Hackthebox Complete Tutorial Beginner to advance

Hack The Box 2021

What you’ll learn !

Begin of recon

Start of NMAP

Exploiting lcars plugin

Logging into WP and Getting Reverse Shell

WordPress RevShell Returned

Using Meterpreter to pivot and provide access to MySQL

MySQL Shell Returned

Logging into Joomla and Getting Reverse Shell

Joomla Reverse Shell returned

Getting Reverse Shell on Host OS (port 443)

Shell Returned begin of local privesc recon

Beginning of Binary Exploitation

Start writing exploit script

Cracking the NTLMv2 Hash of k.svensson

Extra Content

Analyzing the PHP SQL Injection Scripts

Viewing what SQLMap does to exploit this

Stepping through Double Query Injection

Writing our own SQL Injection Exploit Script

OWA Discovering the Exchange version based upon login interface

Exploring the custom System Backup Timer Service

NOTE:: DOWNLOAD FILE ACCORDING TO YOUR REQUIREMENTS ALL FILES DOWNLOAD LINK AT THE LAST OF THAT RESPECTED COURSE CONTENTS.

Advanced PHP Deserialization – Phar Files 

▪️00:27​ – Little bit of history about PHP Serialization

 ▪️02:13​ – Why is uploading Phar Files different than normal file upload vulns? 

▪️02:42​ – What are Phar Files? 

▪️03:38​ – Prevention by disabling the phar stream wrapper 

▪️04:00​ – Going over the PHP Upload script created for this video ▪️06:15​ – Reviewing a PHP Script to generate malicious PHAR Files 

▪️07:20​ – Setting our PHP Config to allow PHAR to operate in Read/Write mode 

▪️08:00​ – Showing we can control the beginning bytes of the PHAR File to trick magic byte checks 

▪️08:40​ – Copying the logging class from the intro to deserialization video into our upload script 

▪️09:35​ – Adding the PHP Object/POP Chain to our PHAR Generation Script 

▪️11:30​ – Starting a PHP Webserver so we can upload our image 

▪️12:20​ – Explaining why the existing image upload script, isn’t vulnerable. 

▪️13:00​ – Creating a seperate script which performs the file operation unlink() against user input 

▪️14:45​ – Trying to trigger this vulnerability via Curl (doesn’t work yet, forgot to include our PHP Class) 

▪️16:00​ – Adding the PHP Object to our script 

▪️17:17​ – Begin of adding a phar file to a legitimate image 

▪️19:00​ – Modifying our PHAR File to also be a valid image 

▪️20:12​ – Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file) 

▪️21:50​ – Mentioning PHPGGC which is handy to utilize with this exploit 

▪️22:13​ – Showing how to unregister PHP Stream wrappers to prevent this attack

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – APT

00:00​ – Intro 

01:42​ – Start of nmap and poking at the webserver 

09:45​ – Looking into MSRPC, showing MSF info overflow which is why I had historically ignored it 

14:10​ – Poking at RPC with Impacket’s RPCMap 

18:30​ – Converting a RPC Script to get IPv6 address from Python2 to Python3 

20:15​ – Using nmap to scan the IPv6 Address 

22:30​ – Showing how I would enumerate a Firewall, nothing works here but something I do. 

27:30​ – Finding SMB accepts anonymous users and contains an Active Directory Backup 

32:45​ – Using Impacket’s SecretsDump to extract the NTDS.DIT with password last set, user status, and history 

41:15​ – Using KerBrute to enumerate valid users on the box based upon the AD Backup

49:15​ – Using PyKerbrute to bruteforce Henry.Vinson’s account

1:04:00​ – Using Socat + CrackMapExec to enumerate IPv6 (if i updated CME, it would be able to do IPv6)

1:08:00​ – Using Impacket’s reg.py to query Windows Registry remotely from linux 

1:17:30​ – Using Evil-WINRM to run WinPEAS/Seatbelt and bypass AMSI

1:26:00​ – Some good information talking about LmCompatibilityLevel and NetNTLMv1 

1:29:15​ – Unintended method. Using Defender to make a SMB Request then decrypting the NetNTLM-v1 hash

1:30:50​ – Editing responder to use a pre-set challenge (1122334455667788 used by Crack.SH) 

1:35:30​ – Modifying RoguePotato to allow for IPv6

 1:41:15​ – RoguePotato flagged by defender… Some weird AV Bypass… 

1:48:30​ – Showing the Compiler flags will make RoguePotato undetectable by defender 

1:58:05​ – RoguePotato working, lets start modifying impacket to allow us to stand up an RPC Server 

2:21:03​ – Start debugging our impacket studd with pdb set_trace 

2:30:00​ – Got the NetNTLM v1 hash from Rogue Potato 

2:39:50​ – Cleaning up notes

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Enterprise

01:00​ – Begin of recon

10:00​ – Finding the vulnerable WordPress Plugin

17:50​ – Exploiting lcars plugin

28:30​ – Logging into WP and Getting Reverse Shell 

35:00​ – WordPress RevShell Returned

40:00​ – Using Meterpreter to pivot and provide access to MySQL 

50:00​ – MySQL Shell Returned

52:00​ – Logging into Joomla and Getting Reverse Shell 

57:20​ – Joomla Reverse Shell returned

59:00​ – Getting Reverse Shell on Host OS (port 443) 

1:02:00​ – Shell Returned begin of local privesc recon

1:12:06​ – Beginning of Binary Exploitation 

1:21:00​ – Start writing exploit script 

===== Extra Content ======

1:28:30​ – Analyzing the PHP SQL Injection Scripts 

1:36:30​ – Viewing what SQLMap does to exploit this 

1:40:00​ – Stepping through Double Query Injection 

1:47:20​ – Writing our own SQL Injection Exploit Script

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Laboratory

01:00​ – Start of nmap, looking at SSL Certificates to get a hostname 

02:20​ – Examining the website

04:30​ – Getting git.Laboratory.htb out of the certificate and checking that host 

06:10​ – Registering for a GitLab Account then poking at gitlab

07:20​ – Getting the GitLab Version and finding a Vulnerability 

09:20​ – Creating two issues, so we can perform the LFI 

11:45​ – Using the LFI to extract the application secret then b 

15:55​ – Installing a vulnerable gitlab docker so we can build our serialized payload 

17:00​ – Starting the docker container, then executing bash inside of it 

17:55​ – Changing the docker secret to the one of Laboratory 

18:25​ – Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console 

19:20​ – Creating the serialization payload

22:10​ – Reverse shell as git returned. Discovering we are inside of docker

23:00​ – Running the automated docker script DeepCe

24:50​ – Playing with the gitlab console to turn our user into an admin 

27:00​ – Sorry for the abrupt cut, phone went off and edited that out poorly.

27:15​ – Viewing projects on gitlab as admin to find an SSH Key 

31:20​ – Shell as dexter, running LinPEAS 

34:05​ – SetUID Binary docker-security found, searching for strings then running ltrace 

34:50​ – ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell 

36:50​ – Going over notes

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Laser 

00:00​ – Intro 

01:11​ – Running nmap 

03:20​ – Discovering port 9100, and poking at it with nmap/pret 

05:30​ – Got access to the printer via PRET, dumping print jobs

 07:20​ – Running ENT to see the entropy is 7.99 which means it is probably encrypted… Then doing the same thing in Cyber Chef 

10:50​ – Discovering the encryption algorithm via inspecting variables on the printer. Then dumping the memory of the printer to get the AES Key and trying to decrypt in Cyber Chef 

12:50​ – Cutting up the Print Job with DD to extract the IV/Encrypted payload out of the print job. 

18:58​ – CyberChef decrypted our AES! Reading the PDF 

23:46​ – Creating the Protobuf object and converting to python

27:20​ – Interacting with Port 9000 with our protobuf payload 

31:10​ – Attempting to Pickle a deserialization payload, to see its disabled

34:30​ – Taking the example JSON Data and sending it to port 9000 and finding a SSRF Vulnerability! 

41:00​ – Using SSRF to scan ports on localhost and discovering SOLR 

54:00​ – Forcing the SSRF to send an HTTPS Post Request via GOPHER 

58:00​ – Sending the SOLR Post Payload

01:07:30​ – Creating the second payload for SOLR

01:19:50​ – Verifying our payloads doing some JSON Validation 

1:31:50​ – Finally fixed our payload! Darn URL Encoding issues.

1:35:50​ – Reverse shell returned, doing some basic enumeration and seeing SSHPass

1:43:10​ – Using PSPY to monitor processes and catching SSHPASS before it can rewrite its commandline 

1:48:00​ – Gaining root on the Docker Container, disabling SSH, and bending the port back at the host and gaining code execution

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Node

00:45​ – Begin of NMAP 

03:00​ – GoBuster (Fails) 

08:15​ – Screw GoBuster, BurpSpider FTW 

09:12​ – Examing Routes File to find more pages 

10:10​ – Finding Credentials and downlo huading backup 

14:45​ – Cracking the zip with fcrackzip 

16:45​ – Finding more credentials (SSH) within MongoSource 

21:50​ – Privesc to Tom User 

35:04​ – Analyzing Backup Binary File

36:49​ – Using strace to find binary password 

40:25​ – Finding blacklisted characters/words 

50:00​ – Unintended method one, abusing CWD 

52:20​ – Unintended method two, wildcards to bypass blacklist 

54:45​ – Unintended method three, command injection via new line

59:15​ – Intended root Buffer Overflow ASLR Brute Force

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – October Low 

Priv: Default Account + File Upload PrivEsc: Return to LibC + ASLR Bruteforce

00:45​ – Pulling up Web Page. 

01:10​ – Searchable 

02:40​ – Enumerating Version (Download Versions, Hash Static Files) 

08:20​ – Default cred /backend — Upload Shell 

09:41​ – User Reverse Shell 

12:10​ – Transfering file over nc 

14:45​ – Begin “fuzzing” Binary

16:15​ – GDB Analysis

18:46​ – Get a full reverse shell with tab autocomplete. 

19:00​ – Showing ASLR changing address

20:20​ – Disable ASLR on Exploit Dev Machine

21:15​ – Start of exploit development for ovrflw binary (Pattner_Create) 

27:27​ – Start of Return to LibC attack – Getting Addresses 

37:20​ – Grabbing memory locations off October Machine 

41:00​ – Convert script to Bruteforce ASLR

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Reel2.mp4

00:00​ – Intro

01:10​ – Start of NMAP 

04:20​ – Gobuster using a case insensitive wordlist because windows 

08:50​ – Checking out the application on port 8080, wallstant

10:30​ – OWA Discovering the Exchange version based upon login interface 

12:00​ – OWA How the “User Enumeration” of Exchange may work… It’s time based 

14:20​ – Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT

19:00​ – Using Wallstant to build a username list to perform password spray

24:15​ – Using Username Anarchy to take our list of names and build a wordlist of usernames 

32:00​ – For some reason when using Metasploit’s OWA Password Spray, OWA_2010 is broken… but settiing it to OWA_2013 works. 

34:30​ – Showing SprayingToolkit to bruteforce OWA without metasploit 

39:10​ – Sending an email address to all users and seeing if anyone clicks the link 

41:40​ – Using Responder to attempt to force the user’s computer to give up an NTLMv2 Hash over HTTP 

47:00​ – Cracking the NTLMv2 Hash of k.svensson 

49:50​ – Failing to use Evil-WinRM to access the box, switching to powershell on linux 

54:10​ – Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out we are in constrainedlanguage mode 

56:20​ – Breaking out of ConstrainedLanguage Mode by creating a function 

1:00:00​ – Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files

1:04:20​ – Finding a link to StickyNotes on the desktop

1:06:50​ – Doing a hex dump of the stickynote log to see there is a password written 

1:08:30​ – Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA 

1:11:50​ – Using an LFI Vulnerability in the function JEA can do in order to access any file 

1:13:30​ – Using the LFI to get root.txt

1:14:30​ – Box is done.. Trying to dump the proces and flailing, never get it working but figured people may still enjoy it.

How to open video tutorial can be found here :- https://youtu.be/kEBqA1Xq2ak

HackTheBox – Time

00:00​ – Intro

01:00​ – Start of nmap 

03:30​ – Poking at the website 

04:20​ – Finding a way to generate error messages

06:45​ – Researching the error message 

08:50​ – Throwing a random exploit from the internet and getting a new error

11:40​ – Trying another exploit but this one will make a HTTP Request back to our server

14:00​ – Testing RCE with this exploit with a simple ping 

15:50​ – RCE Confirmed switching to a reverse shell 

18:04​ – Running LinPEAS 

22:40​ – Exploring the custom System Backup Timer Service 

25:30​ – Editing the Timer Backup Shell Script to get Root 

26:25​ – Extra Content – Explaining some forensics with time stamps 

29:20​ – Writing a quick script to search our path for files with full time stamps 

31:25​ – Cleaning up our notes.

HOW TO OPEN VIDEO TUTORIAL CAN BE FOUND HERE :- https://youtu.be/kEBqA1Xq2ak

* THIS COURSE IS JUST FOR EDUCATIONAL PURPOSES I OR THIS COURSE’S OWNER ISN’T RESPONSIBLE FOR ANY OF YOUR DEEDS *