Skip to content

Instantly share code, notes, and snippets.

@sminez
Last active January 5, 2024 05:51
Show Gist options
  • Save sminez/571bd7bafb1b88630b85c85a0cd66e3a to your computer and use it in GitHub Desktop.
Save sminez/571bd7bafb1b88630b85c85a0cd66e3a to your computer and use it in GitHub Desktop.
Find examples of pen testing methods and tools in videos by Ippsec (as of 22nd January 2020)
#!/usr/bin/env python3
"""
Script used to pull down the current video descriptions from ippsec's youtube channel.
The raw output still has a few HTML tags that need to be manually removed and there
also seem to be multiple duplicates of videos that have been removed in the output
saved as ippsec-details.txt
"""
import re
import sys
import requests
from bs4 import BeautifulSoup
def find_playlist_links(url):
resp = requests.get(url)
if not resp.ok:
print("Unable to fetch playlist links for {url}", file=sys.stderr)
return []
matches = re.findall(r'href="\/playlist\?list=(?P<id>.{34})"', resp.text)
return [f"https://youtube.com/playlist?list={i}" for i in matches]
def find_video_links(playlist_url):
resp = requests.get(playlist_url)
if not resp.ok:
print(f"Unable to fetch video links for {playlist_url}", file=sys.stderr)
return []
matches = re.findall(
r'href="\/watch\?v=(.*)\&amp;list=(.*)\&amp;index=(.*)\&amp;t=(.*)s"', resp.text
)
matches = sorted(list(set(matches)), key=lambda comps: comps[2])
return [
f"https://www.youtube.com/watch?v={vid}&list={lst}&index={ix}&t={t}"
for (vid, lst, ix, t) in matches
]
def extract_details(video_url):
resp = requests.get(video_url)
if not resp.ok:
print(f"Unable to fetch video description for {video_url}", file=sys.stderr)
return []
soup = BeautifulSoup(resp.text, "lxml")
raw = soup.find(id="eow-description")
lines = str(raw).split("<br/>")
desc = []
for line in lines:
try:
cleaned = line.split(';">')[1].split("</a>")
desc.append("{} {}".format(*cleaned))
except IndexError:
pass
title = soup.find(id="eow-title").attrs["title"]
desc = "\n".join(desc)
return title, desc
if __name__ == "__main__":
url = "https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/playlists?view=1&sort=dd&shelf_id=0"
for p_link in find_playlist_links(url):
for v_link in find_video_links(p_link):
title, desc = extract_details(v_link)
if title.startswith("HackTheBox"):
print(f"{title}\n{v_link}\n\n{desc}\n\n")
#!/usr/bin/env python3
"""
Grep through the descriptions downloaded from youtube to find timestamps
for techniques and tool tutorials.
"""
import os
import argparse
from collections import defaultdict
DIR = os.path.dirname(os.path.realpath(__file__))
FNAME = os.path.join(DIR, "ippsec-details.txt")
HTB = "HackTheBox"
def grep(pattern, case_insensitive, show_urls):
if case_insensitive:
pattern = pattern.lower()
lines = open(FNAME).readlines()
results = defaultdict(list)
for i, line in enumerate(lines):
_line = line.lower() if case_insensitive else line
if pattern in _line:
k = i - 1
while True:
current = lines[k]
if current.startswith(HTB):
video = current.strip()
url = lines[k + 1].strip()
break
k -= 1
results[f"{video}/{url}"].append(line.strip())
for key, lines in results.items():
video, url = key.split("/", 1)
print(video)
if show_urls:
print(url)
for line in lines:
print(" ", line)
print("")
if __name__ == "__main__":
parser = argparse.ArgumentParser("ippcheck")
parser.add_argument("-i", "--case-insensitive", action="store_true")
parser.add_argument("-u", "--show-urls", action="store_true")
parser.add_argument("pattern", nargs="+")
args = parser.parse_args()
grep(" ".join(args.pattern), args.case_insensitive, args.show_urls)
HackTheBox - Popcorn
https://www.youtube.com/watch?v=NMGsnPSm8iw&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=2&t=0
00:25 - TMUX and Connecting to HTB
02:00 - Virtual Host Routing Explanation
02:40 - File Enumeration (Dirb)
03:59 - Discover of Web App
05:45 - Starting SQLMap in the Background
09:30 - Uploading a PHP Shell
14:01 - Python PTY Reverse Shell (Tab Autocomplete!)
19:25 - MOTD Root (Method 1)
23:50 - Dirtyc0w Root (Method 2)
HackTheBox - Blocky
https://www.youtube.com/watch?v=C2O-rilXA6I&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=3&t=0
01:15 - Begin Recon with Reconnoitre
03:15 - Examining findings from Reconnoitre
06:50 - Decompiling java Jar Files with JAD
08:18 - Using JD-GUI
10:33 - Running WPScan
12:10 - Manually enumerating wordpress users
12:43 - SSH To the box and PrivEsc
15:30 - Rabbit hole, gaining access through FTP
17:09 - Finding Wordpress DB Password
18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress
20:10 - Generating a PHP Password for Wordpress
21:50 - Gaining code execution with Wordpress Admin access
25:40 - Shell as www-data
26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester
30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)</p>
HackTheBox - Vault
https://www.youtube.com/watch?v=LfbwlPxToBc&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=4&t=0
01:08 - Begin of Recon
03:08 - Begin of GoBustering
07:15 - Discovery of an image upload script
08:39 - Attempting to bypass the upload filter
12:46 - Reverse Shell to ubuntu Returned. Examining Web Source
15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost
19:27 - Resume of poking around the host, discover passwords and other hosts in /home
23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo)
24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop.
27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN
28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web.
32:55 - Machine reverted, getting back to where I started.
34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box.
36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports.
38:58 - Exploring the DNS Server box.
39:26 - Finding a password in /home/dave/ssh
40:15 - Discovering Vault's IP Address in /etc/hosts
41:20 - Perfoming a NMAP on the vault box, discover two ports closed
41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987
43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6
49:47 - How to set the source port with SSH via ncat
50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03
51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu
54:45 - The file has been copied, using gpg to decrypt the file.
55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC
57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine.
57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key
58:00 - Editing grub to get a root shell without a password
58:56 - Changing the password to root, then rebooting again
59:30 - Logging in with the new password.</p>
HackTheBox - Celestial
https://www.youtube.com/watch?v=aS6z4NgRysU&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=5&t=0
00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell</p>
HackTheBox - Falafel
https://www.youtube.com/watch?v=CUbWpteTfio&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=6&t=0
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python</p>
HackTheBox - Arkham
https://www.youtube.com/watch?v=krC5j1Ab44I&list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0&index=7&t=0
00:55 - Begin of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an openshare
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a luks encrypted file with dd and hashcat
14:00 - Luks cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the java object
18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, lets test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonCollections gadget
26:00 - Creating a python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ySoSerial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a powershell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using evolution to view mbox file and find Batman's password
52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - copying the DLL into c:\users\batman\appdata\local\microsoft\windowsapps
01:08:30 - Using GreatSCT to generate payloads
01:11:50 - Getting a Meterpreter Session then migrating into an interactive process
01:17:45 - Running SystemPropertiesAdvanced.exe, which elevates and executes our dll</p>
HackTheBox - Fulcrum
https://www.youtube.com/watch?v=46RJxJ-Fm0Y&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=10&t=0
02:08 - Begin of Recon
14:00 - XXE Detection on Fulcrum API
17:40 - XXE Get Files
23:40 - XXE File Retrieval Working
24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation
39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution
47:28 - Shell Returned + Go Over LinEnum
56:49 - Finding WebUser's Password and using WinRM to pivot
01:06:00 - Getting Shell via WinRM, finding LDAP Credentials
01:14:00 - Using PowerView to Enumerate AD Users
01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW)
01:35:35 - Getting shell over TCP/53 on FILE
01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare
01:58:10 - Troubleshooting the error correctly and getting Domain Admin!
02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)
02:09:54 - Root Exploit Found
02:12:25 - Mounting the VMDK Files and accessing AD.</p>
HackTheBox - Ariekei
https://www.youtube.com/watch?v=Pc4tzsn-ats&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=11&t=0
00:23 - Explaining VM Layout
01:47 - Nmap Start
05:20 - Poking at Virtual Host Routing (Beehive &amp; Calvin)
10:25 - Fixing GoBuster to find /cgi-bin/
11:48 - Enumerating WAF (Web Application Firewall), to see how it detects Shellshock
15:08 - Using VirtualHostRouting to navigate to Calvin.htb.htb
18:15 - Using ImageTragick to exploit Calvin
25:30 - Calvin Reverse shell returned
31:35 - Poking at /common, which allows pivot to Bastion Host
34:20 - SSH into the Bastion Host
38:45 - Explain SSH Local and Remote Port Forwarding
46:00 - Beehive Reverse Shell Returned
50:00 - Finding the root password via /common/containers/bastion-live/Dockerfile
54:50 - PrivEsc via Docker (much like the LXC shown in Calamity)
57:05 - Getting root access to filesystem
58:10 - Failing to get root shell via Crontab
01:06:20 - Yeah screw crontab, lets just create an ssh key.</p>
HackTheBox - Jail
https://www.youtube.com/watch?v=80-73OYcrrk&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=12&t=0
00:52 - Recon - NMAP
04:05 - Recon - Getting Linux Distro
04:35 - Recon - GoBuster
05:40 - Analyzing Jail.c source
09:45 - Begin Binary Exploitation
15:10 - Verify Buffer Overflow
17:35 - Create Exploit Skeleton
20:50 - Finding EIP Overwrite
23:02 - Adding Reverse TCP Shellcode
30:15 - Switching to "Socket Re-Use" Shellcode
32:20 - Shell Returned
34:00 - NFSv3 Privesc Begin
40:15 - Begin incorrectly playing with SetUID
43:10 - SELinux Escape
45:25 - Using SELinux Escape to copy SSH Key
48:55 - Logging in as Frank
50:00 - Privesc to adm (sudo rvim)
51:44 - Begin of finding a way to root
55:58 - Begin cracking rar file
57:18 - Using Hashcat to generate custom wordlist
HackTheBox - Brainfuck
https://www.youtube.com/watch?v=o5x1yg3JnYI&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=13&t=0
0:20 - Recon
3:40 - Start of WP Hacking
10:30 - Logged into WP
15:00 - Login to SuperSecretForum
25:00 - Cracking the SSH Key
27:15 - Begin of getting root.txt (RSA Cracking)
HackTheBox - Smasher2
https://www.youtube.com/watch?v=ELiicja60jI&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=2&t=0
00:58 - Begin of Recon
02:30 - Using Wireshark to see why Nmap said HTTP 403
06:15 - Running GoBuster to identify /backup
07:05 - Performing a DNZ Zone Transfer with dig axfr
08:50 - Manually playing with the login form to hunt for SQL Injection
10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra
16:42 - Examining /auth endpoint
18:10 - Examining ses.so in Ghidra
20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code
30:00 - Examining get_internal_usr and pwd to discover the bug
33:20 - Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier
36:50 - First time attaching the debugger - Seg faults for some reason.
38:30 - Attaching the debugger again, this time it works. Explaining important registers
39:00 - Stepping through the code trying to make sense of registers. This part may not make sense.
51:50 - Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works
54:25 - Getting command execution
55:50 - Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters
56:50 - Configuring burp to have a hotkey to "Issue Repeater Request" so we don't have to click send
57:18 - Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}
1:01:00 - Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key
1:05:05 - Running LinPEAS to identify paths to privesc
1:09:10 - Downloading the custom Linux Kernel Module: DHID then examine in Ghidra
1:12:00 - Looking at Snowscans blog to test the dev_read function
1:14:15 - Looking at the dev_mmap call
1:15:20 - Looking at MWR LAbs paper on insecure MMAP use in kernel modules
1:16:30 - Explaining what we are going to do - Rewrite credentials in memory
1:19:20 - Going over the first MMAP Call to map memory
1:21:05 - Setting a SSH CONFIG to make it easier to ssh and SCP into Smasher2
1:26:00 - Searching for a credential structure in memory
1:31:20 - Running GetUID to see if the cred structure we modified is ours, if not set it back
1:34:00 - Setting capabilities and running bash upon getting root
1:36:10 - Showing what would of happened if we did not revert credentials back to original.</p>
HackTheBox - Kryptos
https://www.youtube.com/watch?v=4uCoI5YzOwk&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=3&t=0
00:45 - Begin of Recon
02:50 - Examining login request while GoBuster runs
05:35 - Noticing weird behavior by modifying db parameter in login request
07:30 - Finding what the Error numbers mean. (SQL Error Codes)
08:50 - Testing if we can trick the application into authentication against us
09:50 - Starting up metasploit to steal the login hash of a MYSQL Login
12:30 - Cracking the MySQL Hash with Hashcat
16:45 - Creating a databse locally for the application to authenticate to
23:00 - Examining what MySQL Does after authentication in Wireshark
24:30 - Creating the database structure so the application will authenticate against our database
27:00 - Begin of the File Encryptor PHP App
27:30 - Performing a Known Plaintext attack against the RC4 Encryption
28:50 - Explaining the Known Plaintext
37:00 - Creating a Python Script to perform a SSRF attack and decrypt content
54:25 - Script done, discovering a LFI Exploit in /dev/
57:30 - Using PHP Filters to convert LFI to source code disclosure
59:50 - Extracting sqlite_test_page.php source code
01:01:00 - Manually analyzing the source code to discover a way to write files
01:03:00 - Checking PayloadAllTheThings to get a payload for dropping files
01:15:38 - Testing dropping a php script for code execution
01:18:00 - Using Chankro to bypass PHP Disabled functions
01:20:45 - Creating a PHP Script to download Chankro Script to avoid bad characters in the RCE
01:24:50 - Reverse shell returned, finding a VIMCrypted file in Rijndael Home
01:25:35 - Decrypting Creds.txt with a known plaintext attack in VimCrypt 02 (Blowfish)
01:28:20 - Downloading the files to our local box and explaining the attack
01:30:30 - Copying our Python Script from earlier and modify it to work with our VIM File
01:38:20 - Decrypted the creds and use them to SSH
01:39:10 - Analyzing the kryptos.py file
01:41:00 - Testing how random the random is
01:46:00 - Creating a python script to bruteforce the key as we know the randomness is broken
01:57:00 - Script to brute force signing key done
01:58:45 - Getting code execution within the eval statement
02:04:30 - Extra content, showing by using the encrypt method twice early on — you can decrypt pages</p>
HackTheBox - Fortune
https://www.youtube.com/watch?v=_BLd046r-co&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=4&t=0
01:04 - Begin of recon
04:41 - Exploring the web page on port 80
06:02 - Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection
11:06 - Creating a hotkey in Burpsuite to send requests in repeater pane
11:50 - Start of creating a python program to automate this
17:30 - Script finished
18:30 - Exploring /var/appsrv
21:15 - Exploring authpf
22:30 - Hunting for the signing key for the CA to view HTTPS
24:40 - Copying the certificates to our box
26:00 - Creating and signing a Client Certificate
28:50 - Importing the certificate into FireFox
30:49 - Discovering the reason our certificate isn't working (time of server is behind)
31:50 - Accessing the HTTPS Website to get a SSH key for NFSUSER
33:40 - Discovering additional ports are open after using SSH with NFSUSER
34:45 - Installing the NFS-COMMON package to get the showmount binary
35:10 - Mounting a NFS Share with Version 2
36:00 - Editing our User ID on our box to gain access to the NFS Directories
37:00 - Reading mail to discover that the root password is set to the Postgres databases root pw
37:30 - Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)
40:20 - SSH into the box as Charlie and dumping the database
43:40 - Exploring the source code to the web application
47:00 - Copying the crypto python script to our box, which will let us decrypt it
47:40 - Copying the secrets into the crypto python script and decrypting the password</p>
HackTheBox - CTF
https://www.youtube.com/watch?v=51JQg202csw&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=5&t=0
00:52 - Start of Recon, discovering CentOS Version via HTTPD Version
02:15 - Checking out the HTTP Page
03:32 - Checking out login.php
05:15 - Identifying a Secure Token is used, most likely STOKEN
07:05 - Failing to enumerate usernames through BruteForce
09:45 - Fuzzing the login form with special characters to identify a blacklist
11:45 - Trying Double URL Encoding to bypass the BlackList
12:55 - Explaining Double URL Encoding
14:45 - Discovering this is most likely a LDAP Injection
16:50 - Explaining how a LDAP Query Works
19:15 - Identifying the LDAP Query Structure with a Null Byte
20:40 - Injecting the WildCard (*) to enumerate usernames
24:00 - Using Wfuzz to extract the username
26:00 - Enumerating LDAP Attributes that are utilized
30:26 - Creating a python script to extract the Pager Attribute
41:38 - Script complete, lets extract the token
43:45 - Using STOKEN to generate the OTP and logging in
46:00 - Disabling NTP so we can math the server time
46:44 - Discovery of that second half of the original LDAP Query at 16 minutes.
47:33 - Using a Null Byte to remove the GROUP Check.
50:33 - Running Commands
50:25 - Reverse Shell Returned
53:17 - Checking for the LDAP Bind password, then SSHing into the box
55:00 - Going over the /backup directory
58:20 - Using ListFiles to have 7za print our the contents of root.txt</p>
HackTheBox - Reddish
https://www.youtube.com/watch?v=Yp4oxoQIBAM&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=6&t=0
00:55 - Begin of Recon (Port Scans)
04:09 - Reverse Image Searching an favicon to get application used
08:20 - NODE-RED: Reverse Shell Returned
15:30 - NODE-RED: Running IP and Port Scans to identify lateral movement targets
24:29 - Downloading Chisel (Go Program for Tunnels).
25:00 - Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!
27:00 - PowerPoint: Explaining Reverse Pivot Tunnel using Chisel
31:25 - WWW: Tunnel online, examining the website
34:23 - Full Port Scan to 172.19.0.2, discover REDIS
36:30 - Searching for ways to execute code against REDIS
38:07 - Using REDIS to create a PHP Shell
41:06 - PowerPoint: Explaining Local Pivot Tunnel using Chisel
44:30 - WWW: Reverse Shell Returned
45:45 - Notice wildcard used with RSYNC, go search GTFOBins
51:32 - Abusing the wildcard within RSYNC
57:23 - WWW: Got Root, but no flag... Lets go look at RSYNC again.
01:00:15 - Explaining how to tunnel from Backup - WWW - NODE-RED - Kali
01:17:50 - Getting reverse shell on BACKUP via uploading CronJob through rsync
01:20:30 - BACKUP: Reverse Shell Returned... No root.txt here either!?
01:26:30 - BACKUP: Noticing this is has /dev/sda*, where other dockers do not
01:28:15 - BACKUP: Dropping a cronjob on root disk to get shell on the host
01:30:45 - ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel</p>
HackTheBox - Mischief
https://www.youtube.com/watch?v=GKo6xoB1g4Q&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=7&t=0
01:20 - Begin of NMAP
02:30 - Extra nmaps, SNMP and AllPorts
04:00 - Playing with OneSixtyOne (SNMP BruteForce)
07:00 - Looking at SNMPWalk Output
08:40 - Installing SNMP Mibs so SMPWalk is readable
10:05 - Accessing the box over Link Local IPv6 Address
14:00 - Looking at Por 3366 (Website), getting PW from SNMP Info
17:50 - Getting IPv6 Routable Address via SNMP
19:20 - NMAP the IPv6 Address
21:00 - Accessing the page over IPv6
23:00 - Getting output from the command execution page
24:55 - Viewing Credentials Files and accessing the box via SSH
29:00 - Examining why loki cannot use /bin/su (getfacl)
31:00 - Getting a shell as www-data
40:30 - Extra content, reading files via ICMP</p>
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
https://www.youtube.com/watch?v=TVhtjiSedjU&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=8&t=0
01:10 - End of intro, Start of nmap
02:47 - Playing with Second-Order Union Injection
05:44 - Dumping all users
07:15 - Converting SFTP Exploit from 64bit to 32bit
13:27 - Reversing SLS Binary
15:19 - Kernel Exploit
22:31 - First Method - Executing ELF Binaries from memory (Reflective loading elf)
35:57 - Second Method - Crashing a program to create a write-able file.</p>
HackTheBox - Nightmare
https://www.youtube.com/watch?v=frh-jYaUvrU&list=PLidcsTyj9JXLI9mAR4MPiL19hq5lpaYNd&index=9&t=0
01:50 - Start of Recon
04:58 - /documents and /secret rabbit hole enumeration
08:13 - Using wfuzz on the /secret rabbit hole to find argument for download.php
13:40 - Begin of Web Application Enumeration, some XSS Found
18:23 - Throwing bad characters in username and finding Second-Order SQL Injection.
23:50 - Begin of Union Injection to dump the database via second order sql injection
39:36 - Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH
43:54 - Enumerating SFTP (Using SSHFS to Dump a File Listing)
53:00 - Converting 64-Bit SFTP Exploit to 32-Bit
01:11:46 - Reverse Shell Returned, some stuff and finding Set-GID Binary
01:22:55 - Reversing SLS binary with Radare2 (r2)
01:47:53 - Exploiting SLS Binary with new line character (Get to Decoder User)
01:51:47 - Begin of Kernel Exploitation (CVE-2017-1000112)
01:56:00 - Kernel Exploit Compiled (silly mistake before)
01:59:52 - Creating a new lsb-release file so exploit can identify kernel
02:07:03 - Recap of Box
02:09:56 - Creating a Tamper Script to do Second-Order SQL Injection
HackTheBox - CrimeStoppers
https://www.youtube.com/watch?v=bgKth1K44QA&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=10&t=0
01:18 - Begin of Recon: Getting ubuntu version
04:00 - Navigating to the CrimeStoppers Page
05:15 - First Hint - Read The Source!
05:50 - 2nd Hint - No SQL Databases and playing with the upload form
07:55 - 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt
09:00 - Explanation of PHP App and why I went down testing $op parameter
10:45 - Testing $op parameter, another hint what year is it?
12:20 - Finding out $op appends .php
13:05 - Using php b64 filter to view php files ("Read the source luke")
22:50 - Looking into PHP Wrappers to try to gain code execution
24:50 - Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server
26:20 - Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload.
30:30 - Easy way to copy binary data into BurpSuite (Base64)
34:10 - Getting a shell
37:18 - Downloading ThunderBird Directory and reading email + getting dom's password
46:20 - Begin of looking into Apache Rootkit (mod_rootme)
48:04 - Begin of using r2 (Radare) to analyze rootkit, basic intro
50:55 - Analyzing DarkArmy Function
55:30 - Grabbing the strings and using python to XOR them to get secret that allows root
58:35 - Get Root
59:10 - Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary
01:04:20 - Second way to get root, looking around at file modification times to find FunSociety in logs</p>
HackTheBox - Kotarak
https://www.youtube.com/watch?v=38e-sxPWiuY&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=11&t=0
01:38 - Start of nmap
03:40 - Accessing port 60000
06:20 - Manually enumerating ports on localhost via SSRF
07:00 - Using wfuzz to portscan localhost via SSRF
10:00 - Tomcat creds exposed &amp; Uploading tomcat reverse shell
13:40 - Return of shell
14:20 - Extracting NTDS + SYSTEM Hive
20:20 - Using HashKiller to crack the hashes
21:30 - Escalating to Atanas &amp; Identifying wget vulnerability
27:10 - Starting exploit
33:22 - Exploit failed, light debugging
35:40 - Issue found, not listening all interfaces
39:35 - Root shell returned.
40:10 - Unintentional Root Method (Edited Footage, IP Change)</p>
HackTheBox - Shrek
https://www.youtube.com/watch?v=tI592BjTd4o&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=12&t=0
01:00 - Nmap
02:23 - Examining the Web Page
04:08 - GoBuster
04:53 - Finding /uploads/ Directory
05:50 - Finding /secret_area_51/ Directory
06:20 - Using Audacity to find Steg in Audio
08:50 - FTP With Creds revealed from Steg
10:06 - Examining files downloaded from FTP
12:43 - Finding decryption key + blob
14:33 - Using Python seccure to decrypt ecc
16:05 - SSH Into Shrek as SEC
16:35 - Farquad Rabbit Hole
17:42 - Incident Response : Finding files modified between two times
20:47 - What is /usr/src/thoughts.txt?
21:45 - Privesc through cron running: chown *</p>
HackTheBox - Calamity
https://www.youtube.com/watch?v=EloOaaGg3nA&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=13&t=0
01:28 - Begin of recon
02:20 - GoBuster
03:30 - admin.php discovered, finding the pw
04:50 - Getting Code Execution
07:45 - Finding out why Reverse Shells weren't working
09:45 - Getting a reverse shell by renaming nc
11:30 - Transfering files via nc
14:00 - Opening the wav file
16:25 - Using audiodiff to identify differences in sound
17:05 - The next step, why is the same song there twice?
19:25 - Importing files into Audacity and Inverting
22:25 - Attempting to exploit the process blacklist
24:25 - Unintended root LXC Background
28:30 - Creating an Alpine LXC
30:40 - Importing the image into lxc
32:00 - Creating the container
32:40 - Adding the host drive to container
34:20 - Starting the container and entering it
35:05 - Examining the Process Blacklist script
35:54 - Running through the exploit again on a Ubuntu Host</p>
HackTheBox - Holiday
https://www.youtube.com/watch?v=FvHyt7KrsPE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=14&t=0
00:46 - NMAP Scan and Review
01:53 - GoBuster and identify User Agent based Routing
04:09 - SQLMap the Login
08:00 - Login to the page
08:55 - Begin of XSS
11:15 - Bypass first XSS Filter
14:45 - Encoded JS Payload - Getting XSS to call back to us
16:56 - Using Python to encode JS which will call back to us.
24:25 - Executing the paylaod
25:06 - Stage 2 XSS Attack - XMLHttpRequest
31:30 - Troubleshooting, No code works the first time.
36:00 - Stage 2 Fixed.
40:57 - Initial access to /admin
42:00 - Finding Command Injection
43:40 - Explanation of IP "Encoding"
48:40 - Rev Shell obtained
49:30 - How I found out about the IP Encode Trick
51:40 - Begin of PrivEsc
HackTheBox - Charon
https://www.youtube.com/watch?v=_csbKuOlmdE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=15&t=0
1:30 - Rabbit Hole - Searching for SuperCMS
6:23 - Running enumeration in the background (GoBuster)
7:40 - Rabbit Hole - SQLMap Blog SinglePost.php
12:04 - Finding PHP Files in /cmsdata/ (GoBuster)
12:53 - Manual Identification of SQL Injection
15:50 - SQL Injection Explanation
17:20 - Rabbit Hole - Starting SQLMap in the Background
18:10 - SQL Union Injection Explanation
19:30 - Identifying "Bad/Filtered Words" in SQL Injection
21:02 - SQL Union Finding number of items returned
21:48 - Returning data from Union Injection
22:48 - SQL Concat Explanation
23:55 - Enumerating SQL Databases Explanation (Information_Schema)
25:46 - Returning Database, Table, Columns from Information_Schema
29:30 - Scripting to dump all columns
36:45 - Listing of columns in SuperCMS
37:15 - Dumping User Credentials
41:36 - Logging in and exploiting SuperCMS
47:00 - Return of reverse shell
48:40 - Transfering small files from shell to my machine
50:56 - Using RsaCtfTool to decrypt contents with weak public key
52:52 - Breaking weak RSA manually
1:01:20 - Begin PrivEsc to Root
1:02:40 - Transering large files with NC
1:03:50 - Analyzing SuperShell with BinaryNinja (Paid)
1:06:04 - Analyzing SuperShell with Radare2 (Free)
1:08:22 - Exploiting SuperShell
1:12:46 - Encore. Getting a Root Shell with SetUID Binary</p>
HackTheBox - Joker
https://www.youtube.com/watch?v=5wyvpJa9LdU&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=16&t=0
00:27 - Port Enumeration
02:54 - UDP Port Review
03:40 - TFTP Enumeration
06:30 - Cracking Squid PW
08:00 - FoxyProxy Setup
09:45 - Burp Setup
14:45 - Running Commands
21:20 - Reverse Shell
22:30 - PrivEsc to Alekos #1
28:00 - PrivEsc to Alekos #2
30:37 - Root #1 (SymLink)
30:48 - Root #2 (Tar Checkpoint)
44:45 - Root #3 (Remove Development)</p>
HackTheBox - Ellingson
https://www.youtube.com/watch?v=XVYgBetSvS8&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=2&t=0
01:12 - Begin of recon, examining website seeing the "Hackers" Theme
04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)
05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code
06:00 - Testing if we can connect back to our host with ping or curl (cannot)
08:00 - Dropping a SSH Key via python since we cannot reverse shell
13:00 - SSH into the box as the HAL User and clean up the authorized_key file
13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it
21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)
22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it
24:20 - Using Ghidra to verify we are not missing any functionality
27:30 - Using find to discover what files the adm group is an owner of
28:30 - Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup
31:30 - Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)
35:30 - Using Ghidra to discover the hardcoded password in the garbage binary
37:00 - Exploring the binary, using Ghidra to see if there are any hidden menu options
41:30 - Installing GDB Enhanced Features (GEF) and pwntools for python3
44:20 - Poorly explaining leaking memory addresses by creating a ROP Chain with puts
48:50 - Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)
49:20 - Using pattern create and offset/search within gef to RSP Overwrite Location
51:30 - Using ropper to discover a pop rdi gadget
53:40 - Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak.
01:06:30 - Using Readelf to get important locations in libc and strings to get location of /bin/sh. Then performing all the calculations based upon memory leak
01:15:41 - Putting it all togather to create a gadget chain to get a shell
01:20:00 - Replacing libc memory locations with the ones installed on ellingson
01:22:30 - Running the exploit, getting a root shell, then documenting the code</p>
HackTheBox - Ghoul
https://www.youtube.com/watch?v=kE36IGAU5rg&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=3&t=0
01:29 - Begin of Recon, notice multiple SSH Host Keys
06:15 - Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP
07:30 - Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images
09:00 - Discovering that this TOMCAT page allows the ability to upload images and zips
10:45 - Explaining the ZipSlip Vulnerability
12:20 - Walking through how ZipSlip Works
14:30 - Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip
18:30 - Reverse Shell Returned
18:51 - Looking at Secret.php to get potential usernames and passwords
22:20 - Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path)
25:55 - Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords
35:00 - Using find to list files modified between two dates
39:30 - Copying SSH Keys back to our box
42:30 - Logging into SSH over port 22 with Kaneki and SSH Key
44:00 - Creating a bash script to perform a ping scan to discover other hosts
49:55 - Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host
52:12 - Running the HostScan utility again to find another host, then modifying script to do a portscan
55:00 - Tunneling to the GOGS Box via SSH Tunnels
58:00 - Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits
59:15 - SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925)
01:00:25 - Copying the GOGS Exploit, and logging in with a password we previously found. Note: There is a tool called gogsownz, but it automates so much you don't really learn anything.
01:02:30 - Creating a Repository in GOGS then dropping a file to the box
01:03:50 - Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin
01:06:38 - As an Admin now we can create a Git Hook to execute code upon updating and get a shell
01:11:50 - Searching for what the gosu binary does, finding out it lets us privesc to root
01:18:15 - Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials
01:22:00 - Escalating to root on kaneki-pc (second docker box) via password found
01:25:00 - Abusing SSH Agents to intercept the "SSO Like Token" and swim upstream to the Host OS</p>
HackTheBox - OneTwoSeven
https://www.youtube.com/watch?v=EXuEDHFjS9E&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=4&t=0
00:42 - Begin of recon
01:08 - Examining the webpage
04:28 - Discoving SFTP Credentials on the web page
07:00 - Playing with the SFTP Server
08:40 - Discoving the SymLink command to break out of home directory
09:40 - Symlinking the root directory to find the source of login.php through VIM SWP Files.
13:00 - Second way to get source code, symlink with a file naming ending in not PHP
15:30 - Examining the source code to login.php and getting a hard coded username
18:10 - Examining index.php to see how to access a login portal (admin)
19:20 - Using SSH to do port forwarding (Reddish)
21:20 - Examinig the admin web page
24:13 - Examing the Apache Rewrite Engine Rules
25:10 - Checking the source code to addon-manager to identify how upload/download features work
26:15 - Explaining the Rewrite attack
30:40 - Uploading a reverse shell, then executing
33:30 - Reverse shell returned
34:30 - Can sudo with apt, checking GTFO Bins
36:00 - Looks like we can MITM Apt due to passing a proxy through sudo
37:00 - Configuring Burp to act as an HTTP Proxy and pass it to Python
40:50 - Creating the Malicious APT Repo
45:30 - Creating the Malicious Deb File
51:30 - Getting the Root Shell</p>
HackTheBox - Flujab
https://www.youtube.com/watch?v=_f9Xygr-qHU&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=5&t=0
01:30 - Begin of Recon
04:15 - Adding DNS Names to /etc/hosts
05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages
11:00 - Start of looking at FreeFlujab.htb
15:40 - Looking at HTTP Cookies we send
17:40 - Editing Cookies in Firefox
19:50 - Discovering SMTP_CONFIG, which lets us change where the mail server is
21:50 - Using FireFox to remove character restrictions on a page
24:15 - The WebPage kept resetting our cookie, using Burp to auto replace
27:30 - Standing up a SMTP Server in python to read mail
30:20 - Discovering SQL Injection
34:50 - SQL Injection confirmed, testing Union Injections
37:40 - Creating a Python Script to aid us in running SQL Injections
37:40 - Script: Running a SMTP Server in background thread
41:35 - Script: Adding ability to use arrow keys to go to previous command
46:42 - Script: Making our command prompt send HTTP Requests
52:40 - Dumping database structure from INFORMATION_SCHEMA
1:05:00 - Dumping information out of the VACCINATIONS Table
1:07:50 - User information dumped, cracking a sha256 hash
1:11:00 - Accessing a new HOSTNAME from the database (sysadmin-console-01)
1:16:00 - Logging into Ajenti
1:17:00 - Discovering Notepad can read files from the server
1:24:10 - Looks like there was a SSH Key Compromise on the box from a README File
1:27:40 - Searching the compromised debian keys for one on the box
1:29:48 - Able to SSH Into the box with the Key! However we are in restricted bash
1:30:30 - rBash escape 1: Using GTFOBins to find a way to escape restricted bash
1:32:30 - rBash escape 2: Using -t bash argument in SSH to escape restricted bash
1:33:30 - Exploiting an old version of Screen to PrivEsc!
1:43:40 - Creating files in /home/sysadm
1:46:40 - SSH is configured to allow public keys to also be placed in ~/access
1:48:00 - Reading Ajenti Documentation to see API lets us change file permissions
1:50:00 - Ajenti wants the CHMOD Number to be in a weird format</p>
HackTheBox - Zipper
https://www.youtube.com/watch?v=RLvFwiDK_F8&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=6&t=0
01:15 - Start of NMAP
04:10 - Signing into Zabbix as Guest
05:30 - Getting potential usernames from inside Zabbix and guessing creds
06:30 - Running Searchsploit and looking for vulnerabilties
07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds
10:15 - Modifying the "API" Script
11:15 - Showing a shortcut to skip the Container to Host Lateral Movement.
15:35 - Shell on the Container.
17:25 - Searching for Zabbix MySQL Password
18:35 - Dumping the Zabbix User Database
20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible
23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)
29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork)
32:40 - Running LinEnum on Zabbix Host
35:15 - Examining home directories to find Zapper Creds
36:42 - Examining the "Zabbix-Service" SetUID
39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation
42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service
48:30 - Extra Content: Building a Zabbix API Client from Scratch!
48:55 - "Pseudo Terminal" Skeleton Script via Cmd module
50:00 - Adding Login Functionality
56:08 - Making the script login upon starting
57:50 - Adding functionality to dump users
01:04:00 - Adding functionality to dump groups
01:05:25 - Adding functionality to add users
01:10:45 - Adding functionality to modify users</p>
HackTheBox - Dab
https://www.youtube.com/watch?v=JvqBaZ0WnV4&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=7&t=0
00:40 - Begin of the box
03:20 - Checking the HTTP Ports out
04:38 - Using wfuzz to bruteforce a login on port 80
08:15 - Begin examining port 8080, use wfuzz to bruteforce a cookie
11:30 - Using wfuzz to enumerate the WAF and determine bad characters
14:40 - Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost.
16:50 - Begin examining port 11211 (MemCache)
18:00 - Dumping data from Memcache
23:50 - Using CVE-2018-15473 to enumerate valid users over SSH
27:35 - Cracking the users hash and logging into the box
29:00 - Using R2 to analyzing rabbit hole application "try_harder"
33:30 - Going through LinEnum
38:30 - Using r2 to examine myexec to find password
40:13 - Using r2 to examine libseclogin.so
41:30 - Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library
42:10 - Creating a malicious library to hijack seclogin()
45:10 - Lets bypass the login by hijacking printf()</p>
HackTheBox - Oz
https://www.youtube.com/watch?v=yX00n1UmalE&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=8&t=0
00:50 - Start of the box
05:30 - Attempting GoBuster but wildcard response gives issue
07:40 - Start of doing wfuzz to find content
10:38 - Manually testing SQLInjection
13:07 - Running SQLMap and telling it exactly where the injection is
16:04 - Manually extracting files with the SQL Injection
19:50 - Cracking the hash with hashcat
25:00 - Start of examining the custom webapp, playing with Template Injection
27:00 - Explaining a way to enumerate language behind a webapp
35:17 - Reverse Shell returned on first Docker Container
38:00 - Examining SQL Database
39:40 - Doing the Port Knock to open up SSH
43:50 - Gain a foothold on the host of the docker container via ssh
46:00 - Identifying containers running
50:10 - Creating SSH Port Forwards without exiting SSH Session then NMAP through
55:11 - Begin looking into Portainer, finding a weak API Endpoint
59:00 - Start of creating a container in portainer that can access the root file
01:08:25 - Changing sudoers so dorthy can privesc to root
01:09:50 - Lets go back and create a python script to play with SQL Injection</p>
HackTheBox - Falafel
https://www.youtube.com/watch?v=CUbWpteTfio&list=PLidcsTyj9JXJlmHwZScT3He3rO4ni-xwH&index=9&t=0
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python</p>
HackTheBox - Vault
https://www.youtube.com/watch?v=LfbwlPxToBc&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=10&t=0
01:08 - Begin of Recon
03:08 - Begin of GoBustering
07:15 - Discovery of an image upload script
08:39 - Attempting to bypass the upload filter
12:46 - Reverse Shell to ubuntu Returned. Examining Web Source
15:28 - ALTERNATIVE: Checking out the host name pollution, setting host header to localhost
19:27 - Resume of poking around the host, discover passwords and other hosts in /home
23:14 - Uploading a static-compiled nmap to the box (static-binaries is a github repo)
24:57 - SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop.
27:27 - Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN
28:45 - Think i broke the box here, sent unicode to the box.... It stops responding on web.
32:55 - Machine reverted, getting back to where I started.
34:50 - Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box.
36:12 - Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports.
38:58 - Exploring the DNS Server box.
39:26 - Finding a password in /home/dave/ssh
40:15 - Discovering Vault's IP Address in /etc/hosts
41:20 - Perfoming a NMAP on the vault box, discover two ports closed
41:50 - Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987
43:20 - ALTERNATIVE: Bypassing the firewall by using IPv6
49:47 - How to set the source port with SSH via ncat
50:45 - Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03
51:35 - Dave has the above RSA Key, use SCP to send the file back to Ubuntu
54:45 - The file has been copied, using gpg to decrypt the file.
55:39 - MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC
57:05 - Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine.
57:42 - Rebooting Vault by sending the Ctrl+Alt+delete key
58:00 - Editing grub to get a root shell without a password
58:56 - Changing the password to root, then rebooting again
59:30 - Logging in with the new password.</p>
HackTheBox - Carrier
https://www.youtube.com/watch?v=2ZxRA8BgmnA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=11&t=0
00:53 - Begin of Recon
03:30 - Checking out the Web Page
04:20 - Doing UDP/GoBuster Scans
08:20 - Running SNMPWalk and then logging into web interface
10:20 - Reading the tickets on the web page
12:00 - Discovering code execution
16:00 - Reverse Shell Returned
23:15 - Discovering FTP Server 10.120.15.10
26:00 - Gaining access to a Router Interface
27:30 - Using Draw.io to draw out the network
32:40 - Examining routing information
35:45 - Looking at BGP Information
39:00 - First attempt at BGP Hijack, advertising a route
43:30 - Did not work, examining routing loop.
50:50 - Blocking the routing advertisement to AS300
56:50 - Showing the new routing loop (AS300 sends to AS200)
01:00:00 - Telling AS200 not to advertise the route to AS300
01:04:00 - Grabbing FTP Traffic to get root password
01:07:00 - Logging into all 3 routers for some fun
01:08:50 - Hiding from TraceRoute by mucking with TTL's
01:13:20 - Redoing the attack, but showing routing tables on all routers
01:17:30 - Unintended route, Just adding an IP to eth2</p>
HackTheBox - Waldo
https://www.youtube.com/watch?v=1klneIHECqY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=12&t=0
01:15 - Begin of Recon
02:00 - Looking at what Filtered means in Nmap
05:00 - Start of looking at webpage (GoBuster)
06:30 - Manual HTTP Enumeration
09:50 - Start of exploiting with BurpSuite
17:00 - SSH Key Found, logging in with nobody
19:12 - Discovering a second SSH Server
23:36 - Using the same SSH Key to login to the second SSH Server as monitor
24:38 - Escaping rBash by modifying an executable file in our current $PATH
28:13 - Running LinEnum.sh to search for PrivEscs
30:50 - Enabling ThoroughTests in LinEnum to see what else it will check
36:30 - Looking into capabilities permission sin linux
39:00 - Begin of second way to escape rBash and setup a SSH Tunnel for fun</p>
HackTheBox - Hawk
https://www.youtube.com/watch?v=UGd9JE1ZXUI&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=13&t=0
01:00 - Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver
03:50 - Checking FTP Server for hidden files
04:30 - Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher
08:20 - Creating a bunch of files varying in length to narrow likely ciphers down.
14:35 - Encrypting all of the above files and checking their file sizes
22:45 - Decrypting file, obtaining a password
24:25 - Begin looking at Drupal, running Droopescan
25:12 - Manually examining Drupal, finding a way to enumerate usernames
25:50 - Placing invalid emails in create account, is a semi-silent way to enumerate usernames
28:15 - Logging into Drupal with Admin.
29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with php code
32:30 - Reverse Shell Returned
33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root
37:00 - Hunting for passwords in Drupal Configuration
39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed)
40:10 - Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel
44:30 - Accessing Hawk’s H2 Service (8082) via the loopback address
50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
51:45 - Logging into H2 by using a non-existent database, then testing code execution
52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
59:50 - Reverted box, cleaning up environment then getting reverse shell
01:02:45 - Discovering could have logged into the database with Drupal Database Creds.</p>
HackTheBox - Tartarsauce
https://www.youtube.com/watch?v=9MeBiP637ZA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=14&t=0
01:10 - Begin of recon
03:00 - Discovery of Wordpress and fixing broken links with burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra, (Rabbit Hole)
13:05 - Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming monstra was read-only
18:50 - Running LinEnum.sh to see www-data can run tar via sudo
20:30 - Use GTFOBins to find a way to execute code with Tar
22:00 - Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
24:10 - Examining backuperer script
26:00 - Hunting for vulnerabilities in Backuperer
32:15 - Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false
34:20 - Begin of exploiting the backuperer service by exploiting intregrity check
36:40 - Creating our 32-bit setuid binary
39:16 - Replacing backup tar, with our malicious one. (File Owner of Shell is wrong)
40:54 - Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root
42:30 - Exploiting the Backuperer Service via SetUID!
45:00 - Unintended Exploit: Using SymLinks to read files via backuperer service</p>
HackTheBox - DevOops
https://www.youtube.com/watch?v=tQ34Ntkr7H4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=15&t=0
00:54 - Start of Recon
03:10 - Start of GoBuster
04:00 - Looking at /upload, testing with a normal XML File
06:15 - Valid XML File created, begin of looking for XML Entity Injection XXE
08:20 - XXE Returns a a local file off the server
09:30 - Grabbing the source code to the webserver to find newpost function.
11:35 - Discovery of vulnerability due to user data being passed to pickle
12:44 - Creating the script to exploit pickle
16:38 - Reverse shell returns!
19:55 - Poking around at Source Code
20:15 - Discover of an SSH Key within deployment stuff.
21:15 - Trying SSH Key for other users on the box to see if it is valid
22:57 - Hunting for git filers, the boxes name is "Gitter" and we have an SSH Key that goes nowhere.
23:00 - Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!
23:45 - Examining Git Log to see the SSH Key has changed!
25:20 - SSH'ing with the old key, to see it's root's key.
25:58 - The webserver could read Roosa's SSH Key. Could bypass the entire pickle portion
26:20 - Start of "Extra Practice"
27:40 - Creating a Python Script to automate the LFI With XXE
35:50 - Script completed, lets improve it to try to download an exposed git repo</p>
HackTheBox - Olympus
https://www.youtube.com/watch?v=7ifJOon5-G8&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=16&t=0
01:30 - Begin of Recon, nmap filtered explanation
03:30 - Begin of initial DNSRecon, hunting for a domain name
06:04 - Web page enumeration, finding xdebug in header
09:47 - Installing xdebug plugin in Chrome to show its use
12:50 - Getting a reverse shell on the first docker (Icarus)
15:00 - Setting up nginx to accept files uploaded over HTTP / WebDav
20:30 - Examining the Wireless Capture from Icarus
21:30 - Cracking WPA with aircrack / hashcat
25:00 - Decrypting WPA traffic in Wireshark
27:50 - Enumerating valid usernames via SSH (CVE-2018-15473)
33:15 - SSH into port 2222 with information from Wireless Capture
34:40 - Domain Name found! Time to do a DNS Zone Transfer
36:15 - Port Knocking to open up port 22
40:05 - PrivEsc to root via being a member of the Docker Group</p>
HackTheBox - Canape
https://www.youtube.com/watch?v=rs75y2qPonc&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=17&t=0
00:43 - Start of Recon, nmap and poking around the website
04:00 - Dirbusting a site that always respond 200
09:43 - Switching to a different Wordlist (SecLists/Discovery/Web/Common)
10:48 - Discovery of .git - Poking around to clone it and download
15:10 - Downloaded .git, examining commit history
19:50 - Start of Pickle Talk
21:25 - Begin writing of the pickle exploit
28:45 - Return of Reverse Shell as www-data
32:30 - Begin looking into CouchDB
34:00 - Poking around at documents within CouchDB
36:15 - Examining first exploit with creating a CouchDB User
39:50 - Exploring the passwords database with our newly created admin user and finding Homers Password.
42:00 - Getting root with sudo pip install
45:55 - Box Done. Begin second unintended way to get to Homer User
47:03 - Playing with the public RCE Exploit for CouchDB
48:20 - Running the exploit
49:36 - Examining the exploit, doing each step manually to see where it fails
54:30 - Searching on how to create a new CouchDB Cluster, maybe it will allow this work?
55:55 - Digging into how erlang works
57:30 - Finding default CouchDB Cookie
59:10 - Connecting to the Erlang pool then searching for how to run commands.
01:01:54 - Exploring how to send long commands as distributed task
01:04:30 - Getting reverse shell
HackTheBox - Poison
https://www.youtube.com/watch?v=rs4zEwONzzk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=18&t=0
00:56 - Start of recon, use Bootstrap XSL Script to make nmap pretty
03:10 - Looking at nmap in web browser
03:52 - Navigating to the web page, and testing all the pages.
06:25 - Testing for LFI
07:00 - Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)
08:40 - Testing for RFI (Remote File Inclusion) [not vuln]
10:00 - Code Execution via LFI + phpinfo()
14:45 - Modifying the PHP-LFI Script code to get it working
17:10 - Debugging the script to see why tmp_name couldn't be found
20:12 - Shell returned!
21:25 - Looking at pwdbackup.txt and decoding 13 times to get password.
23:37 - SSH into the box (Do not privesc right away!)
24:29 - Getting shell via Log Poisoning
26:39 - Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (<a href="#" onclick="yt.www.watch.player.seekTo(42*60+50);return false
28:47 - Begin of PrivEsc, grabbing secret.zip off
32:38 - Searching for processes running as root, find VNC
33:49 - Setting up SSH Tunnels without exiting SSH Session.
37:43 - Something weird happend... Setting up SSH Tunnels manually.
40:10 - PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password
41:40 - Decrypting the VNC Password because we can.
42:50 - Examining the log file to see why our Log Poison Failed, then doing the Log Poison</p>
HackTheBox - Stratosphere
https://www.youtube.com/watch?v=uMwcJQcUnmY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=19&t=0
01:11 - Begin of recon
03:48 - Manually checking the page out
04:30 - Discovering the webserver is java/tomcact
05:35 - Starting up GoBuster / Hydra
09:40 - The Directory /Monitoring was found - Discovering its Struts because of .action
11:00 - Stumbling upon an exploit trying to find out how to enumerate Struts Versions
14:10 - Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off
21:10 - Using a HTTP Forward Shell to get around the strict firewall
22:40 - Go here if you want to start copying the Forward Shell Script
23:34 - Explaining how it works
25:10 - Explaining the code
31:06 - Forward Shell Returned - Enumerating Database to find creds
37:29 - Examining User.py
40:15 - Privesc: Abusing Python's Path to load a malicious library and sudo user.py</p>
HackTheBox - Craft
https://www.youtube.com/watch?v=3znkLWakuUA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=2&t=0
01:20 - Begin of recon
03:18 - Checking out the HTTPS Certificate for potential hostnames
05:10 - Looking at api.craft.htb, appears to be some type of Documentation for the REST API
06:40 - Looking at gogs.craft.htb, no known exploits but there is some source code!
09:20 - Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out
11:25 - Attempting to crack the JWT (fails)
13:30 - Going back to the issues to see there is an eval() on user input
16:25 - Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog
18:57 - Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits
21:20 - Discovering Dinesh's credentials in an old git commit
25:05 - Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding
28:28 - Testing Code Execution from the previous git issue, use the test.py script as a skeleton.
31:30 - Getting a reverse shell with this exploit using exec(base64)
35:10 - Reverse Shell Returned
36:15 - Grabbing settings.py on the server to get a bunch of credentials
37:30 - Fixing our terminal to have the correct rows/columns so we can use vi
40:18 - Editing dbtest.py to dump all users from the database
42:00 - Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret
45:25 - Manually crafting a JWT in Python to show what to do if you are successful at cracking... Then trying to create a JWT that is not signed
49:10 - Logging into GOGS with the credentials we got from dumping the database
50:20 - Gilfoyle as a private repo, lets download it
53:30 - Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo
58:00 - An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS
01:00:00 - Bunch of references to Vault in LinPEAS, looking into what this is.
01:02:20 - The .vaulttoken file is saved creds, lets just use vault ssh to login to the box</p>
HackTheBox - Celestial
https://www.youtube.com/watch?v=aS6z4NgRysU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=20&t=0
00:58 - Begin of Recon
03:00 - Looking at the web application and finding the Serialized Cookie
04:38 - Googling for Node JS Deserialization Exploits
06:30 - Start of building our payload
07:10 - Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is
09:10 - Moving our serialized object to "Name", hoping to get to read stdout
11:30 - Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)
13:25 - Failing to convert an object (stdout) to string.
14:02 - Verifying code execution via ping
15:32 - Code execution verified, gaining a shell
18:49 - Reverse shell returned, running LinEnum.sh
21:26 - Examining logs to find the Cron Job running as root
22:09 - Privesc by placing a python root shell in script.py
24:15 - Going back and getting a shell with NodeJSShell</p>
HackTheBox - Aragog
https://www.youtube.com/watch?v=NFdi-2tgvxY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=21&t=0
01:26 - Start of Recon
03:25 - Notice SSH configured for Pub Key Only. Hint at what to grab later!
03:50 - Grabbing test.txt off ftp server via anonymous auth
04:07 - Determining if I want to go down the "Exploit VSFTPD" rabbit hole
05:54 - Viewing test.txt and hosts.php
06:48 - Figuring out how hosts.php works and discovering XXE
08:58 - Start of XXE Discovery
10:16 - Making the XXE Output /etc/passwd
11:33 - Encoding output in Base64 in order to view PHP Files
12:58 - Using Burp Intruder to BruteForce Files
16:20 - Creating a program to bruteforce home directories
26:41 - Program Finished. Finding SSH ID_RSA Key
28:15 - Low Priv Access Granted
30:24 - LinEnum.sh shows Wordpress CHMOD'd to 777
31:05 - Examining Wordpress Site (big hint left by author)
32:10 - Enumerating MySQL Database
35:15 - Giving up on MySQL, lets edit PHP Files to dump passwords!
36:50 - Identifying the file we want to backdoor
37:51 - Placing our PHP Code
42:06 - Got the password!</p>
HackTheBox - Flux Capacitor
https://www.youtube.com/watch?v=XLIBbkQJKuY&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=22&t=0
01:25 - Begin of recon
02:20 - Wiresharking NMAP to identify fingerprint
05:53 - Checking the WebPage
09:15 - Finding /sync and why web browser has a 403
12:45 - Using wfuzz to find what arguments /sync takes
15:45 - The actual wfuzz command
20:30 - Finding Bad Characters with wfuzz
24:51 - Getting command execution
32:00 - Getting a reverse shell
43:40 - Privesc to root abusing custom script
47:48 - Examining how NGINX/OpenResty was configured</p>
HackTheBox - Inception
https://www.youtube.com/watch?v=J2I-5xPgyXk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=23&t=0
01:05 - Start of Recon + Finding dompdf
08:30 - PHP Wrappers + Failed testing for RCE
11:35 - Writing Python Program to automate file disclosure bug
18:40 - Finding WebDav Configuration + Uploading Files for RCE
25:50 - Modifying Sokar's Forward Shell (PTY over HTTP)
33:55 - Forward shell returned
38:50 - Using Squid to pivot to ports listening locally + NMAP via ProxyChains
47:48 - Getting nmap on Inception to speed up scanning private network
59:16 - Nmap results returned for 192.168.0.1, FTP Anonymous Login
1:01:15 - Finding TFTP as a Running Service
1:06:35 - Using TFTP to grab crontab &amp; creating a pre-invoke apt script</p>
HackTheBox - Enterprise
https://www.youtube.com/watch?v=NWVJ2b0D1r8&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=24&t=0
01:00 - Begin of recon
10:00 - Finding the vulnerable Wordpress Plugin
17:50 - Exploiting lcars plugin
28:30 - Logging into WP and Getting Reverse Shell
35:00 - Wordpress RevShell Returned
40:00 - Using Meterpreter to pivot and provide access to MySQL
50:00 - MySQL Shell Returned
52:00 - Logging into Joomla and Getting Reverse Shell
57:20 - Joomla Reverse Shell returned
59:00 - Getting Reverse Shell on Host OS (port 443)
1:02:00 - Shell Returned begin of local privesc recon
1:12:06 - Beginning of Binary Exploitation
1:21:00 - Start writing exploit script
1:28:30 - Analyzing the PHP SQL Injection Scripts
1:36:30 - Viewing what SQLMap does to exploit this
1:40:00 - Stepping through Double Query Injection
1:47:20 - Writing our own SQL Injection Exploit Script</p>
HackTheBox - Node
https://www.youtube.com/watch?v=sW10TlZF62w&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=25&t=0
00:45 - Begin of NMAP
03:00 - GoBuster (Fails)
08:15 - Screw GoBuster, BurpSpider FTW
09:12 - Examing Routes File to find more pages
10:10 - Finding Credentials and downloading backup
14:45 - Cracking the zip with fcrackzip
16:45 - Finding more credentials (SSH) within MongoSource
21:50 - Privesc to Tom User
35:04 - Analyzing Backup Binary File
36:49 - Using strace to find binary password
40:25 - Finding blacklisted characters/words
50:00 - Unintended method one, abusing CWD
52:20 - Unintended method two, wildcards to bypass blacklist
54:45 - Unintended method three, command injection via new line
59:15 - Intended root Buffer Overflow ASLR Brute Force
HackTheBox - SolidState
https://www.youtube.com/watch?v=_QapCUx55Xk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=26&t=0
HackTheBox - Nineveh
https://www.youtube.com/watch?v=K9DKULxSBK4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=27&t=0
00:00 - Intro
01:58 - Begin Recon (NMAP)
04:19 - GoBuster HTTP + HTTPS
06:35 - Accessing Pages
07:05 - Using Hydra against HTTP + HTTPS Web Forms
11:30 - Logging into HTTP and hunting for vulns
17:00 - Second Hydra attempt against HTTPS
17:57 - Logging into HTTPS (phpLiteAdmin)
20:17 - Chaining Exploits to get Code Execution
26:38 - Reverse Shell Returned
28:00 - LinEnum.sh Script Review
31:30 - Watching for new Processes
37:00 - Found the error in script :)
39:30 - Getting reverse root shell
41:51 - Intended Route to get User
46:12 - Reviewing Knockd configuration
49:33 - Doing the PortKnock</p>
HackTheBox - Europa
https://www.youtube.com/watch?v=OsxDB41jg6A&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=28&t=0
00:24 - Recon with Sparta
02:00 - Enumerating SSL Certificate
03:55 - Manually View SSL Certificate
04:35 - VirtualHostRouting Explanation
07:42 - SQL Injection - Auth Bypass
13:00 - Dumping the Database with SQLMap
16:45 - Begin of Web Exploit (Regex //e)
23:00 - Getting a Shell
27:10 - Begin PrivEsc (CronJob)</p>
HackTheBox - Apocalyst
https://www.youtube.com/watch?v=TJVghYBByIA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=29&t=0
01:26 - Enumeration Start
02:58 - WPScan Start
05:40 - Directory Scanning with GoBuster
10:54 - Examining WPScan Output
13:40 - Bruteforcing with WPScan
14:40 - Bruteforcing HTTP Post with Hydra
18:30 - Edit WP Theme to get Code Execution
22:09 - Return of Reverse Shell
26:25 - Privelege Escalation Word Writeable Passwd</p>
HackTheBox - Luke
https://www.youtube.com/watch?v=gaBdfD4BGBo&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=3&t=0
00:40 - Begin of Recon
02:45 - Checking FTP to get a note
03:38 - Going to each of the three websites
04:30 - Running Gobuster on port 80/3000
06:30 - Taking notes of all the login pages (forgot Ajenti)
07:55 - config.php found which has a password
10:15 - Discovering /login on port 3000 accepts username=&amp;password=
11:25 - Successful login! JWT Token returned
14:00 - Using curl to add the JWT Token in the header to access other api endpoints
15:10 - Using BurpSuite to add headers
18:30 - Navigating the Rest API to dump the usernames and passwords
20:30 - Attempting logins on other services
21:30 - Derry can login to /management
22:50 - Ajenti Password! Lets try logging in
22:30 - Ajenti has a virtual terminal that is running as root!
26:20 - Extra Content - Getting a reverse shell
28:30 - Grabbing the JWT Secret, so we can forge our own tokens!
29:10 - Creating a python script to generate JWT Tokens
30:20 - This token has no expiration time, and is assigned at 0. Should never expire!
31:30 - Adding Requests to our script, so the script can make web requests
33:15 - Lets try removing all signing algorithms from the token and see if server accepts it
34:40 - Cracking the JWT Token Signing key with Hashcat</p>
HackTheBox - Sneaky
https://www.youtube.com/watch?v=1UGxjqTnuyo&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=30&t=0
00:00 - Intro
00:44 - Recon + Web Enum
01:33 - SQL Injection
05:30 - Start of IPv6 Talk
06:30 - What is an IPv6 IP Address?
11:27 - Types of IPv6 Addresses
14:06 - IPv6 Subnetting Explained
21:20 - End of IPv6 Primer, Exploit time!
22:43 - Method 1: Getting MAC and calculating fe80
30:30 - Method 2: Enumerating Networks by pinging Multicast
33:56 - Extra: Getting Windows to respond from Multicast Ping
38:07 - Extra: NMAP Scanning ipv6 local networks
40:15 - Convert RPM to DEB (Needed for install nmap on tenten)
41:30 - Intended Solution: Getting IPv6 via SNMP
43:58 - No SNMP MIB Output
45:58 - Getting SNMP MIBS Installed and Configured
47:52 - Tool: Enyx - SNMPv6 Enumeration via Python
50:44 - Privesc Enumeration
52:49 - Buffer Overflow</p>
HackTheBox - Lazy
https://www.youtube.com/watch?v=3VxZNflJqsw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=31&t=0
00:39 - Basic Web Page Discovery
03:30 - Examining Cookies - Pt1 (Burp Sequencer)
05:05 - Fuzzing Usernames (2nd Order SQL Injection)
07:15 - Examining Cookies - Pt2
07:40 - Cookie Bitflip
12:45 - Oracle Padding Attack - Pt1
15:30 - Rooting the Box
22:50 - Oracle Padding Attack - Pt2</p>
HackTheBox - Haircut
https://www.youtube.com/watch?v=9ZXG1qb8lUI&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=32&t=0
01:45 - GoBuster
04:40 - Exploiting exposed.php
11:40 - Getting Shell
20:09 - Screen Privesc</p>
HackTheBox - CronOS
https://www.youtube.com/watch?v=CYeVUmOar3I&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=33&t=0
HackTheBox - Tenten
https://www.youtube.com/watch?v=A4U3xiRWfsU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=34&t=0
HackTheBox - October
https://www.youtube.com/watch?v=K05mJazHhF4&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=35&t=0
00:45 - Pulling up Web Page.
01:10 - Searchsploit
02:40 - Enumerating Version (Download Versions, Hash Static Files)
08:20 - Default cred /backend -- Upload Shell
09:51 - User Reverse Shell
12:10 - Transfering file over nc
14:45 - Begin "fuzzing" Binary
16:15 - GDB Analysis
18:46 - Get a full reverse shell with tab autocomplete.
19:00 - Showing ASLR changing address
20:20 - Disable ASLR on Exploit Dev Machine
21:15 - Start of exploit development for ovrflw binary (Pattner_Create)
27:27 - Start of Return to LibC attack - Getting Addresses
37:20 - Grabbing memory locations off October Machine
41:00 - Convert script to Bruteforce ASLR</p>
HackTheBox - Popcorn
https://www.youtube.com/watch?v=NMGsnPSm8iw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=36&t=0
00:25 - TMUX and Connecting to HTB
02:00 - Virtual Host Routing Explanation
02:40 - File Enumeration (Dirb)
03:59 - Discover of Web App
05:45 - Starting SQLMap in the Background
09:30 - Uploading a PHP Shell
14:01 - Python PTY Reverse Shell (Tab Autocomplete!)
19:25 - MOTD Root (Method 1)
23:50 - Dirtyc0w Root (Method 2)
HackTheBox - Unattended
https://www.youtube.com/watch?v=2SATzCQY0Zw&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=4&t=0
01:00 - Begin of recon
03:30 - Running GoBuster to discover /dev and index.php
06:50 - Checking out the web application
07:55 - Discovering SQL Injection in ID and playing with it
11:45 - Running SQLMap to dump pieces of the database
14:55 - Nginx Misconfiguration, missing trailing slash
19:10 - Downloading source code of the application
21:20 - Exploring the source of the application
25:47 - Specifying an error string in SQLMap to have it do boolean logic versus time-based
27:00 - Installing a Docker LAMP Server to run the web application
45:40 - Finally got the application running locally (Missed a comma which created a lot more work)
46:15 - Analyzing the SQL Injection with Debug turned on to see how it works
50:00 - Explanation of gaining code execution through an LFI + PHP Cookies
53:00 - Exploring the cookie
55:40 - Have code execution on our docker, lets exploit the server
01:00:00 - Reverse Shell returned
01:02:35 - Exploring MySQL database and escalating to GULY
01:08:30 - Running LinEnum as Guly and going through the results
01:12:00 - Exploring files Guly can access due to Grub Group, downloading initrd
01:14:10 - Decompressing initrd.img and looking for the file GULY modified
01:21:20 - Running STRACE to see what uinitrd does
01:24:20 - Running uinitrd after modifying /etc/hosts and /boot/guid
01:26:20 - Extra Content: If you had trouble with TTY, SSH is accessible via IPv6
01:30:50 - Extra Content: Runing GIXY to analyze the NGINX Configuration
01:35:20 - Extra Content: Looking at uinitrd in Ghidra</p>
HackTheBox - LaCasaDePapel
https://www.youtube.com/watch?v=OSRCEOQQJ4E&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=5&t=0
01:05 - Start of nmap
02:50 - Attempting to execute an VSFTPD Backdoor via MSF
03:40 - Discovering the backdoor opened 6200, discovering a weird shell
04:50 - Lets figure out what just happened
06:50 - Triggering the backdoor without Metasploit
09:05 - Exploring the Psy PHP Shell opened up by the backdoor
10:20 - Several functions for executing bash aren't working, checking disable_functions
11:40 - Attempting to bypass disabled_functions (does not work)
12:50 - Using ScanDir() and File_Get_Contents(), to explore the filesystem
14:50 - Identifying we are probably running as the Dali User (Unintended Path)
17:00 - Downloading CA.KEY, which is a private key to a webserver
21:40 - Using the CA.KEY to generate client certificates to access the HTTPS Page
30:25 - Weird it didn't work, lets just verify all our certificates are good
32:28 - This time it worked! We connected to the server
33:20 - Failing to add the certificate to BurpSuite
33:50 - Discovering File Traversal by editing the PATH variable
36:38 - Discovering the LFI just puts the path as Base64 Encoded
37:15 - Using the LFI to download the SSH Private Key
38:45 - Testing SSH Key against users on the box to gain access!
39:13 - UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell
40:30 - UNINTENDED: Using file_put_contents() to append our public key to authorized_keys
41:30 - UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)
42:30 - UNINTENDED: Scanning ports on Dali that are listening on LocalHost
43:08 - UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication!
45:35 - Running PSPY and LinEnum
50:20 - Using PSPY to view FileSystem Events which will show the cron
52:30 - Taking control of ~/memcached.ini because we own the folder!
54:45 - Exploiting the cron that utilizes memcached.ini to get a root shell
55:55 - Exploring how the SSL Authentication is working
HackTheBox - FriendZone
https://www.youtube.com/watch?v=Zf8p49IzEEA&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=6&t=0
00:45 - Begin of Recon
04:10 - Running SMBMap to identify and crawl file shares
05:00 - Downloading creds.txt from an smb share and checking FTP/SMB
06:50 - Checking the webpage and grabbing potential DNS Names for the box
10:40 - Using dig to perform a DNS Zone Transfer to obtain additional host names
12:00 - Adding all hostnames to /etc/hosts
12:55 - Running Aquatone to take screenshots of all the pages for quick examination
15:15 - Testing Uploads.Friendzone.red
16:30 - Testing admin.friendzone.red
17:00 - Testing administrator1.friendzone.red, logging in with creds found from SMB
18:35 - Found an LFI in the Dashboard.PHP script (PageName Variable)
20:15 - Using PHP Wrappers with the LFI To obtain PHP Script Source
23:00 - Revisiting recon to find ways to upload files, end up using SMBClient
25:10 - Gaining code execution through the LFI Exploit and SMB File Share
27:30 - Reverse Shell Returned
28:50 - Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user
31:20 - Running PSPY to identify cron jobs we don't have permission to see
33:15 - Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable
38:20 - Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi
40:45 - Placing a reverse shell in the Python OS library</p>
HackTheBox - Chaos
https://www.youtube.com/watch?v=no9UnySBQrU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=7&t=0
01:05 - Begin of recon
02:20 - Starting up GoBuster then editing /etc/hosts to add the hosts in nmap
03:20 - Going over the website
06:00 - Discovering a wordpress instance (/wp/ form goBuster)
09:50 - Finding webmail credentials from a wordpress Protected Post
10:30 - Discovering webmail.chaos.htb (Method 1)
12:50 - Testing IMAP, then configuring Evolution to login to the mail server (Method 2)
16:40 - Decrypting the message that was in the draft.
22:55 - Message decrypted, new page discovered
23:11 - Discovering a webpage for creating pdfs
24:10 - Searching for a code injection path for LaTex
24:45 - Discovering the blacklist is on "input"
25:30 - Testing for blind command execution via ping
27:43 - Reverse Shell Returned
28:10 - Enumerating the web directory to find passwords
29:11 - Switching to the "Ayush" user with mail password, discover we are in rBash
29:45 - Escaping rBash by via tar (Method 1: GTFOBins)
31:00 - Escaping rBash by editing path (Method 2)
32:55 - Discovering a mozilla user configuration directory, copying it off to export passwords
36:30 - Using firefox_decrypt to export root password
37:30 - Logging into webmin with credentials from firefox
37:50 - Privesc via switching to root user with known password (Method 1)
38:10 - Using webmin to execute commands as root (Method 2)</p>
HackTheBox - LightWeight
https://www.youtube.com/watch?v=yQgtDoCDAYk&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=8&t=0
00:45 - Begin of recon, Nmap
01:30 - Taking the CentOS Apache Version to find major version
03:20 - Running GoBuster with a Common-PHP-Files wordlist.
06:00 - Enumerating Ldap with ldapsearch
07:30 - Discovery of Password Hashes within ldap information
10:55 - Attempting to crack the hashes. (does not crack)
12:30 - Back to the web page
13:15 - Page says to login with ip@Lightweight with the password of your ip
15:35 - Running LinEnum
20:15 - Discovery of Extended Capabilities set on tcpdump
20:50 - Performing a packet capture over SSH without touching disk
23:45 - Examining the pcap created, don't see anything on ens33
24:20 - Performing a packet capture through SSH and piping live results to WireShark
26:00 - Discovery of LDAP Traffic, ldapuser2 password passed in clear-text
28:15 - Using bash to exfil a file over the network (backup.7z)
29:25 - Using 7z2john and hashcat to crack a 7zip file
32:05 - Examining extracted files to discover a new credential (ldapuser1)
33:30 - The openssl binary in ldapuser1 has an empty capability (which is all)
35:00 - Using GTFOBins to see what we can do with openssl
37:11 - Reading /etc/shadow with openssl
37:35 - Adding an entry into /etc/sudoers to allow us to escalate to root</p>
HackTheBox - Redcross
https://www.youtube.com/watch?v=-GNyDEQ9UDU&list=PLidcsTyj9JXJKC2u55YVa5aMDBRXsawhr&index=9&t=0
00:20 - Flow chart of potential paths through this box
02:25 - Begin of recon, SSL Enumeration, examining PHP Behavior
06:23 - Using GoBuster to dicover directories, pdf's, and php scripts
08:10 - Using wfuzz to discover subdomains (virtual host routing)
12:15 - Guessing credential, logging in with guest:guest disover SQL Injection
16:45 - Manually doing an error-based SQL Injection with extractquery()
31:50 - A good screenshot showing the SQL Inject Queries used, then cracking
35:00 - Doing the SQLInjection with SQLMap, needed the delay flag!
37:50 - Examining the account-signup.pdf to create a user
39:50 - Doing XSS (cross site scripting) to steal a cookie of the admin
43:15 - Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work
46:15 - Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail
48:38 - Playing with the Firewall portion of the site, discover command injection in deleting rules!
52:28 - Reverse shell as www-data
54:40 - Discover postgresql credentials in actions.php, this database lets you create users!
1:00:21 - Inserting a user into the database, then logging in with SSH
1:02:40 - Examining /etc to discover a different postgresql account-signup
1:04:50 - Adding a root user with the new credentials, then sudo to root!
1:06:29 - Discovering Haraka running
1:09:10 - Using Metasploit to exploit haraka, get shell as penelope
1:12:26 - Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account.
1:15:50 - Examining iptctl.c
1:19:56 - Using Pattern_Create to discover where the RSP (RIP) Overwrite occours.
1:21:15 - Start of python script
1:24:11 - Dumping PLT Functions to use with our rop chain (no aslr on binary)
1:28:00 - Getting pop gadgets with radare
1:29:40 - Building our ROP Chain
1:34:28 - Exploiting the binary! To get root.</p>
HackTheBox - Curling
https://www.youtube.com/watch?v=Paajc2Dupms&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=10&t=0
01:12 - Begin of Recon
01:55 - Running Cewl to generate a wordlist
02:50 - Finding secret.txt in the HTML Source, which happens to be the password
03:28 - Runninh JoomScan so we have something running in the background
04:20 - Checking the manifest to get the Joomla Version
06:20 - Explaining what equals mean in base64
07:50 - Begin of hunting for Joomla Username
08:30 - BruteForcing Joomla Login with WFUZZ
10:35 - Troubleshooting by sending wfuzz through burp
12:25 - Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command
17:10 - Success! Logged into Joomla
17:58 - Gaining code execution by modifying a template
20:20 - Getting a reverse shell
23:20 - Finding the file: password_backup which is encoded
23:55 - Extracting password_backup manually with xxd, zcat, bzcat, tar
25:43 - Extracting Password_Backup with CyberChef
27:35 - Logging in with Floris
28:17 - Looking at /home/floris/AdminArea
28:50 - Testing the input file by changing the url to us
29:30 - Getting LFI by using file:// within curl
30:38 - Pulling the cron, to see what is going on
31:25 - Cron shows curl -K to use curl with a config file, checking man page.
32:05 - Changing where curl saves to, in order to gain a root shell
33:45 - Showing another good file to read with the LFI (logs)
34:18 - Using pspy to show when processes start/end, which shows the curl command with no exploits</p>
HackTheBox - Frolic
https://www.youtube.com/watch?v=b6WGQSJu_zQ&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=11&t=0
01:16 - Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes
04:04 - Using nc/ncat to verify a port is open (-zv)
11:17 - Doing gobuster across man of the sub directories
13:03 - Examining /admin/ - Examine the HTML Source because login is not sending any data
14:09 - Discover some weird text encoding (Ook), how I went about decoding it
15:44 - Decoded to base64 with some spaces, clean up the base64 and are left with a zip file
19:19 - After cracking the zip, there is another text encoding challenge (BrainF*)
25:11 - With potential information, return to our long running recon for more information
28:49 - Discovering /playsms
32:00 - Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV
34:34 - Getting a reverse shell
39:00 - Running LinEnum.sh
40:00 - Finding the SetUID file: rop
42:00 - Exploiting ROP Program with ret2libc
45:30 - Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings
50:34 - Running our exploit to get root shell
54:00 - Begin of recovering rop.c source code
56:41 - Recreating rop.c then compiling
59:44 - Copying the physical disk to our local box via SSH and DD
01:01:44 - Using PhotoRec to restore files and finding rop.c</p>
HackTheBox - Sunday
https://www.youtube.com/watch?v=xUrq29OTSuM&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=12&t=0
00:48 - Begin of NMAP Discovery of Finger
03:36 - Enumerating Finger with Finger-User-Enum
05:00 - Nmap'ing all port quickly by lowering max-retries
08:40 - Adding an old Key Exchange Alogorithm to SSH
09:30 - Showing Hydra doesn't work, then using Patator
11:19 - Using find to count lines in all wordlist files
14:07 - Logged in with sunny:sunday
14:45 - Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat
16:46 - Just noticed this box is oooooold, try to privesc with sudo and ShellShock (Fail)
18:53 - Privesc by overwriting the /root/troll binary
23:30 - Using wget to exfil files quickly
24:50 - Viewing what wget --post-file looks like
25:50 - Creating a PHP Script to accept uploaded files
27:30 - Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded
29:10 - Starting a php webserver with php -S (ip):(port) -t .
31:10 - Replacing the root password by changing the shadow file
33:30 - Demoing a way to create directories and upload files!</p>
HackTheBox - Valentine
https://www.youtube.com/watch?v=XYXNvemgJUo&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=13&t=0
00:25 - Start of Recon, identifying end of life OS from nmap
03:20 - Running vulnerability scripts in nmap to discover heartbleed
04:16 - Going to the HTTP Page to see what it looks like
06:30 - Begin of Heartbleed - Grabbing Python Module
07:13 - Explaining Heartbleed -- XKCD ftw
10:15 - Explaining and running the exploit
13:40 - Exporting large chunks of memory by running in a loop
14:10 - Finding an encrypted SSH Key on the server
15:35 - Examining heartbleed output to discover SSH Key Password
17:45 - SSH as low priv user returned
21:55 - Finding a writable tmux socket to hijack session and find a root shell
23:50 - Alternative Privesc, DirtyC0w</p>
HackTheBox - Nibbles
https://www.youtube.com/watch?v=s_0GcRGv6Ds&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=14&t=0
00:18 - Start of Recon
01:15 - Finding hidden directory via Source
02:15 - Downloading NibbleBlog to help us with finding version information
03:59 - Identifying what vresion of NibblesBlog is running
04:42 - Using SearchSploit to find vulnerabilities
05:36 - Examining the Exploit
06:08 - Explanation of exploit
07:25 - Attempting to find valid usernames for NibblesBlog
09:13 - Finding usernames in /content/private
10:15 - Using Hydra to attempt to bruteforce
14:08 - Oh crap. Hydra not good idea we're blocked...
15:40 - Using SSH Proxies to hit nibbles from another box (Falafel)
18:20 - Guessing the password
20:10 - Logged in, lets attempt our exploit!
22:46 - Code Execution achieved. Lets get a reverse shell
24:53 - Reverse shell returned.
26:00 - Running sudo -l examine sudoer, then finding out why sudo took forever to return
26:50 - Privesc via bad sudo rules
32:10 - Alternative PrivEsc via RationalLove</p>
HackTheBox - Bashed
https://www.youtube.com/watch?v=2DqdPcbYcy8&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=15&t=0
HackTheBox - Sense
https://www.youtube.com/watch?v=d2nVDoVr0jE&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=16&t=0
01:20 - Star of Recon
03:40 - GoBuster
04:45 - Getting banned and Pivoting to verify
10:20 - Logging into PFSense
16:50 - Manually Exploiting PFsense
38:30 - Using Metasploit to exploit
42:00 - Creating a Bruteforce Script in Python ( CSRF )</p>
HackTheBox - Shocker
https://www.youtube.com/watch?v=IBlTdguhgfY&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=17&t=0
00:39 - Begin Nmap, OS Enum via SSH/HTTP Banner
05:00 - GoBuster
07:08 - Viewing CGI Script
08:50 - Begin NMAP Shellshock
09:50 - Debugging Nmap HTTP Scripts via Burp
11:10 - Fixing the HTTP Request &amp; nmap script
14:45 - Performing Shellshock &amp; more fixing
18:25 - Getting a reverse shell
21:19 - Running LinEnum.sh
23:00 - Rooting the box</p>
HackTheBox - Mirai
https://www.youtube.com/watch?v=SRmvRGUuuno&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=18&t=0
00:49 - Nmap
01:31 - Examining some odd behavior. Nmap different result than browser.
04:00 - Getting to /admin and testing for Zone Transfer
05:40 - Testing SSH Default Raspberry Pi Creds
06:11 - Escalate to root 'sudo su'
07:10 - Recovering the deleted root.txt
08:38 - GrepFu
10:40 - Downloading /dev/sdb via SSH
12:48 - Running Binwalk against it
13:18 - Trying to recover with TestDisk
14:37 - Trying to recover with PhotoRec</p>
HackTheBox - Blocky
https://www.youtube.com/watch?v=C2O-rilXA6I&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=19&t=0
01:15 - Begin Recon with Reconnoitre
03:15 - Examining findings from Reconnoitre
06:50 - Decompiling java Jar Files with JAD
08:18 - Using JD-GUI
10:33 - Running WPScan
12:10 - Manually enumerating wordpress users
12:43 - SSH To the box and PrivEsc
15:30 - Rabbit hole, gaining access through FTP
17:09 - Finding Wordpress DB Password
18:33 - Switching to WWW-DATA by using phpMyAdmin + Wordpress
20:10 - Generating a PHP Password for Wordpress
21:50 - Gaining code execution with Wordpress Admin access
25:40 - Shell as www-data
26:40 - Enumerating Kernel Exploits with Linux-Exploit-Suggester
30:10 - Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)</p>
HackTheBox - Networked
https://www.youtube.com/watch?v=H3t3G70bakM&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=2&t=0
00:45 - Begin of recon
01:45 - Looking at the website, checking source, robots.txt, etc
02:30 - Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled
03:50 - Writing a simple PHP Code Execution script and trying to upload it
05:30 - Discovery of backup.tar, examining timestamps between downloading with wget/firefox
07:40 - Searching php scripts for superglobals as that will show user-input
11:10 - Explaining what magic bytes are
14:30 - Using PHP interactive mode to demonstrate what is happening
16:15 - Showing error codes are different based upon where image validation failed
17:30 - Uploading a malicious PHP Shell
18:40 - Navigating to our php shell and getting a reverse shell
21:40 - Reverse shell returned
23:40 - Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly
27:30 - Explaining the code execution vulnerability of creating a malicious file
28:30 - Creating the malicious file
31:57 - Shell returned as Guly, checking sudo list
33:09 - Examining the changename.sh script (guly can run it as root)
37:00 - Exploiting the script by inserting a command into a network configuration file
38:40 - Explaining why Apache executed PHP when files did not have the PHP Extension
39:08 - Checking php.conf to see it was user created
41:15 - Modifying php.conf to include "FilesMatch .php$", so it only executes php when the name ends in .php</p>
HackTheBox - Bank
https://www.youtube.com/watch?v=JRPWFSzFaG0&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=20&t=0
00:39 - Nmap Results
01:15 - DNS Enumeration
04:08 - HTTP VirtualHost Routing
05:28 - DirSearch (Web Enumeration)
08:50 - HTTP Redirect Vulnerability
13:23 - PW in Balance-Transfer
18:00 - File Upload, WebShell
21:48 - First Shell
30:10 - First Privesc Method (SUID)
31:38 - Second Privesc Method (passwd)</p>
HackTheBox - Beep
https://www.youtube.com/watch?v=XJmBpOd__N8&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=21&t=0
1:35 - Method 1: LFI + Password
16:03 - Method 2: Turning LFI into RCE
37:46 - Method 3: Code exec via call
54:00 - Method 4: Shellshock</p>
HackTheBox - Haystack
https://www.youtube.com/watch?v=oGO9MEIz_tI&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=3&t=0
00:54 - Begin of Recon find Elastic Search on 9200
02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip)
03:55 - Navigating to port 9200 and seeing the Elastic Search JSON Response
04:48 - Searching Elastic Search Documentation to see how to make queries
06:00 - Using /_cat/indices to see the "tables" withing ES
07:37 - Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data
13:20 - Lets switch over to Python to extract this data so we can translate this into English
17:00 - Installing googletrans, so our script can translate this. Using python3 cli to test this out
20:10 - Adding googletrans to our script
21:10 - Running our script to translate everything and then using grep to "find the needle"
22:50 - SSH'ing to the box with the security user
24:00 - Running LinEnum, noticing kibana listening on 5601
28:15 - Creating a Local Port forward so we can access kibana from out box
29:50 - Checking Kibana's version to see there are known exploits for it
30:50 - Getting a reverse shell as the Kibana user
36:00 - Using find to see what files the kibana user can write to
37:10 - Going into the Logstash directory to see that it will execute code with a specific log message
38:45 - Explaining the logstash pipeline of how it gets data
39:33 - Getting a reverse shell as the LogStash user (root)
42:00 - Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong</p>
HackTheBox - Safe
https://www.youtube.com/watch?v=CO_g3wtC7rk&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=4&t=0
00:40 - Begin of nmap
02:31 - Discovering MyApp in the HTML Source
03:30 - Examining MyApp on port 1337
05:30 - Opening myapp up in Ghidra
07:20 - Testing out the buffer overflow
08:40 - Using pattern search to see where we can overwrite RSP
10:15 - Create a PwnTool Skeleton and having it call main instead of crashing
12:30 - Testing calling main (error: need to do recvline to send text)
13:50 - Explaining hijacking the SYSTEM() call
17:11 - Finding a way to put user input into RDI
17:30 - Examining the Test Function which places RSP to RDI
19:50 - Finding a pop r13 as the Test Function jumps to r13
23:30 - Putting the gadget togather for code execution
27:00 - Setting pwntools to exploit the remote host
28:30 - Shell on the box
29:15 - Dropping SSH Key to get a normal shell and copying keepass files
31:40 - Using keepass2john to create hashes to crack
35:00 - Cracking keepass hashes with hashcat
37:50 - Using kpcli to export the root password
39:20 - Using the root password to su to the root user</p>
HackTheBox - Writeup
https://www.youtube.com/watch?v=GKq4cwBfH24&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=5&t=0
01:04 - Start of recon identifying a debian box based upon banners
02:30 - Taking a look at the website, has warnings about DOS type attacks.
03:17 - Discovering the /writeup/ directory in robots.txt
04:18 - Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple
05:15 - CMS Made Simple is an opensource product. Search through the source code to discover a way to identify version information.
07:30 - Using SearchSploit to find an exploit
09:05 - Running the exploit script with a bad URL and triggering the servers anti-DOS protection
10:10 - Running the exploit script with correct URL and analyze the HTTP Requests it makes via Wireshark to see how the SQL Injection works
16:20 - Explaining how password salts work
19:00 - Using Hashcat to crack a salted md5sum
21:15 - Demonstrating the --username flag in hashcat, this allows you to associate cracked passwords to users
24:14 - Begin of low-priv shell, running LinEnum to discover we are a member of staff
27:58 - Using google to see what the Staff group can do (edit /usr/local/bin)
28:40 - Explaining path injection
29:40 - Using PSPY to display all the processes that start on linux, useful for finding crons or short-running processes
31:58 - Running PSPY to see run-parts is called without an absolute path upon user login
33:13 - Performing the relative path injection by creating the file /usr/local/bin/run-parts which will drop our SSH Key</p>
HackTheBox - Swagshop
https://www.youtube.com/watch?v=qECG2_8xw_s&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=6&t=0
00:45 - Begin of recon
01:36 - Examining the web page to find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright
04:50 - Whoops should of done apt search magescan, either way this package is not in Kali
05:30 - Running MageScan to scan the website
08:20 - Finding an open configuration file (app/etc/local.xml)
10:30 - Running searchsploit to identify public exploits
12:10 - Examining an exploit that will add an administrative user via SQL Injection
15:15 - Running the exploit out of the box didn't work, send it through burp in order to debug it
16:45 - Exploit needed to be modified to include index.php due to mod-rewrite misconfig
19:25 - Going back to SearchSploit and using the Authenticated RCE Exploit
21:30 - Making the obvious changes to fix the exploit script
24:17 - Debugging the exploit by running it through burpsuite, find out we need to use an login page
29:00 - Bit more in-depth debugging by setting a breakpoint with pdb
30:30 - The regex is failing due to page not returning anything, the URL has a time span lets increase that
33:15 - Finally fixed this exploit! Reverse Shell Returned
35:30 - Noticing we can exec vim with sudo, lets privesc
37:10 - Mentioning GTFOBins which helps find privesc paths from privileged programs
38:15 - EXTRA: Examining the PHP Object Injection RCE Exploit</p>
HackTheBox - Help
https://www.youtube.com/watch?v=XB8CbhfOczU&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=7&t=0
00:49 - Begin of recon
01:45 - Running gobuster to find /support
02:50 - Searching for a way to find version of HelpdeskZ
03:35 - Reading over the File Upload exploit script to see it requires server time
05:10 - Uploading a PHP Reverse Shell Script
07:45 - Going back to GitHub to find where uploads are saved
09:10 - Begin of modifying the script to pull the server time out of HTTP Headers
10:30 - Figuring out the python to pull the "Date" HTTP Header
14:30 - Getting the Time Format right with STRFTIME.COM
19:40 - Testing out the exploit and getting a shell
23:20 - Discovery of an old kernel, looking for an exploit
24:30 - Copying the exploit, compiling, and privesc!
25:50 - Looking into port 3000
27:00 - /graphql discovered
27:42 - Dumping the schema to discover what data is inside
30:15 - Dumping username, password from the database
32:12 - Logging into HelpdeskZ
33:40 - Discovering the Boolean SQL Injection
34:50 - Running SQLMap
36:00 - Explaining the Injection
37:10 - Begin of creating a python script to exploit this</p>
HackTheBox - Irked
https://www.youtube.com/watch?v=OGFTM_qvtVI&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=8&t=0
31:35 . Sorry, was an extremely busy week and didn't get to verify everything was good.
00:39 - Begin on Recon
01:39 - Starting a full nmap scan
04:15 - Discovery of IRC
04:35 - Manually looking at IRC
06:00 - Looking at the IRC to understand how to connect to an IRC Server
07:00 - Pulling the IRC Version and discovering the exploit
08:50 - Going into the history of the IRC Backdoor
09:45 - Manually exploiting the IRC Server
13:10 - Shell returned on the server
14:30 - Discovery of .backup which gives a steg password
16:45 - Logging in with djmardov
21:20 - Discovery of SetUID enabled custom binary, viewuser
23:25 - Using ltrace to see what the binary does, executes the file /tmp/listusers
23:50 - Getting a root shell
25:50 - Testing exploiting the binary with "who", fails due to no setuid
27:50 - Looking at the binary within Ghidra</p>
HackTheBox - Teacher
https://www.youtube.com/watch?v=u2-te8n2WbY&list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&index=9&t=0
00:40 - Begin of recon
02:00 - Poking around at the website to identify what techologies it utilizes
02:30 - Discovering something odd about images/5.png
03:25 - Downloading 5.png to discover it is a text file with a portion of a password
06:00 - Finding a place to login (/moodle), attempt to enumerate valid usernames
08:00 - Using wfuzz to bruteforce the password
11:20 - Looking for a way to enumerate Moodle Versions
13:20 - Searching for exploits for this version and finding "Bad Teacher"
14:40 - Start of manually exploiting this vulnerability
16:00 - Adding a "Calculated Question" which has the formula (vulnerable) parameter
20:16 - Finding artifacts of creating/testing the machine which spoils what we are supposed to do
24:21 - Fixing our forumla to allow for code execution
28:30 - Getting a reverse shell
30:00 - Looking around the MySQL Database to discover hashes of other users
31:52 - The account Giovannibak stands out due to the hash being just MD5
32:30 - Attempting the password (expelled) of the MD5 hash above to login to "Su" to Giovannibak
36:20 - Grabbing and compiling pspy to find a cronjob
38:30 - Running PSPY to discover /usr/bin/backup.sh
40:00 - Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)</p>
HackTheBox - HackBack
https://www.youtube.com/watch?v=B9nozi1PrhY&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=2&t=0
00:01:30 - Begin of Recon, discovery of an HTTP API that has a few commands
00:06:00 - Using JQ to parse json output, use NetStat/Proc to find GoPhish
00:15:00 - Logging into GoPhish with default creds admin:gophish, finding DNS Names
00:21:15 - Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section
00:33:20 - Using wfuzz to bruteforce the password for webadmin.php
00:37:10 - Finding Code Execution in WebAdmin.php
00:44:00 - Creating a Python Script to give a pseudo shell to cat, ls, and upload
01:10:45 - Script finished, uploading reGeorg to create a proxy onto the box to bypass FW
01:16:20 - Using WinRM to access low privilege shell as Simple User
01:25:08 - Exploring /Util/Scripts to find a way to privesc to Hacker
01:30:29 - Exploring GetSystem functionality of meterpreter
01:37:20 - Starting to create program to steal a token from NamedPipe Clients
01:41:00 - Creating XOR Encrypter for payloads in C (There is a bug used &amp; instead of %)
01:48:20 - Using MSFVenom to generate raw payload to XOR then generate in C Format
01:51:38 - Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics
02:03:45 - Found the issue, AND'd the payload instead of XOR'd in encrypt.c
02:08:30 - Creating the NamedPipe portion of code
02:28:30 - Creating the Pipe Impersonation part of the code
02:43:16 - Had some weird errors, adding the ability to enable token privileges
03:01:00 - Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File
03:06:10 - Meterpreter Session Loaded. Unfortunately it grab the impersonation token, more troubleshooting.
03:08:20 - Found the bug that caused us to not pass the token
03:09:45 - Re-Explaining all the code
03:14:57 - Meterpreter loaded, using incognito to grab our impersonation token for HACKER user
03:30:15 - Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed
03:35:50 - Start of looking at UserLogger Service, download it, un-UPX it
03:41:30 - Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)
03:49:40 - UserLogger lets us write binaries as SYSTEM with 777 permissions! Lets chain Diagnostic Hub Exploit
03:52:00 - Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp
04:18:05 - Changing from DEBUG mode to RELEASE mode for compiling. Which fixes it.
04:25:15 - Root.txt is hidden behind alternate data streams.
04:27:39 - ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF</p>
HackTheBox - Sizzle
https://www.youtube.com/watch?v=YVhlfUvsqYc&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=3&t=0
01:04 - Begin of Recon
06:45 - Checking the web interfaces
07:20 - Discovering there is a Certificate Authority
08:50 - Taking a look at LDAP
10:55 - Examining SMB to find shares
12:00 - Searching the Operations and Department Shares
14:50 - Viewing permissions of a SMB Share with SMBCACLS
19:10 - Discovering a writeable share, dropping a SCF File to get a hash
22:04 - Using Hashcat to crack NetNTLMv2
24:40 - Using SMBMap to identify if this user has access to anything extra
25:40 - Discovering the CertSRV Directory
28:00 - Discovering Powershell Remoting
30:00 - Error from WinRM (Need SSL)
31:00 - Using openSSL to generate a private key
31:52 - Going to /CertSRV to sign our certificate as Amanda
34:00 - Adding the SSL Authentication to WinrM
35:15 - Playing with LDAP Again (with the Amanda Creds)
37:50 - Shell on the box with WinRM as Amanda
38:15 - Running SharpHound
40:29 - Applocker is on the box, lets move it in the windows directory
42:00 - Trying to get the bloodhound data off the box.
44:20 - Starting bloodhound
45:27 - File didn't copy lets load up Covenant
49:30 - Covenant is up and running - Create a HTTP Listener
50:30 - Hosting a Launcher
52:30 - Getting a grunt
54:40 - Running SeatBelt
57:00 - Running SharpHound
01:01:18 - Running Bloodhound with all Collection Methods
01:05:15 - Discovering the MRLKY can DCSYNC
01:07:25 - Cannot kerberoast because of the Double Hop Problem, create token with MakeToken
01:12:30 - Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc
01:14:40 - Running WMIExec to get Administrator
01:22:00 - UNINTENDED Method 1: Amanda can write to Clean.bat
01:24:30 - UNINTENDED Method 2: Forensic artifacts leave MRKLY Hash in C:\windows\system32\file.txt</p>
HackTheBox - Bighead
https://www.youtube.com/watch?v=VBt-CmjMYiM&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=4&t=0
00:01:10 - Begin of Nmap
00:04:45 - Pulling important information from the website
00:06:00 - Discovering DNS Names, adding stuff to /etc/hosts
00:18:30 - Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp
00:23:50 - Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)
00:27:00 - Found BigHead Web Server on Github, pulling Zips and cracking
00:36:40 - Before reversing the binary, keep hunting for information about the OS
00:43:40 - Discovering PHPInfo within the PhpMyAdmin directory, has OS.
00:46:00 - Installing Immunity and Mona
00:47:30 - Grabbing MinGW so we can run the Bighead Webserver
00:55:40 - Crashing the webserver, seeing we have
01:00:00 - Sending a pattern to the box and examining the stack to see where our overwrites are
01:06:15 - Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)
01:10:06 - Explanation of EggHunters
01:16:05 - Grabbing the shellcode we want, then adding it to our exploit script
01:24:50 - Validating our exploit is working as we intended by setting a break point on JMP ESP
01:27:00 - Our box complains about DEP, lets disable that on our OS and hope its disabled on target
01:30:00 - Running the exploit against the target and getting a shell back!
01:35:00 - Searching the registry (HKLM) for "password"
01:37:00 - Dumping information about services on the box (HKLM\System\CurrentControlSet\Services)
01:38:15 - Discovery of NGINX password, then looking at ports listening on localhost
01:41:08 - Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel
01:45:10 - SSH into nginx@Bighead over port 2020, land in an extremely restricted shell
01:50:30 - Searching for vulnerable PHP Code, discovering testlink
02:02:55 - Exploiting an LFI Vulnerability
02:07:00 - Using Netcat to get a reverse shell
02:16:10 - Looking at the KeePass Configuration File to see where the KDBX and Key is
02:18:55 - A bunch of pain trying to get data off the Alternate Data Stream.
02:31:30 - Finally got the KDBX back to my box, then crack the KeePass file</p>
HackTheBox - Ethereal
https://www.youtube.com/watch?v=Bhh5yPHjwUY&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=5&t=0
00:50 - Begin of Recon, Downloading FTP and inspecting websites
10:23 - Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP
11:30 - Sending MD5Hashes to VirusTotal to get file age
15:45 - Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager.
21:00 - Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output.
25:45 - Using nslookup to exfil the results of commands executed.
33:15 - Creating Python Script to automate exploitaiton of this program. Using Scapy, BeutifulSoup, and Requests.
55:23 - Script working! Now to make the output a bit more pretty using tokens to sepereate spaces
01:02:00 - Running commands to get interesting information about the page
01:05:20 - Enumerating the Firewall via netsh
01:09:10 - Using OpenSSL to get a reverse shell on windows
01:17:25 - Reverse shell returned.
01:19:40 - Creating a malicious shortcut via powershell
01:22:40 - Using OpenSSL To transfer files
01:28:00 - Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier
01:32:30 - Creating and signing a malicious MSI with WiX.
01:48:15 - First attempt failed, creating a less complicated MSI File by just having it execute our shortcut
01:53:00 - Getting reverse shell as SYSTEM - Cannot read EFS Files
01:55:20 - Having our MSI not run as SYSTEM by changing impersonation in WiX
01:58:30 - Shell as Rupal returned.</p>
HackTheBox - Fighter
https://www.youtube.com/watch?v=CW4mI5BkP9E&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=6&t=0
00:00:55 - Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb.
00:02:53 - Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp
00:08:45 - Begin poking around the members.streetfighterclub.htb page - Find SQL Injection
00:12:00 - Boolean injection to force the query to return "valid login". Play with logins to find it always returns to "Service not available"
00:14:25 - Testing Union Injections for easy exfil of data
00:15:50 - Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output.
00:19:30 - Some valuable recon/information in debugging our SQL queries. Noticing small things really helps.
00:34:40 - Start of making a program to give us a command shell.
01:09:40 - Explaining the program we just created. Then fix a small bug.
01:12:45 - Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not
01:17:10 - Return of 32-bit PowerShell... Identifying we can append data to c:\users\decoder\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran.
01:32:40 - Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 64-bit Shell as Decoder returned!
01:35:30 - Exploiting Capcom Driver to gain root shell, this post is super helpful: <a class="yt-uix-sessionlink" data-sessionlink="itct=CDoQ6TgYACITCIL5pKSqmOcCFcHK1QodC78DYUjR_5CDucSJtwk" data-target-new-window="True" data-url="/redirect?redir_token=O35kGE6gG98zlOWp5O0IogZvkTF8MTU3OTgyMTA4MUAxNTc5NzM0Njgx&amp;q=http%3A%2F%2Fwww.fuzzysecurity.com%2Ftutorials%2F28.html&amp;v=CW4mI5BkP9E&amp;event=video_description" href="/redirect?redir_token=O35kGE6gG98zlOWp5O0IogZvkTF8MTU3OTgyMTA4MUAxNTc5NzM0Njgx&amp;q=http%3A%2F%2Fwww.fuzzysecurity.com%2Ftutorials%2F28.html&amp;v=CW4mI5BkP9E&amp;event=video_description" rel="nofollow noopener" target="_blank">http://www.fuzzysecurity.com/tutorial...
01:42:18 - Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it.
01:47:25 - Looking at the binaries in Ida64 Free
01:51:14 - Explaining what's happening and then writing a script to bypass the password check.
01:55:35 - Start of unintended way (Juicy Potato)
01:58:10 - Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato
02:06:10 - Start of modifying JuicyPotato to accept uppercase arguments.
02:10:14 - Finding a vulnerable CLSID to get JuicyPotato working
02:28:25 - Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check.</p>
HackTheBox - Rabbit
https://www.youtube.com/watch?v=5nnJq_IWJog&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=7&t=0
01:40 - Begin of Recon (nmap, setting hostname, dns, nmap, ipv6)
05:45 - Checking websites (80,443,8080)
08:10 - Attempting to enumerate users of OWA-2010 (Fails)
14:10 - Checking out Joomla Version (/administrator/manifets/files/joomla.xml)
15:50 - Using SearchSploit with (Complain Management System)
19:38 - Register Account, Login, Verify/Play with SQL Union Injection
23:30 - Enumerating SQL Injection with SQLMap
29:18 - Going back to MSF/OWA_LOGIN and testing credentials.
32:15 - Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed
36:20 - Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw)
40:18 - Compiling Merlin (like MSF/Empire)
48:40 - Sending the email and waiting.
50:20 - Merlin call back, Switch to Powershell Nishang to get a interactive shell
54:30 - Running PowerUp to find we are an Administrator
56:56 - Running JAWS to do some more Windows Enumeration
01:03:04 - Found an odd scheduled task "System Maintenance"
01:06:03 - Attempting to write a php shell to HTTPD
01:12:30 - Frusterated creating a PHP Script... Switch to the SCHTask Privesc
01:18:20 - Uhh. Testing if echo is somehow breaking .bat/.php files
01:21:50 - Going back to test PHP to verify it just didn't like echo.
HackTheBox - Minion
https://www.youtube.com/watch?v=IbVmpr6IFQU&list=PLidcsTyj9JXJSn8KxSr_-9eKEwxJJtf_x&index=8&t=0
00:40 - Begin of Recon
04:00 - Start of GoBuster
05:40 - Finding a SSRF
09:00 - Passing arguments to cmd.aspx via SSRF
12:05 - Firewall Enumeration
16:35 - Begin of setting up ICMP Reverse Shell
22:25 - Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)
46:31 - Return of ICMP Rev Shell
52:20 - PrivEsc form IIS to Decoder
01:11:15 - Unzipping via Powershell
01:14:05 - Finding Administrator password hidden in NTFS File Stream
01:16:30 - Using Net Use to mount C: As Administrator
01:19:30 - Using IDA to analyze root.exe and grab the flag (Misses last character of hash)
01:24:15 - Using Invoke Command to execute root.exe as admin (Lots of Fail)
01:32:52 - Opening up the Firewall then just using RDP to gain access</p>
HackTheBox - Helpline
https://www.youtube.com/watch?v=Vs3oSDlzxwA&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=2&t=0
00:35 - Begin of Recon
01:42 - Checking the ManageEngine Page
02:23 - Running Searchsploit to see potential exploits
03:40 - Enumerating valid usernames via AjaxDomainServlet
05:40 - Logging in with guest:guest
07:10 - Running the privilege escalation script to get Administrator access
08:00 - Searching for information on this exploit
08:20 - Blog post missing... Searching Archive.org and Google Cache for a mirror
10:00 - Making curl go through burp to step through the exploit in BurpSuite
18:00 - Copying the admin cookies into FireFox
19:25 - Going to Admin then Custom Triggers to execute code on the server
21:50 - Getting a reverse shell via Nishang
22:30 - Using iconv to create UTF-16LE encoded Base64 for use with "-EncodedCommand" option
25:45 - Reverse Shell as System returned, but EFS Protects the flags
26:45 - Finding interesting files with get-childitem -recurse . | select FullName
28:50 - Copying mimikatz over to the box to steal NTLM Hashes
31:00 - Defender blocked us. Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true
32:50 - Using hashes.org to view password of Zachary, checking his groups to see he can view event logs
33:30 - Doing some powershell goodness to search event logs!
40:50 - Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nishang screws with how some commands output to stdout. This could of been a lot cleaner.
43:00 - Using Mimikatz to decrypt the EFS Protected file with Tolu's password
57:25 - Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace
01:00:20 - admin-pass is the output of SecureString, lets decrypt it to get the admin password
01:02:20 - Using Invoke-Command with the credential object created to execute commands as administrator
01:03:50 - Cannot read root.txt because of "Double Hop Problem" (how PowerShell Authenticates), using CredSSP Authentication to fix this.</p>
HackTheBox - Conceal
https://www.youtube.com/watch?v=1ae64CdwLHE&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=3&t=0
01:15 - Begin of recon
02:54 - Checking SNMP with snmpwalk
03:29 - Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value
04:18 - Getting more SNMP Information with snmp-check
07:35 - Going over UDP Ports discovered by snmp-check
10:55 - Running ike-scan
11:55 - Examining ike-scan results to build a IPSEC Config
13:50 - Installing Strongswan (IPSEC/VPN Program)
14:19 - Adding the PSK Found earlier to /etc/ipsec.secrets
15:30 - Begin configuring /etc/ipsec.conf
20:08 - Starting and debugging ipsec
21:55 - Explaining why we add TCP to strongswan config
24:00 - Starting IPSEC, then using NMAP through IPSEC.
25:55 - Enumerating SMB Quickly (SMBMap/cme)
26:50 - Enumerating FTP, discovering we can upload files
27:20 - Checking HTTP, hunting for our uploaded file. Then uploading files that may lead to code execution
29:44 - Grabbing an ASP Webshell from Github/tennc/webshell
32:08 - Webshell has been uploaded
32:30 - Explaining a weird MTU Issue you *may* run into due to the nested VPN's
35:40 - Back to playing with the web shell, getting a reverse shell with Nishang
38:03 - Explaining RLWRAP
38:40 - whoami /all shows SEImpersonation, so we run JuicyPotato to privesc
44:35 - JuicyPotato fails with the default CLSID, changing it up to get it working.
46:30 - Doing the box again with Windows
47:15 - Setting up the IPSEC Connection through Windows Firewall
50:00 - Installing a DotNet C2 (The Covenant)
54:20 - Covenant/Elite open, starting a Listener then a Powershell Launcher
01:00:10 - Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it
01:05:00 - Grabbing the Sandbox Escaper ALPC Privesc
01:08:03 - Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows
01:25:35 - Box is reverted, trying the ALPC Exploit again</p>
HackTheBox - Reel
https://www.youtube.com/watch?v=ob9SgtFm6_g&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=4&t=0
00:42 - Begin of Nmap
04:23 - Examining the anonymous FTP Directory and discovering email addresses in Meta Data
06:50 - Manually enumerating valid email addresses via SMTP
10:50 - Creating a "Canary Document" in Word to ping back to our server when a word document is opened
13:14 - Generating a malicious RTF Document (CVE-2017-0199)
26:28 - Shell Returned. Enumerating the AppLocker Policy
32:53 - Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH
35:22 - Lets forget we had Tom and run Bloodhound from Nico!
40:30 - First time opening BloodHound on this box.
49:45 - Lets update Bloodhound, looks like some data is missing and there were errors when running it
53:25 - Finding a path from Nico to BACKUP_ADMINS and explaining AD Security Objects (GenericWrite, WriteOwner,etc)
58:23 - Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound
01:01:40 - Adding Herman to the Backup_Admins group
01:04:30 - Finding the Administrator Password within backup scripts.
01:07:00 - Attempting to run Watson (ends up not working)
01:23:22 - Using Metasploit to do the box
01:25:42 - Since Watson failed, lets just look at last patch times on the box to get an idea whats vulnerable.
01:27:19 - Attempting to do the ALPC Exploit within Metasploit
01:31:00 - That failed - Lets just prove the box is vulnerable, by overwriting a DLL</p>
HackTheBox - DropZone
https://www.youtube.com/watch?v=QzP5nUEhZeg&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=5&t=0
01:00 - Start of Recon
02:15 - TFTP Enumeration - Identifying configuration and OS information
06:32 - Finding a path to code execution
07:17 - Examining PSExec Metasploit Module
08:55 - Using irb within metasploit to print a powershell payload
12:30 - Examining PsExec()
15:40 - Examining native_upload
18:10 - Examining mof_upload
20:34 - Using irb within metasploit to print the MOF File
22:35 - Quick explanation of MOF Files
25:05 - Modifying the MOF to run NetCat
27:30 - Uploading nc to the target
28:50 - Uploading the malicious MOF File and getting a shell!
29:50 - Using Streams to view Hidden text within ADS
33:08 - Start of Bonus Content, finging a TFTP Exploit that uses MOF
35:05 - Attempting to use distrinct_ftp_traversal against DropZone
36:30 - Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules
40:50 - Testing out pry.byebug
42:30 - Finding why the exploit module didn't work
44:50 - Module still doesn't work, TFTP Stopping mid transfer
49:30 - Whoops, changed the delay on the wrong timeout
51:00 - Meterpreter Shell returned, showing off the extended API and some WMI Commands.</p>
HackTheBox - Tally
https://www.youtube.com/watch?v=l-wzBhc9wFc&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=6&t=0
01:45 - Start of NMAP
04:17 - Begin of Sharepoint/GoBuster (Special Sharepoint List)
06:32 - Manually browsing to Sitecontent (Get FTP Creds)
10:18 - Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it.
18:22 - Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24 - Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell
34:35 - Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00 - Begin of RottenPotato without MSF (Decoder's Lonely Potato)
45:56 - Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato
58:00 - Lonely Potato Running to return a Admin Shell
01:04:22 - Finding CVE-2017-0213
01:08:33 - Installing Visual Studio 2015 &amp;&amp; Compiling the exploit
01:15:50 - Exploit Compiled, trying to get it to work....
01:18:11 - Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
01:28:37 - Found the issue, exploit seems to require interactive process
01:30:00 - Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user</p>
HackTheBox - Mantis
https://www.youtube.com/watch?v=VVZZgqIyD0Q&list=PLidcsTyj9JXK2sdXaK5He4-Z8G0Ra-4u2&index=7&t=0
01:20 - Start of nmap
03:22 - Poking at a rabbit hole (8080)
08:08 - GoBuster to find hidden directory
09:50 - Finding SQL Creds in hidden directory
13:40 - Using dbeaver to enumerate database
16:50 - Impacket-PSExec to Admin
19:00 - Proving James is not an Admin
20:35 - Using MSF to Enable Remote Desktop to do Incident Response
27:00 - Start of Remote Desktop Looking at Event Log + Active Directory
31:00 - Installing Sysmon to get better logs
36:15 - Looking at Sysmon Logs
42:20 - Proving the PrivEsc was due to Impacket-PSExec not cleaning up
48:00 - Using Forensics to get Service Creation Date
53:30 - Finding a HTB User creating a Git Issue to Impacket (LOL)
55:10 - Intended Route - Forging a Kerberos Ticket MS14-068
HackTheBox - Bastard
https://www.youtube.com/watch?v=lP-E5vmZNC0&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=10&t=0
HackTheBox - Arkham
https://www.youtube.com/watch?v=krC5j1Ab44I&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=2&t=0
00:55 - Begin of Recon
02:20 - Checking the WebPages
03:50 - Examining /userSubscribe.faces, to discover potential deserialization
05:00 - Exploring javax.faces.ViewState
05:50 - Googling around to see what an unencrypted serialized object should look like
07:15 - Checking out SMB to discover an openshare
09:00 - Downloading appserver.zip from batshare via smbclient
11:00 - Cracking a luks encrypted file with dd and hashcat
14:00 - Luks cracked, mounting the disk with luksOpen
16:20 - Discovery of the secret used to encrypt the java object
18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings
23:10 - Script completed, lets test the decryption!
24:15 - Downloading ysoserial to create a deserialization CommonCollections gadget
26:00 - Creating a python script to exploit the deserialization vuln
31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work)
33:00 - Modifying the script to run commands other than what ySoSerial provided
41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work)
42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)
45:00 - Downloading netcat to upload to the box
46:00 - Netcat returned a powershell reverse shell
47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file
50:00 - Using evolution to view mbox file and find Batman's password
52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas)
55:40 - Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC
58:10 - Unintended: Using net use to mount c$ and view the flag
59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member
01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter
01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell
01:06:00 - copying the DLL into c:\users\batman\appdata\local\microsoft\windowsapps
01:08:30 - Using GreatSCT to generate payloads
01:11:50 - Getting a Meterpreter Session then migrating into an interactive process
01:17:45 - Running SystemPropertiesAdvanced.exe, which elevates and executes our dll</p>
HackTheBox - Querier
https://www.youtube.com/watch?v=d7ACjty4m7U&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=3&t=0
00:50 - Begin of Reocn
03:30 - Using SMBMap to enumerate fileshares
05:45 - Discovering an Excel Macro File
09:25 - Using olevba to extract macro from the document to discover credentials
11:15 - Using MSSQLClient.py from Impacket to log into the SQL Server
12:15 - Doing the SQL CMD:XP_DIRTREE to read a file off a UNC Share to steal the hash with Responder
13:15 - Cracking the NetNTLMv2 Hash
14:11 - Explaining the Responder Database file to view previously captured hashes
16:30 - Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands
17:50 - Getting a Nishang Reverse Shell
22:00 - Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object
26:30 - Going back to the password disclosed via Group Policy and discovering they are an administrator
28:00 - Explaining how the PowerUp module decrypted a password out of Group Policy
29:10 - Getting VIM to highlight the syntax of Powershell
34:50 - Rooting the box with Invoke-ServiceAbuse</p>
HackTheBox - Giddy
https://www.youtube.com/watch?v=J2unwbMQvUo&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=4&t=0
01:00 - Begin of intro
02:17 - Examining port 80 and 443
03:15 - Using gobuster to discover directories
04:20 - /remote discovered, nothing to do here
05:25 - /mvc discovered
06:15 - SQL Injection everywhere
09:15 - Attempt to perform union injection on search
10:15 - Having trouble, send to SQLMap look at other places in the applicaiton
12:20 - SQLMap having trouble with search SQL, change to ITEM
16:50 - Attempting XP_CMDSHELL (Fails)
19:50 - Using XP_DIRTREE to read files off SMBShare
23:30 - Use Responder to steal the authentication attempt of XP_DIRTREE
25:00 - Cracking the NetNTLMv2 Hash
26:00 - Logging into /remote with cracked credentials
26:40 - Discovering unifi video is installed, this has a known privesc
29:30 - Attempting to use Meterpreter. (Fail: AV)
32:15 - Grabbing and compiling a DotNet Reverse Shell
35:15 - Actually compiling the reverse shell
38:58 - Using xcopy to copy our reverse shell to the victim
39:00 - Attempting to find Unifi Service name so we can restart it. End up searching registry due to permission issues.
42:10 - Restarting Unifi Service so it executes TaskKill.exe
44:25 - Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows
45:50 - Escaping powershell constrained mode with PSBypassCLM
HackTheBox - SecNotes
https://www.youtube.com/watch?v=PJXb2pK8K84&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=5&t=0
01:05 - Begin of recon
02:45 - Checking out the website
03:50 - Using wfuzz to enumerate usernames
05:45 - Logging in with an account we created
07:23 - Checking out Change Password and noticing it does this poorly
09:25 - Using the contact form, to see if tyler will follow links
14:14 - Changing Tyler's password by sending him to the ChangePassword Page
15:00 - Logged in and find SMB Share with credentials.
16:15 - Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver.
17:48 - Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution
19:15 - Downloading netcat for windows to use as a Reverse Shell
21:14 - Playing with Bash on Windows
22:35 - Finding the administrator password in ~/.bash_history
23:45 - Alternate way to find the .bash_history file
25:36 - Unintended way to bypass the CSRF. SQL Injection + bad Static Code analysis
HackTheBox - Silo
https://www.youtube.com/watch?v=2c7SzNo9uoA&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=6&t=0
01:30 - Begin of recon
03:15 - Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)
08:45 - Bruteforcing the SID with ODAT
10:15 - Holy crap, this is slow lets also do it with Metasploit
13:00 - Bruteforcing valid logins with ODAT
16:00 - Credentials returned, logging into Oracle with SQLPlus as SysDBA
19:00 - Reading files from disk via Oracle
23:20 - Writing files to disk from Oracle. Testing it in WebRoot Directory
25:52 - File Written, lets write an ASPX WebShell to the Server
29:10 - WebShell Working! Lets get a Reverse Shell
31:28 - Reverse Shell Returned
32:24 - Finding a DropBox link, but password doesn't display well.
33:55 - Attempting to copy file via SMB to view UTF8 Text
35:18 - That didn't work, lets transfer the file by encoding it in Base64.
36:55 - Got the password lets download the dump!
39:10 - Begin of Volatility
45:20 - Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!
47:35 - Begin of unintended way, examining odat and uploading an meterpreter exe
50:30 - Using odat externaltable to execute meterpreter and get a system shell!
52:20 - Examining odat verbosity flag to see what commands it runs and try to learn.</p>
HackTheBox - Bart
https://www.youtube.com/watch?v=Cz6vQvGGiuc&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=7&t=0
01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster
05:20 - Explanation of Virtual Host Routing
09:50 - Developers name exposed in HTML Source, also discover /monitor
11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und
16:33 - Discover of Internal-01.bart.htb
19:17 - Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)
29:34 - Finally got Hydra to return the password!
32:20 - Log Poisoning + LFI = Remote Code Execution
37:30 - Return of Reverse Shell
41:30 - Why you should check if you're a 32-bit process on a 64-bit machine
48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs
56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
01:03:40 - ARGH! Lets try to use this account via Empire
01:11:00 - Bring out the big guns, it's Metasploit Time!
01:18:10 - Alright, lets poke a hole in the firewall and connect over SMB!
01:21:17 - Failed to PSExec in MSF
01:21:40 - Found Impacket-PSExec! And it works!
01:23:45 - Lets go hunt for creds!
01:35:23 - Cracking Salted Hashes with Hashcat (Sha265.Salt)</p>
HackTheBox - Chatterbox
https://www.youtube.com/watch?v=_dRrvJNdP-s&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=8&t=0
01:18 - Begin of Recon
04:55 - Start of aChat buffer Overflow: Finding the exploit script with Searchsploit
07:24 - Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom
09:42 - Correction: Payload Size wrong, should be 3,xxx -- look at "Payload Size" I accidentally highlighted the size of the python file.
14:30 - Whoops, erased too much out of POC. Lets correctly replace the shellcode this time and get a shell.
17:50 - Running PowerUp to find AutoLogon Credentials
20:05 - Running Code as Administrator
24:18 - First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work.
27:30 - Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify
33:12 - Summary of the box
34:37 - Doing the box with Metasaploit, Warning: Lots of fails.
43:10 - Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445
51:25 - Doing the box with Empire !
58:20 - Using Empire's Run_As module to execute commands as Administrator</p>
HackTheBox - Jeeves
https://www.youtube.com/watch?v=EKGBskG8APc&list=PLidcsTyj9JXI9E9dT1jgXxvTOi7Pq_2c5&index=9&t=0
01:19 - Begin of Enumeration
04:15 - Avoiding the Rabbit Hole on port 80 (IIS)
06:00 - Begin of Jenkins
09:00 - Using Jenkins Script Console (Groovy) to gain code execution
12:00 - Reverse TCP Shell via Nishang
17:00 - Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens)
22:20 - Powersploit's Invoke-AllChecks completes
24:20 - Finding Keepass Database using Impack-SMBServer to transfer files
27:00 - Cracking the KeePass Database
30:20 - Using KeePass2 to open database
34:25 - PassTheHash via pth-winexe to gain administrator shell
35:20 - Grabbing root.txt that is hidden via Alternate Data Streams (ADS)
39:00 - Using RottenPotato to escalate to root via MSF
41:00 - Using Unicorn to gain a reverse MSF SHell
45:20 - Performing the attack
48:00 - Impersonating Token to gain root
HackTheBox - Pivoting Update: Granny and Grandpa
https://www.youtube.com/watch?v=HQkDL-xh7es&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=10&t=0
HackTheBox - Granny and Grandpa
https://www.youtube.com/watch?v=ZfPVGJGkORQ&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=11&t=0
1:50 - Nmap Results (Discovery of WebDav)
4:35 - DavTest
6:22 - HTTP PUT Upload Files
7:00 - MSFVenom Generate aspx payload
13:00 - User Shell Returned
16:23 - Get Admin Shell (ms14-070)
17:14 - Beginning of Pivot Fail. Socks Proxy
29:35 - Shell on Grandpa (CVE-2017-7269)
32:45 - Using portfwd to access ports not exposed to routable interfaces
34:45 - Cracking LM Hash Explanation
38:30 - Cracking LM Hashes via Hashcat
41:30 - Grandpa acts cranky. Revert.
42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (<a href="#" onclick="yt.www.watch.player.seekTo(45*60+20);return false
45:50 - Using Hashcat to crack NTLM using LM Hashes
48:50 - Finally log into SMB using the portfwd from <a href="#" onclick="yt.www.watch.player.seekTo(32*60+45);return false
49:07 - Random pivot attempt failure.</p>
HackTheBox - Granny and Grandpa
https://www.youtube.com/watch?v=ZfPVGJGkORQ&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=12&t=0
1:50 - Nmap Results (Discovery of WebDav)
4:35 - DavTest
6:22 - HTTP PUT Upload Files
7:00 - MSFVenom Generate aspx payload
13:00 - User Shell Returned
16:23 - Get Admin Shell (ms14-070)
17:14 - Beginning of Pivot Fail. Socks Proxy
29:35 - Shell on Grandpa (CVE-2017-7269)
32:45 - Using portfwd to access ports not exposed to routable interfaces
34:45 - Cracking LM Hash Explanation
38:30 - Cracking LM Hashes via Hashcat
41:30 - Grandpa acts cranky. Revert.
42:30 - Expected behavior when exploiting via CVE-2017-7269. None of that auto system weirdness (<a href="#" onclick="yt.www.watch.player.seekTo(45*60+20);return false
45:50 - Using Hashcat to crack NTLM using LM Hashes
48:50 - Finally log into SMB using the portfwd from <a href="#" onclick="yt.www.watch.player.seekTo(32*60+45);return false
49:07 - Random pivot attempt failure.</p>
HackTheBox - Devel
https://www.youtube.com/watch?v=2LNyAbroZUk&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=13&t=0
01:02 - Going over NMAP
02:00 - Anonymous FTP + File Upload
04:30 - MSFVenom
07:20 - Metasploit
10:00 - Exploit Suggestor
11:30 - Getting Root</p>
HackTheBox - Arctic
https://www.youtube.com/watch?v=e9lVyFH7-4o&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=14&t=0
00:00 - Intro
00:12 - Enumerate with nmap
00:40 - Going to the webpage
01:50 - Using SearchSploit to find ColdFusion Exploits
02:40 - Attempt to exploit through MSF. Debug why it failed.
03:50 - Setting up a Burp Redirect listener
04:55 - Examining request send by MSF Exploit
06:35 - Getting a reverse shell
07:50 - Using Unicorn to create a Powershell Meterpreter Loa
11:35 - Reverseshell returned
12:10 - Using the MSF post module local_exploit_suggestor
15:29 - Privesc via MS10-092</p>
HackTheBox - Bastion
https://www.youtube.com/watch?v=2j3FNp5pjQ4&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=2&t=0
01:33 - Begin of recon
02:30 - Using SMBClient to view open shares, discover /Backups
03:00 - Mount the SMB Share
03:40 - Playing with SMBMap which is a bit more automated but write files!
05:22 - Checking out files in the /Backups share
06:30 - Using 7zip to view files in a VHD file
07:50 - Installing libguestfs-tools in order to use guestmount
09:25 - Mounting the VHD with guestmount
11:00 - Extracting local passwords from SAM and SYSTEM with secretsdump
13:30 - Cracking the hash and then using SSH to login to the box
14:30 - Viewing local adminstrators and seeing administrators is not actually disabled (backup indicated it was)
16:30 - Running JAWS
19:30 - Discovering mRemoteNG installed
20:30 - Looks like there is a way to decrypt passwords stored in mRemoteNG
21:40 - Installing mRemoteNG-Decrypt then decrypting the passwords in the config
24:30 - Using PSEXEC or SSH to remote in as administrator</p>
HackTheBox - Netmon
https://www.youtube.com/watch?v=ZxvgniJXbOo&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=3&t=0
01:00 - Begin of Recon
03:50 - Searching for good files to view via FTP
09:00 - Nothing really found, searching for where PRTG creation file is
14:34 - Backup configuration found!
16:20 - Logging in by incrementing the password from 2018 to 2019
17:55 - Searching for CVE's
19:45 - Searching for where to send notification emails like CVE Said
20:30 - Testing for Command Injection via Cmd
22:20 - Testing for Command Injection via Powershell
23:00 - Getting a reverse shell
26:55 - Encoding powershell in Base64 to eliminate potential bad characters
29:10 - Getting a reverse shell</p>
HackTheBox - Access
https://www.youtube.com/watch?v=Rr6Oxrj2IjU&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=4&t=0
00:58 - Begin of recon: ftp, telnet, IIS 7.5
03:00 - Downloading all files off an FTP Server with WGET
05:30 - Examining the "Access Control.zip" file.
06:30 - Cracking a zip file with John
07:45 - Creating a wordlist for cracking the zip (strings of the mdb file)
10:00 - Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)
12:30 - Grabbing the same password we cracked by checking the auth_user table
13:35 - Converting the PST File (Outlook Email) to PlainText via readpst
15:00 - Logging into telnet with the credentials from the email
15:45 - Switching to a Nishang Shell to execute powershell
18:15 - Running JAWS (Just Another Windows Scanner)
23:34 - Discovering Stored Credentials on the box for ACCESS\Administrator
25:11 - Examining the Shortcut on PUBLIC\DESKTOP which shows us how the "Stored Credential" is used.
25:58 - Using powershell to view information of a Shortcut
27:25 - Using the Stored Credential via runas /savecred
30:31 - Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand
31:54 - Box done, Administrator returned.
54:20 )
32:38 - Begin of decrypting the Stored Credential, uploading Mimikatz
33:40 - Using powershell to download files
36:36 - Discovering that I was trying to save mimikatz to a directory i cannot write to :(
37:15 - Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)
38:50 - Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)
41:28 - Getting a Empire Agent running
43:35 - Empire Agent Returned, Injecting meterpreter shellcode.
45:46 - Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds
46:52 - Explaining Mimikatz Arguments when in "non-interactive" mode
54:20 - Grabbing needed files to decrypt DPAPI::CREDS offline
56:09 - Switing to Windows to run Mimikatz
01:02:32 - Decrypting the Creds stored in DPAPI</p>
HackTheBox - Active
https://www.youtube.com/watch?v=jUc1J31DNdw&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=5&t=0
01:10 - Begin of recon
03:00 - Poking at DNS - Nothing really important.
04:00 - Examining what NMAP Scripts are ran.
06:35 - Lets just try out smbclient to list shares available
07:25 - Using SMBMap to show the same thing, a great recon tool!
08:30 - Pillaging the Replication Share with SMBMap
09:20 - Discovering Groups.xml and then decrypting passwords from it
13:10 - Dumping Active Directory users from linux with Impacket GetADUsers
16:28 - Using SMBMap with our user credentials to look for more shares
18:25 - Switching to Windows to run BloodHound against the domain
26:00 - Analyzing BloodHound Output to discover Kerberostable user
27:25 - Performing Kerberoast attack from linux with Impacket GetUsersSPNs
29:00 - Cracking tgs 23 with Hashcat
30:00 - Getting root on the box via PSEXEC</p>
HackTheBox - Jerry
https://www.youtube.com/watch?v=PJeBIey8gc4&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=6&t=0
00:45 - Introduction, nmap
01:30 - Clicking around in Tomcat
02:20 - Playing around with HTTP Authentication
05:45 - Bruteforcing tomcat default creds with Hydra and seclists
08:20 - Sending hydra through a proxy to examine what is happening
12:50 - Logging into tomcat and using msfvenom + metasploit to upload a malicious war file
22:42 - Begin of doing this box without MSF
23:45 - Downloading a cmd jsp shell and making a malicious war file
26:25 - WebShell returned
28:00 - Begin of installing SilentTrinity
30:55 - SilentyTrinity Started, starting listener and generating a payload
33:00 - Pasting the payload into the webshell
34:00 - Debugging SSL Handshake errors
37:00 - Starting SilentTrinity back up, how to use modules
39:10 - Start of Execute-Assembly, compiling Watson
43:10 - Running Watson
43:30 - Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)
HackTheBox - Bounty
https://www.youtube.com/watch?v=7ur4om1K98Y&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=7&t=0
00:38 - Begin of recon
01:48 - Gobuster, using -x aspx to find aspx pages
03:16 - Playing with a file upload form, seeing what can be uploaded
05:15 - Using Burp Intruder to automate checking file extensions
07:00 - Finding a way to execute code from file upload in ASPX (web.config)
10:55 - Executing code via web.config file upload
13:08 - Installing Merlin to be our C2
15:25 - Compiling the Merlin Windows Agent
18:37 - Modifying web.config to upload and execute merlin
21:14 - Merlin Shell returned!
24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 - Getting Admin via Juicy Potato
29:44 - Box completed
30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn
33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters
36:45 - Metasploit Session Returned! Checking local_exploit_suggester
40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 - Getting Admin via MS10-092
42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host <a class="yt-uix-sessionlink" data-sessionlink="itct=CEEQ3NcEIhMI75HjrqqY5wIVkavVCh0ZZwun" data-url="/results?search_query=%23PivotProblems" href="/results?search_query=%23PivotProblems">#PivotProblems
47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed</p>
HackTheBox - Blue
https://www.youtube.com/watch?v=YRsfX6DW10E&list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&index=8&t=0
00:38 - Start of Recon
01:20 - Finding NMAP Scripts (Probably a stupid way)
02:00 - Running Safe Scripts - Not -sC, which is default.
02:52 - Listing NMAP Script Categories (Prob a really stupid way)
03:18 - Really Cool Grep (Only show matching -oP)
04:40 - Nmap Safe Script Output
06:30 - Exploiting MS17-010 with MSF
07:40 - Setting up Dev Branch of Empire
09:07 - Starting a Listener
10:55 - Getting a PowerShell Oneliner to launch payload
12:16 - Invoke-Expression (IEX) to Execute Launcher
13:25 - Interacting with a single agent
13:40 - Using Modules - PowerUp Invoke-AllChecks
14:40 - Fixing weird issue with PS Module
16:15 - Invoke-AllChecks finished
17:15 - Loading PS Modules into Memory
17:40 - Executing funcitons out of above module
18:20 - Why I don't pass to MSF via InjectShellcode
22:45 - How I pass from Empire to MSF (Unicorn + IEX)
25:53 - Just running Powershell CMDs from Empire (Shell)</p>