HackTheBox - Bounty


00:38 - Begin of recon
01:48 - Gobuster, using -x aspx to find aspx pages
03:16 - Playing with a file upload form, seeing what can be uploaded
05:15 - Using Burp Intruder to automate checking file extensions
07:00 - Finding a way to execute code from file upload in ASPX (web.config)
10:55 - Executing code via web.config file upload
13:08 - Installing Merlin to be our C2
15:25 - Compiling the Merlin Windows Agent
18:37 - Modifying web.config to upload and execute merlin
21:14 - Merlin Shell returned!
24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 - Getting Admin via Juicy Potato
29:44 - Box completed
30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn
33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters
36:45 - Metasploit Session Returned! Checking local_exploit_suggester
40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 - Getting Admin via MS10-092
42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, but good learning experience)
47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed

HackTheBox - Bounty HackTheBox - Bounty Reviewed by Anonymous on October 27, 2018 Rating: 5