HackTheBox - Office

Views: 10,756

IppSec

1 day ago

00:00 - Introduction
01:00 - Start of nmap
02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work
06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex)
11:30 - Using Kerbrute to brute-force valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password
16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18
22:30 - Logging into Joomla then getting a shell through editing a template
30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost
42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell
51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document
57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login
1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin

Comments: 21
@jcbenge08 1 month ago
I'm constantly amazed when I watch these videos and think "HOW DOES HE KNOW TO DO THAT?!?" Great stuff!!!
@Securesyntax 1 month ago
I'm watching every video of yours, and they are fantastic! I learn something new every time. Keep up the amazing work!
@BrunoBsso 1 month ago
Excellent as always, impressive. Good job dude!!!!!
@mr-robot8452 28 days ago
Great video! There's another way to pwn the box, but I think it might be not intended. By assigning the SEImpersonatePrivs to the ppotts or even the tstark user using the MySQL UDF payload, you can skip the entire ODT upload/import & DPAPI step. However, the method you used is much more fun and educational!
@xprnmz8263 27 days ago
mind explaining it better? 🙏🏻
@mr-robot8452 23 days ago
@@xprnmz8263 Hi, KZfaq keeps deleting my posts. But google for MySQL UDF payload and look at the Rapid7 post :)
@Giugiu7077 1 month ago
I wish I was half as good as him. You are a pro, keep it up
@Ambassador_Kobi 1 month ago
A new ippsec video nice!
@GokEnsar 1 month ago
Very good video ippsec. Thank you. Do you think making videos for PoCs?
@h8handles 1 month ago
Relaxing this Sunday morning watching my favorite hacker before my first OSCP attempt in a couple hours.
@Yayaisbadatchess 1 month ago
How did it go??
@AUBCodeII 18 days ago
How did it go?
@SOLOxUNS 1 month ago
You best 🎉😂❤
@AUBCodeII 1 month ago
Hey Ipp, do you go hard in the paint?
@eIicit 1 month ago
He clearly does
@entertainment_in_blood 1 month ago
Just Wowww..!
@Marco_Ris 1 month ago
Hey IppSec. Are you really always telling the same about nmap or do you have a script doing it? xD btw is there a reason why you put the flags -sC and -sV separately? I'm doing it with -sCV. Thanks for your videos and take care...
@ippsec 1 month ago
I don't often run nmap with scripts. No real reason to put -sC and -sV separately other than muscle memory and ease of read. Not all arg parsing libs allow for putting multiple args in 1 arg, but all will support it the long way of 1 arg per arg. So it's easier for me to always just use the long way, to avoid keeping track of which programs support what format. It also helps when playing with new tools, as the way you are used to will always just work. I guess my way of thinking is - if all you do is focus on optimizing, you will become excellent at that one thing, but won't become good at many things. I prefer to be good at many things as when I have a problem, I have more skills to lean on.
@Marco_Ris 1 month ago
@@ippsec thanks for your explanation. I will have it in my mind for the next time
@meshelishaool8808 28 days ago
Hi app, Thank you for the video I learned a lot, I was hoping that you put any resources you used in the description so we can read it after watching the video. Again thank you for your hard work