HackTheBox - Zetta
00:57 - Begin of NMAP, then examining FTP to see the banner leak time and IPv6 compatibility.
05:10 - Running GoBuster so we always have recon running in the background
05:38 - Examining the Web Page to see it has some usernames and FTP Creds
07:40 - Logging into FTP and testing basic things like downloading/uploading files
08:45 - Ran out of things to test. Run NMAP on all ports, then look into things we don't know.
09:20 - Explaining what FXP is and what an FTP Bounce Attack is
13:00 - Performing the FTP Bounce Attack to get the IPv6 Address, then doing a nmap on the ipv6 address
16:20 - Identifying what port 8730 is (RSYNC) using both NMAP and NETCAT
18:45 - Downloading /etc via rsync, then explaining a bunch of configurations on the box
22:30 - Identifying there is an RSYNCD.SECRETS via the RSYNCD.CONF file. Cannot download but can identify filesize which will tell us the number of characters the password is.
26:50 - Extracting all 8/9 character words out of RockYou.txt then using bash to script a rsync bruteforce (end of video we code a better brute force)
32:00 - Got Roy's password (computer),then downloading his directory to get user.txt. After that upload an SSH Key
39:48 - SSH into the box as roy with the key, then failing to run lynis before running LinPEAS
48:08 - Using find to list files edited around the time User.txt was created (newermt) to identify git repo's under RSYSLOG and FTP
52:05 - Examining git repo in RSYSLOG to identify it sends syslog to POSTGRES and is SQL Injectable
57:10 - Performing the SQL Injection with logger, but before that tailing the postgres log for some output
59:50 - Running commands on Postgres 9.3 via PROGRAM command. Get into trouble with quotes, find postgres has a third quote option which is $$
01:13:57 - EXTRA CONTENT: Building a threaded RSYNC Bruteforcer
01:14:20 - Script 1: Figuring out how RSYNC Authentication works, its a Challenge/Response.
01:22:44 - Script 1: Downloading the RSYNC Source and searching how it creates the hash
01:32:40 - Script 1: Adding SOCKET Support so we can connect to the RSYNC Server
01:45:40 - Script 2: Python3 Threading example
01:50:45 - Script 3: Combining the Threaded example with our RSYNC Auth to get a good bruteforcer!00:57 - Begin of NMAP, then examining FTP to see the banner leak time and IPv6 compatibility.
05:10 - Running GoBuster so we always have recon running in the background
05:38 - Examining the Web Page to see it has some usernames and FTP Creds
07:40 - Logging into FTP and testing basic things like downloading/uploading files
08:45 - Ran out of things to test. Run NMAP on all ports, then look into things we don't know.
09:20 - Explaining what FXP is and what an FTP Bounce Attack is
13:00 - Performing the FTP Bounce Attack to get the IPv6 Address, then doing a nmap on the ipv6 address
16:20 - Identifying what port 8730 is (RSYNC) using both NMAP and NETCAT
18:45 - Downloading /etc via rsync, then explaining a bunch of configurations on the box
22:30 - Identifying there is an RSYNCD.SECRETS via the RSYNCD.CONF file. Cannot download but can identify filesize which will tell us the number of characters the password is.
26:50 - Extracting all 8/9 character words out of RockYou.txt then using bash to script a rsync bruteforce (end of video we code a better brute force)
32:00 - Got Roy's password (computer),then downloading his directory to get user.txt. After that upload an SSH Key
39:48 - SSH into the box as roy with the key, then failing to run lynis before running LinPEAS
48:08 - Using find to list files edited around the time User.txt was created (newermt) to identify git repo's under RSYSLOG and FTP
52:05 - Examining git repo in RSYSLOG to identify it sends syslog to POSTGRES and is SQL Injectable
57:10 - Performing the SQL Injection with logger, but before that tailing the postgres log for some output
59:50 - Running commands on Postgres 9.3 via PROGRAM command. Get into trouble with quotes, find postgres has a third quote option which is $$
01:13:57 - EXTRA CONTENT: Building a threaded RSYNC Bruteforcer
01:14:20 - Script 1: Figuring out how RSYNC Authentication works, its a Challenge/Response.
01:22:44 - Script 1: Downloading the RSYNC Source and searching how it creates the hash
01:32:40 - Script 1: Adding SOCKET Support so we can connect to the RSYNC Server
01:45:40 - Script 2: Python3 Threading example
01:50:45 - Script 3: Combining the Threaded example with our RSYNC Auth to get a good bruteforcer!