HackTheBox - Office
ฝัง
- เผยแพร่เมื่อ 27 มิ.ย. 2024
- 00:00 - Introduction
01:00 - Start of nmap
02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work
06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex)
11:30 - Using KerBrute to bruteforce valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password
16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18
22:30 - Logging into Joomla then getting a shell through editing a template
30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost
42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell
51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document
57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login
1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin
I'm constantly amazed when I watch these videos and thinking "HOW DOES HE KNOW TO DO THAT?!?" Great stuff!!!
I'm watching every video of yours, and they are fantastic! I learn something new every time. Keep up the amazing work!
Excellent as always, impressive. Good job dude!!!!!
Hey Ipp, do you go hard in the paint?
He clearly does
I wish I was half as good as him. You are a pro, keep it up
A new ippsec video nice!
Relaxing this Sunday morning watching my favorite hacker before my first OSCP attempt in a couple hours.
How did it go??
Very good video ippsec. Thank you.
Do you think making videos for poc ‘s ?
Great video! There's another way to pwn the box, but I think it might be not intended. By assigning the SEImpersonatePrivs to the ppotts or even the tstark user using the MySQL UDF payload, you can skip the entire ODT upload/import & DPAPI step. However, the method you used is much more fun and educational!
mind explaining it better? 🙏🏻
You bestt 🎉😂❤
Just Wowww..!
Hey IppSec. Are you really always telling the same about nmap or do you have a script doing it? xD btw is there a reason why you put the flags -sC and -sV separately? I' doing it with -sCV. Thanks for your videos and take care...
I don't often run nmap with scripts. No real reason to put -sC and -sV separately other than muscle memory and ease of read. Not all arg parsing libs allow for putting muiltiple args in 1 arg, but all will support it the long way of 1 arg per arg. So it's easier for me to always just use the long way, to avoid keeping track of which programs support what format. It also helps when playing with new tools, as the way you are used to will always just work.
I guess my way of thinking is - if all you do is focus on optimizing, you will become excellent at that one thing, but won't become good at many things. I prefer to be good at many things as when I have a problem, I have more skills to lean on.
@@ippsec thanks for your explanation. I will have it in my mind for the next time
Hi app,
Thank you for the video I learned a lot, I was hoping that you put any resources you used in the description so we can read it after watching the video. Again thank you for your hard work