HackTheBox - Office

Подписаться 241 тыс.

Просмотров 8 тыс.

50% 1

00:00 - Introduction
01:00 - Start of nmap
02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work
06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex)
11:30 - Using KerBrute to bruteforce valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password
16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18
22:30 - Logging into Joomla then getting a shell through editing a template
30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost
42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell
51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document
57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login
1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin

Опубликовано:

29 июн 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 19

@jcbenge08 7 дней назад

I'm constantly amazed when I watch these videos and thinking "HOW DOES HE KNOW TO DO THAT?!?" Great stuff!!!

@Securesyntax 7 дней назад

I'm watching every video of yours, and they are fantastic! I learn something new every time. Keep up the amazing work!

@BrunoBsso 7 дней назад

Excellent as always, impressive. Good job dude!!!!!

@Giugiu7077 6 дней назад

I wish I was half as good as him. You are a pro, keep it up

@Ambassador_Kobi 7 дней назад

A new ippsec video nice!

@h8handles 6 дней назад

Relaxing this Sunday morning watching my favorite hacker before my first OSCP attempt in a couple hours.

@Yayaisbadatchess 5 дней назад

How did it go??

@GokEnsar 7 дней назад

Very good video ippsec. Thank you. Do you think making videos for poc ‘s ?

@mr-robot8452 4 дня назад

Great video! There's another way to pwn the box, but I think it might be not intended. By assigning the SEImpersonatePrivs to the ppotts or even the tstark user using the MySQL UDF payload, you can skip the entire ODT upload/import & DPAPI step. However, the method you used is much more fun and educational!

@xprnmz8263 2 дня назад

mind explaining it better? 🙏🏻

@SOLOxUNS 7 дней назад

You bestt 🎉😂❤

@AUBCodeII 7 дней назад

Hey Ipp, do you go hard in the paint?

@eIicit 7 дней назад

He clearly does

@entertainment_in_blood 6 дней назад

Just Wowww..!

@Marco_Ris 5 дней назад

Hey IppSec. Are you really always telling the same about nmap or do you have a script doing it? xD btw is there a reason why you put the flags -sC and -sV separately? I' doing it with -sCV. Thanks for your videos and take care...

@ippsec 5 дней назад

I don't often run nmap with scripts. No real reason to put -sC and -sV separately other than muscle memory and ease of read. Not all arg parsing libs allow for putting muiltiple args in 1 arg, but all will support it the long way of 1 arg per arg. So it's easier for me to always just use the long way, to avoid keeping track of which programs support what format. It also helps when playing with new tools, as the way you are used to will always just work. I guess my way of thinking is - if all you do is focus on optimizing, you will become excellent at that one thing, but won't become good at many things. I prefer to be good at many things as when I have a problem, I have more skills to lean on.

@Marco_Ris 5 дней назад

@@ippsec thanks for your explanation. I will have it in my mind for the next time

@meshelishaool8808 3 дня назад

Hi app, Thank you for the video I learned a lot, I was hoping that you put any resources you used in the description so we can read it after watching the video. Again thank you for your hard work