HackTheBox - HackBack
Support me on Patreon: https://patreon.com/ippsec
00:01:30 - Beginning of Recon, discovery of an HTTP API that has a few commands
00:06:00 - Using JQ to parse json output, use NetStat/Proc to find GoPhish
00:15:00 - Logging into GoPhish with default creds admin:gophish, finding DNS Names
00:21:15 - Discovery of Obfuscated JavaScript, Deobfuscating it to find a hidden section
00:33:20 - Using wfuzz to bruteforce the password for webadmin.php
00:37:10 - Finding Code Execution in WebAdmin.php
00:44:00 - Creating a Python Script to give a pseudo shell to cat, ls, and upload
01:10:45 - Script finished, uploading reGeorg to create a proxy onto the box to bypass FW
01:16:20 - Using WinRM to access low privilege shell as Simple User
01:25:08 - Exploring /Util/Scripts to find a way to privesc to Hacker
01:30:29 - Exploring GetSystem functionality of meterpreter
01:37:20 - Starting to create program to steal a token from NamedPipe Clients
01:41:00 - Creating XOR Encrypter for payloads in C (there is a bug: used & instead of ^)
01:48:20 - Using MSFVenom to generate raw payload to XOR then generate in C Format
01:51:38 - Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics
(Testing/Bug Hunting)
02:03:45 - Found the issue, AND'd the payload instead of XOR'd in encrypt.c
02:08:30 - Creating the NamedPipe portion of code
02:28:30 - Creating the Pipe Impersonation part of the code
02:43:16 - Had some weird errors, adding the ability to enable token privileges
(more troubleshooting....)
03:01:00 - Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File
03:06:10 - Meterpreter Session Loaded. Unfortunately it didn't grab the impersonation token, more troubleshooting.
03:08:20 - Found the bug that caused us to not pass the token
03:09:45 - Re-Explaining all the code
03:14:57 - Meterpreter loaded, using incognito to grab our impersonation token for HACKER user
- https://googleprojectzero.blogspot.co...
03:30:15 - Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed
03:35:50 - Start of looking at UserLogger Service, download it, un-UPX it
03:41:30 - Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)
03:49:40 - UserLogger lets us write binaries as SYSTEM with 777 permissions! Let's chain the Diagnostic Hub Exploit
03:52:00 - Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp
(Tons of troubleshooting)
04:18:05 - Changing from DEBUG mode to RELEASE mode for compiling, which fixes it.
04:25:15 - Root.txt is hidden behind alternate data streams.
04:27:39 - ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF