HackTheBox - Office
Рет қаралды 8,498
Күн бұрын00:00 - Introduction
01:00 - Start of nmap
02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work
06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex)
11:30 - Using KerBrute to bruteforce valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password
16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18
22:30 - Logging into Joomla then getting a shell through editing a template
30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost
42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell
51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document
57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login
1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin
@jcbenge08 9 күн бұрын
I'm constantly amazed when I watch these videos and thinking "HOW DOES HE KNOW TO DO THAT?!?" Great stuff!!!
@Securesyntax 9 күн бұрын
I'm watching every video of yours, and they are fantastic! I learn something new every time. Keep up the amazing work!
@BrunoBsso 9 күн бұрын
Excellent as always, impressive. Good job dude!!!!!
@Giugiu7077 8 күн бұрын
I wish I was half as good as him. You are a pro, keep it up
@h8handles 8 күн бұрын
Relaxing this Sunday morning watching my favorite hacker before my first OSCP attempt in a couple hours.
@Yayaisbadatchess 7 күн бұрын
How did it go??
@AUBCodeII 9 күн бұрын
Hey Ipp, do you go hard in the paint?
@eIicit 9 күн бұрын
He clearly does
@Ambassador_Kobi 9 күн бұрын
A new ippsec video nice!
@GokEnsar 9 күн бұрын
Very good video ippsec. Thank you. Do you think making videos for poc ‘s ?
@SOLOxUNS 9 күн бұрын
You bestt 🎉😂❤
@mr-robot8452 5 күн бұрын
Great video! There's another way to pwn the box, but I think it might be not intended. By assigning the SEImpersonatePrivs to the ppotts or even the tstark user using the MySQL UDF payload, you can skip the entire ODT upload/import & DPAPI step. However, the method you used is much more fun and educational!
@xprnmz8263 4 күн бұрын
mind explaining it better? 🙏🏻
@mr-robot8452 10 сағат бұрын
@@xprnmz8263 Hi, KZfaq keeps deleting my posts. But google for MySQL UDF payload and look at the Rapid7 post :)
@entertainment_in_blood 8 күн бұрын
Just Wowww..!
@Marco_Ris 7 күн бұрын
Hey IppSec. Are you really always telling the same about nmap or do you have a script doing it? xD btw is there a reason why you put the flags -sC and -sV separately? I' doing it with -sCV. Thanks for your videos and take care...
@ippsec 7 күн бұрын
I don't often run nmap with scripts. No real reason to put -sC and -sV separately other than muscle memory and ease of read. Not all arg parsing libs allow for putting muiltiple args in 1 arg, but all will support it the long way of 1 arg per arg. So it's easier for me to always just use the long way, to avoid keeping track of which programs support what format. It also helps when playing with new tools, as the way you are used to will always just work. I guess my way of thinking is - if all you do is focus on optimizing, you will become excellent at that one thing, but won't become good at many things. I prefer to be good at many things as when I have a problem, I have more skills to lean on.
@Marco_Ris 7 күн бұрын
@@ippsec thanks for your explanation. I will have it in my mind for the next time
@meshelishaool8808 5 күн бұрын
Hi app, Thank you for the video I learned a lot, I was hoping that you put any resources you used in the description so we can read it after watching the video. Again thank you for your hard work
Low Level Learning
Рет қаралды 582 М.