Here you can watch HackTheBox - Fighter for free or download it in the highest available quality; the video was uploaded to YouTube.
00:00:55 - Beginning of recon: Nmap, identifying the OS version, and checking out the page to find the hostname streetfighterclub.htb.
00:02:53 - Using GoBuster and WFUZZ to identify members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp.
00:08:45 - Begin poking around the members.streetfighterclub.htb page and find SQL injection.
00:12:00 - Boolean injection to force the query to return a "valid login". Playing with logins shows it always returns "Service not available".
00:14:25 - Testing UNION injections for easy exfiltration of data.
00:15:50 - Examining stacked queries to make running our own SQL statements easy. Then a bunch of injections to run xp_cmdshell and get output.
00:19:30 - Some valuable recon/information from debugging our SQL queries. Noticing small things really helps.
00:34:40 - Start of making a program to give us a command shell.
01:09:40 - Explaining the program we just created, then fixing a small bug.
01:12:45 - Beginning of popping the box the intended way. Finding that PowerShell is blocked, but specifying the 32-bit version is not.
01:17:10 - Return of 32-bit PowerShell... Identifying that we can append data to c:\users\decoder\clean.bat. That's odd; let's try to place a shell in it to see if it is being run.
01:32:40 - Found the issue! PowerShell is encoding in UTF-16, which is confusing the command prompt. 64-bit shell as Decoder obtained!
01:35:30 - Exploiting the Capcom driver to gain a root shell; this post is super helpful: http://www.fuzzysecurity.com/tutorial...
01:42:18 - Escalating to SYSTEM via the Capcom exploit, then copying root.exe and checkdll.dll to our box so we can reverse them.
01:47:25 - Looking at the binaries in IDA64 Free.
01:51:14 - Explaining what's happening, then writing a script to bypass the password check.
01:55:35 - Start of the unintended way (Juicy Potato).
01:58:10 - Finding a world-writable spot under System32 for an AppLocker bypass (thanks @Bufferov3rride), then uploading JuicyPotato.
02:06:10 - Start of modifying JuicyPotato to accept uppercase arguments.
02:10:14 - Finding a vulnerable CLSID to get JuicyPotato working.
02:28:25 - Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM shell, then creating our own DLL to bypass the check.