HackTheBox - Sniper


01:05 - Begin of Nmap scans
02:30 - Checking out the website and running a few GoBuster dir searches
04:50 - Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter
08:20 - Discovering .. is a bad character, working around it by starting the path with a slash
10:28 - Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer
12:50 - Configuring SMBd to host a share that is accessible by anonymous users
15:00 - Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution.
19:10 - Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell
24:30 - Reverse Shell Returned!
29:00 - Discovering Chris's password then using Powershell to run a command as him to upgrade the shell.
40:10 - Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share)
46:55 - Copying the malicious CHM File to c:\Docs and not getting any shell. Simplify the exploit to run ping instead.
51:30 - Using Out-CHM to have it execute NC out of c:\users\chris\downloads\ instead of a SMB Share and getting shell as administrator
53:25 - Start of doing the box the second way.
54:15 - Explaining the LFI + PHP Session Exploit Chain
56:30 - Identify bad characters by creating a in python to to create accounts and test logins
1:07:00 - Testing minimal php code for code execution
1:08:30 - Testing Code exeuction with Powershell Encoded commands
1:18:26 - Downloading Netcat to the box then executing it for a reverse shell
1:23:00 - Uploading Chisel to the box then forwarding ports 3306 and 5985 to us
1:31:40 - Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel
1:32:20 - Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash
1:40:00 - Uploading the CHM and stealing the hash with Responder
1:31:20 - Using Hashcat to crack a NetNTLMv2 hash from Hashcat (5600)
1:42:40 - Using PSexec to remote into the boxh

HackTheBox - Sniper HackTheBox - Sniper Reviewed by Anonymous on March 28, 2020 Rating: 5