTheBox - Tally
https://www.youtube.com/watch?v=l-wzBhc9wFc&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=24&t=0
01:45 - Start of NMAP
04:17 - Begin of Sharepoint/GoBuster (Special Sharepoint List)
06:32 - Manually browsing to Sitecontent (Get FTP Creds)
10:18 - Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it.
18:22 - Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24 - Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell
34:35 - Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00 - Begin of RottenPotato without MSF (Decoder's Lonely Potato)
45:56 - Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato
58:00 - Lonely Potato Running to return a Admin Shell
01:04:22 - Finding CVE-2017-0213
01:08:33 - Installing Visual Studio 2015 &amp;&amp; Compiling the exploit
01:15:50 - Exploit Compiled, trying to get it to work....
01:18:11 - Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
01:28:37 - Found the issue, exploit seems to require interactive process
01:30:00 - Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user</p>
HackTheBox - Active
https://www.youtube.com/watch?v=jUc1J31DNdw&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=25&t=0
01:10 - Begin of recon
03:00 - Poking at DNS - Nothing really important.
04:00 - Examining what NMAP Scripts are ran.
06:35 - Lets just try out smbclient to list shares available
07:25 - Using SMBMap to show the same thing, a great recon tool!
08:30 - Pillaging the Replication Share with SMBMap
09:20 - Discovering Groups.xml and then decrypting passwords from it
13:10 - Dumping Active Directory users from linux with Impacket GetADUsers
16:28 - Using SMBMap with our user credentials to look for more shares
18:25 - Switching to Windows to run BloodHound against the domain
26:00 - Analyzing BloodHound Output to discover Kerberostable user
27:25 - Performing Kerberoast attack from linux with Impacket GetUsersSPNs
29:00 - Cracking tgs 23 with Hashcat
30:00 - Getting root on the box via PSEXEC</p>
HackTheBox - Jail
https://www.youtube.com/watch?v=80-73OYcrrk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=26&t=0
00:52 - Recon - NMAP
04:05 - Recon - Getting Linux Distro
04:35 - Recon - GoBuster
05:40 - Analyzing Jail.c source
09:45 - Begin Binary Exploitation
15:10 - Verify Buffer Overflow
17:35 - Create Exploit Skeleton
20:50 - Finding EIP Overwrite
23:02 - Adding Reverse TCP Shellcode
30:15 - Switching to "Socket Re-Use" Shellcode
32:20 - Shell Returned
34:00 - NFSv3 Privesc Begin
40:15 - Begin incorrectly playing with SetUID
43:10 - SELinux Escape
45:25 - Using SELinux Escape to copy SSH Key
48:55 - Logging in as Frank
50:00 - Privesc to adm (sudo rvim)
51:44 - Begin of finding a way to root
55:58 - Begin cracking rar file
57:18 - Using Hashcat to generate custom wordlist
HackTheBox - Falafel
https://www.youtube.com/watch?v=CUbWpteTfio&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=27&t=0
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python</p>
HackTheBox - DevOops
https://www.youtube.com/watch?v=tQ34Ntkr7H4&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=28&t=0
00:54 - Start of Recon
03:10 - Start of GoBuster
04:00 - Looking at /upload, testing with a normal XML File
06:15 - Valid XML File created, begin of looking for XML Entity Injection XXE
08:20 - XXE Returns a a local file off the server
09:30 - Grabbing the source code to the webserver to find newpost function.
11:35 - Discovery of vulnerability due to user data being passed to pickle
12:44 - Creating the script to exploit pickle
16:38 - Reverse shell returns!
19:55 - Poking around at Source Code
20:15 - Discover of an SSH Key within deployment stuff.
21:15 - Trying SSH Key for other users on the box to see if it is valid
22:57 - Hunting for git filers, the boxes name is "Gitter" and we have an SSH Key that goes nowhere.
23:00 - Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!
23:45 - Examining Git Log to see the SSH Key has changed!
25:20 - SSH'ing with the old key, to see it's root's key.
25:58 - The webserver could read Roosa's SSH Key. Could bypass the entire pickle portion
26:20 - Start of "Extra Practice"
27:40 - Creating a Python Script to automate the LFI With XXE
35:50 - Script completed, lets improve it to try to download an exposed git repo</p>
HackTheBox - Hawk
https://www.youtube.com/watch?v=UGd9JE1ZXUI&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=29&t=0
01:00 - Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver
03:50 - Checking FTP Server for hidden files
04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher
08:20 - Creating a bunch of files varying in length to narrow likely ciphers down.
14:35 - Encrypting all of the above files and checking their file sizes
22:45 - Decrypting file, obtaining a password
24:25 - Begin looking at Drupal, running Droopescan
25:12 - Manually examining Drupal, finding a way to enumerate usernames
25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames
28:15 - Logging into Drupal with Admin.
29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code
32:30 - Reverse Shell Returned
33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root
37:00 - Hunting for passwords in Drupal Configuration
39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed)
40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel
44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address
50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
51:45 - Logging into H2 by using a non-existent database, then testing code execution
52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
59:50 - Reverted box, cleaning up environment then getting reverse shell
01:02:45 - Discovering could have logged into the database with Drupal Database Creds.</p>
HackTheBox - Nibbles
https://www.youtube.com/watch?v=s_0GcRGv6Ds&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=3&t=0
00:18 - Start of Recon
01:15 - Finding hidden directory via Source
02:15 - Downloading NibbleBlog to help us with finding version information
03:59 - Identifying what vresion of NibblesBlog is running
04:42 - Using SearchSploit to find vulnerabilities
05:36 - Examining the Exploit
06:08 - Explanation of exploit
07:25 - Attempting to find valid usernames for NibblesBlog
09:13 - Finding usernames in /content/private
10:15 - Using Hydra to attempt to bruteforce
14:08 - Oh crap. Hydra not good idea we're blocked...
15:40 - Using SSH Proxies to hit nibbles from another box (Falafel)
18:20 - Guessing the password
20:10 - Logged in, lets attempt our exploit!
22:46 - Code Execution achieved. Lets get a reverse shell
24:53 - Reverse shell returned.
26:00 - Running sudo -l examine sudoer, then finding out why sudo took forever to return
26:50 - Privesc via bad sudo rules
32:10 - Alternative PrivEsc via RationalLove</p>
HackTheBox - Conceal
https://www.youtube.com/watch?v=1ae64CdwLHE&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=30&t=0
01:15 - Begin of recon
02:54 - Checking SNMP with snmpwalk
03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value
04:18 - Getting more SNMP Information with snmp-check
07:35 - Going over UDP Ports discovered by snmp-check
10:55 - Running ike-scan
11:55 - Examining ike-scan results to build a IPSEC Config
13:50 - Installing Strongswan (IPSEC/VPN Program)
14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets
15:30 - Begin configuring /etc/ipsec.conf
20:08 - Starting and debugging ipsec
21:55 - Explaining why we add TCP to strongswan config
24:00 - Starting IPSEC, then using NMAP through IPSEC.
25:55 - Enumerating SMB Quickly (SMBMap/cme)
26:50 - Enumerating FTP, discovering we can upload files
27:20 - Checking HTTP, hunting for our uploaded file. Then uploading files that may lead to code execution
29:44 - Grabbing an ASP Webshell from Github/tennc/webshell
32:08 - Webshell has been uploaded
32:30 - Explaining a weird MTU Issue you *may* run into due to the nested VPN's
35:40 - Back to playing with the web shell, getting a reverse shell with Nishang
38:03 - Explaining RLWRAP
38:40 - whoami /all shows SEImpersonation, so we run JuicyPotato to privesc
44:35 - JuicyPotato fails with the default CLSID, changing it up to get it working.
46:30 - Doing the box again with Windows
47:15 - Setting up the IPSEC Connection through Windows Firewall
50:00 - Installing a DotNet C2 (The Covenant)
54:20 - Covenant/Elite open, starting a Listener then a Powershell Launcher
01:00:10 - Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it
01:05:00 - Grabbing the Sandbox Escaper ALPC Privesc
01:08:03 - Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows
01:25:35 - Box is reverted, trying the ALPC Exploit again</p>
HackTheBox - Irked
https://www.youtube.com/watch?v=OGFTM_qvtVI&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=31&t=0
31:35 . Sorry, was an extremely busy week and didn't get to verify everything was good.
00:39 - Begin on Recon
01:39 - Starting a full nmap scan
04:15 - Discovery of IRC
04:35 - Manually looking at IRC
06:00 - Looking at the IRC to understand how to connect to an IRC Server
07:00 - Pulling the IRC Version and discovering the exploit
08:50 - Going into the history of the IRC Backdoor
09:45 - Manually exploiting the IRC Server
13:10 - Shell returned on the server
14:30 - Discovery of .backup which gives a steg password
16:45 - Logging in with djmardov
21:20 - Discovery of SetUID enabled custom binary, viewuser
23:25 - Using ltrace to see what the binary does, executes the file /tmp/listusers
23:50 - Getting a root shell
25:50 - Testing exploiting the binary with "who", fails due to no setuid
27:50 - Looking at the binary within Ghidra</p>
HackTheBox - Netmon
https://www.youtube.com/watch?v=ZxvgniJXbOo&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=32&t=0
01:00 - Begin of Recon
03:50 - Searching for good files to view via FTP
09:00 - Nothing really found, searching for where PRTG creation file is
14:34 - Backup configuration found!
16:20 - Logging in by incrementing the password from 2018 to 2019
17:55 - Searching for CVE's
19:45 - Searching for where to send notification emails like CVE Said
20:30 - Testing for Command Injection via Cmd
22:20 - Testing for Command Injection via Powershell
23:00 - Getting a reverse shell
26:55 - Encoding powershell in Base64 to eliminate potential bad characters
29:10 - Getting a reverse shell</p>
HackTheBox - FriendZone
https://www.youtube.com/watch?v=Zf8p49IzEEA&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=33&t=0
00:45 - Begin of Recon
04:10 - Running SMBMap to identify and crawl file shares
05:00 - Downloading creds.txt from an smb share and checking FTP/SMB
06:50 - Checking the webpage and grabbing potential DNS Names for the box
10:40 - Using dig to perform a DNS Zone Transfer to obtain additional host names
12:00 - Adding all hostnames to /etc/hosts
12:55 - Running Aquatone to take screenshots of all the pages for