HackTheBox - Hancliffe скачать в хорошем качестве

HackTheBox - Hancliffe

00:00 - Intro 01:00 - Start of nmap 02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive. 04:30 - Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password 08:40 - Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon] 12:15 - Identifying the Nuxeo application and searching for the web vulnerability 15:55 - Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload 19:40 - Testing an java EL SSTI Payload to get code execution. Don't get output but can validate we run code via ping 21:25 - Getting a reverse shell 24:25 - Looking at listening ports, running a powershell snippet to get process name and the port they listen on 29:15 - Looking for an exploit with Unified Remote. Using Chisel to forward the port it listens on to us. 33:30 - Going over the Unified Remote Exploit script, changing where it writes files to and using msfvenom to generate a malicious exe for us 37:00 - What i say here is wrong... I did not notice I got a shell back when writing to C:\Windows\Temp... lol. 39:09 - Converting the Unified Remote script to Python3 with some vim macro magic 42:10 - Running WinPEAS and discovering a Firefox credential 50:10 - Using HashPash with the creds WinPEAS displayed to get the development users password. Using chisel to forward WinRM to us and accessing the box as development 55:00 - Start of RE of the MyFirstApp Binary. Opening Ghidra 55:30 - Searching for Strings to find where Username: is in the program and looking at code around it to see how authentication works 1:00:40 - Looking at Encrypt1() and discovering it is just Rot47 1:04:30 - Looking at Encrypt2() and discovering it is just AtBash 1:12:45 - Logging into the application and discovering what is available to us after auth 1:16:10 - Discovering a buffer overflow in the code parameter, then opening it in x32dbg and seeing we overwrite EIP 1:22:55 - EIP Overwrote, looking at ESP we only have 10 bytes of space here. Talking about JMP Backwards to get to a spot where we have more space 1:25:00 - Start of pwntools script, using x32dbg to show us a JMP ESP 1:27:00 - Using msf-metasm_shell to generate shellcode for us 1:32:05 - Disabling DEP for our process on our windows box 1:35:10 - Showing we can use the JMP ESP, to execute our JMP -70 to get back to the start of our userinput. Its still not large enough for a revshell need to use Socket Reuse to increase buffer size 1:38:20 - Setting a breakpoint on a recv() call and looking at the stack.. We will have to mirror this. 1:42:40 - Getting the location of the Socket Handle which is ESP+0x48, then writing shell code to save that 1:45:50 - When trying to add 48, we get a null byte which is bad. Using an add/sub call to add 48 without null bytes 1:51:20 - Moving ESP to the other side of EIP so we don't have to worry about overwriting EIP and buffer overflowing the program again 1:55:30 - Getting 0 on the stack by just xor ebx, ebx - Then pushing the size of data we want 2:00:35 - Pointing the memory address recv saves data to within our junk data, as this is where the program returns to after the call 2:03:35 - Using Ghidra to get the memory address of the RECV() function, so we can call it 2:09:45 - Using MSFVenom to generate the shellcode for a reverse shell and testing out the exploit 2:13:50 - Showing by setting EXITFUNC=THREAD we don't kill the program when we exit our shell 2:15:50 - Updating our script to point at the hancliffe machine and getting our shell