diff --git a/dataset.json b/dataset.json
index 570870b..2fbdad4 100644
--- a/dataset.json
+++ b/dataset.json
@@ -1 +1 @@ -[{"machine": "Academy: Learning Process", "academy": "9", "line": "Free HackTheBox Course on getting into the right mindset to learn.\n", "tag": ""}, {"machine": "Academy: Intro to Academy", "academy": "15", "line": "Free HackTheBox Course on using the Academy Platform\n", "tag": ""}, {"machine": "Academy: Hacking Wordpress", "academy": "17", "line": "HackTheBox Course on Hacking Wordpress. This cost 100 cubes, which is ~$10\n", "tag": ""}, {"machine": "Academy: Network Enumeration with Nmap", "academy": "19", "line": "HackTheBox Course on using NMAP to its fullest. This cost 50 cubes, which is ~$5\n", "tag": ""}, {"machine": "Academy: Cracking Passwords with Hashcat", "academy": "20", "line": "HackTheBox Course on using Hashcat to its fullest. This cost 100 cubes, which is ~$10\n", "tag": ""}, {"machine": "Academy: Active Directory LDAP", "academy": "22", "line": "HackTheBox Course on Enumerating Active Directory over LDAP. This cost 1000 cubes, which is ~$100\n", "tag": ""}, {"machine": "Academy: File Inclusion / Directory Traversal", "academy": "23", "line": "Free HackTheBox Course on performing Directory Traversal and File Inclusion attacks\n", "tag": ""}, {"machine": "Academy: Web Requests", "academy": "35", "line": "Free HackTheBox Course about HTTP or Web Requests\n", "tag": ""}, {"machine": "Academy: Secure Coding 101: Javascript", "academy": "38", "line": "HackTheBox Course on Javascript Coding. This cost 1000 cubes, which is ~$100\n", "tag": ""}, {"machine": "Academy: Javascript Deobfuscation", "academy": "41", "line": "Free HackTheBox Course on Deobfuscating Javascript\n", "tag": ""}, {"machine": "Academy: Whitebox Pentesting 101: Command Injection", "academy": "48", "line": "HackTheBox Course on Command Injection Vulnerabilities. 
This cost 500 cubes, which is ~$50\n", "tag": ""}, {"machine": "Academy: Windows Fundamentals", "academy": "49", "line": "Free HackTheBox Introductory Course on Windows\n", "tag": ""}, {"machine": "Academy: Linux Privilege Escalation", "academy": "51", "line": "HackTheBox Course on Linux Privilege Escalation. This cost 500 cubes, which is ~$50\n", "tag": ""}, {"machine": "Academy: Attacking Web Applications with FFUF", "academy": "54", "line": "Free HackTheBox Course on using FFUF\n", "tag": ""}, {"machine": "Academy: Login Brute Forcing", "academy": "57", "line": "Free HackTheBox course on bruteforcing common logins\n", "tag": ""}, {"machine": "Academy: Active Directory PowerView", "academy": "68", "line": "HackTheBox course on Active Directory Enumeration and Exploitation with PowerView. This cost 1000 cubes, which is $100\n", "tag": ""}, {"machine": "Academy: Active Directory BloodHound", "academy": "69", "line": "HackTheBox Course on using Bloodhound, including writing cypher queries for custom graphs! 
This cost 500 cubes, which is $50\n", "tag": ""}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction talking about the power of Jinja2"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Quick Jinja2 introduction, showing how Ansible uses templates"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Using Jinja2 Loops with Ansible Variables to build URL's of Firefox Plugins and not put a comma on the last item."}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Showing how we can automate installing extensions in Firefox by editing the /usr/share/firefox-esr/distribution/policies.json"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Copying our test playbook of configuring Firefox into our main playbook as a role"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Showing a really good BurpSuite role, but we won't use this. 
I'd recommend you learn it"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Short rant on what I initially tried to do but gave up attempting (grabbing certificate out of userPrefs)"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Showing how the Ansible Plugin works, by starting BurpSuite in Headless mode, accepting the license then downloading off of Burps Website"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "", "line": " Struggling to get a shell script to download the Burp Certificate"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "", "line": " Playbook appears to work, but Burp was running from a previous test which made it work. 
We fix this at 1:08:15"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Using our VSCode with Github Copilot to have AI Help us make playbooks"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "", "line": " Telling BurpSuite to only download the Certificate if it doesn't exist already"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Back to automating firefox, having it autoinstall our CA Certificate from BurpSuite"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "", "line": " Editing the font sizes in BurpSuite"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Install Jython and JRuby so we can easily install BurpSuite Plugins"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 64, "seconds": 38}, "tag": "", "line": " Attempting to install our playbook on a fresh copy of Parrot and running into an issue."}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "", "line": " Fixing our BurpSuite Activation, simplifying the shell command by making it a bash script"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 76, "seconds": 
6}, "tag": "", "line": " Adding a pkill Java and increasing the time we wait for burpsuite to run. Then showing everything works!"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Introduction"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "windows medium", "line": " Examining SSL Certificates and seeing \"sequel-DC-CA\", which hints towards there being a Certificate Authority"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Using CrackMapExec to enumerate file shares"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows medium", "line": " Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows medium", "line": " Using mssqlclient to login to access MSSQL"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows medium", "line": " Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "windows medium", "line": " Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 20, "seconds": 45}, 
"tag": "windows medium", "line": " Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "windows medium", "line": " Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows medium", "line": " Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Cannot use the certificate for WinRM because there isn't SSL (5986)"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows medium", "line": " Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "windows medium", "line": " Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "windows medium", "line": " Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": 
{"minutes": 43, "seconds": 0}, "tag": "windows medium", "line": " Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator"}, {"machine": "Building Ippsec's Parrot VM - How to Run the Playbook.", "videoId": "eMI7g4huIsc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Github Repo: https://github.com/ippsec/parrot-build"}, {"machine": "Building Ippsec's Parrot VM - How to Run the Playbook.", "videoId": "eMI7g4huIsc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " This is a quick video just to show how to run my Ansible Playbook to build out my Parrot VM. Check out the Building Parrot Playlist to see how this all works, so you can customize things to your liking."}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sponsor Link: https://snyk.co/ippsec"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Repo Here: https://github.com/IppSec/parrot-build"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction Promoting Snyk"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "", "line": " Showing why we are using VSCode and not Codium"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Showing Ansible Galaxy, which are community provided roles. 
Specifically the Visual Studio Code one and creating requirements.yml"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Adding the Visual Studio Code role to our playbook and installing a couple extensions"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Going to the Visual Studio Code Marketplace and showing how we get extension names to add to our playbook, then running our playbook"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Opening VS Code and Signing in to Copilot, then showing it do some predictive typing with python"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "", "line": " Showing Autopilot works with Ansible Playbooks"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 11, "seconds": 10}, "tag": "", "line": " Downloading the web application on TwoMillion, so we can use Snyk to analyze it"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 12, "seconds": 28}, "tag": "", "line": " Installing the Snyk VSCode Plugin"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "", "line": " Opening VS Code and authenticating with Snyk"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "", "line": " Talking about Snyk Open Source Security"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", 
"videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Enabling Snyk Code Scanning to have it scan our code and find vulnerabilities"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " Showing Snyk find the RCE Vulnerability and it providing examples on how other applications fixed the vulnerability"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "", "line": " Installing an PHP Extension to enable our IDE to have better PHP Support and easily see where functions are called"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Diving into the RCE Vulnerability and figuring out HTTP Endpoint that is vulnerable to it"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Patching the vulnerability"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Showing the code Quality Piece and it talking about unreachable code"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "", "line": " Playing with Copilot, adding a new HTTP Endpoint to delete a VPN and seeing how much code it will auto suggest"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Closing thoughts, talking about future videos in this series"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": 
"2y68gluYTcc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The Github Repo: https://github.com/IppSec/parrot-build"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro downloading the HTB Edition of Parrot and talking about basic VM Things"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Talking about using Ansible to install software after and why we should not use Snapshot's for a long-term solution."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Parrot has been installed! Fixing up the Terminal real quick and talking about how to set the prompt like I have it"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " Installing Ansible with apt"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Creating our first playbook, doing some quick introduction things"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Creating an Ansible Role to configure tmux"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Looking at all the ansible_facts to see the variable where our home is stored"}, {"machine": "Rebuilding Parrot and Using Ansible to Script 
Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Using the copy module in ansible to copy files to our users home directory"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "", "line": " Start creating an ansible role for customizing our terminal"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " Looking at how Mate Terminal creates profiles and exporting our settings so ansible can load it. Lots of using dconf"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Using Ansible to start configuring mate terminal"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 38, "seconds": 27}, "tag": "", "line": " Creating a new fact (variable) and using regex_replace to remove the last character, so we can append to the list."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Using when, so an ansible task will be skipped if the string 'video' is in profile_list."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "", "line": " Creating an Ansible Role to install tools such as Kerbrute"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "", "line": " This time our role will have 
multiple task files, so when we have 100 tools we will be able to easily remove tools we don't want"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "", "line": " Using the ansible shell module to run multiple commands"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "", "line": " Ansible script complete! Rebuilt my VM and am running the script to see if it works"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 57, "seconds": 10}, "tag": "", "line": " Looking at the role that errored, showing when there are no profiles /org/mate/terminal/global does not exist"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " Adding another check to create a standard profile_list.value when profile_list is None"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 59, "seconds": 40}, "tag": "", "line": " Re-running our playbook and having our parrot built!"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap, assuming the web app is NodeJS based upon a 404 message"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux easy", "line": " Running Gobuster and discovering Tiny File Manager"}, {"machine": "HackTheBox - Soccer", 
"videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Looking for the source code and finding a default password of admin@123"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Navigating to uploads and attempting to upload a php shell to the website"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Getting a reverse shell with our php shell"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Talking about hidepid=2 is set, so we can't see processes for other users"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Looking at nginx configuration to see what port 9091 is and discovering a new subdomain (soc-player.soccer.htb)"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Navigating to soc-player.soccer.htb and discovering a few more pages"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " The /check endpoint looks like it is vulnerable to Boolean SQL Injection"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " Intercepting the websocket in BurpSuite and showing "}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux easy", "line": " Using SQLMap to dump the database, first time I've used 
SQLMap with websockets"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Attempting to ssh with creds found in the database and logging in as player"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Looks like we can run doas, which is like sudo. Looking at the command we can run and seeing dstat"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux easy", "line": " Creating a dstat plugin, then executing it with doas"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 0, "seconds": 18}, "tag": "linux easy", "line": " Start of nmap, scanning all ports with min-rate"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "linux easy", "line": " Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Attempting to enumerate usernames"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Solving the HackTheBox Invite Code Challenge"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Sending the code to JS-Beautify"}, {"machine": "HackTheBox - TwoMillion", "videoId": 
"Exl4P3fsF7U", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux easy", "line": " Creating an account and logging into the platform then identifying what we can do"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux easy", "line": " Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux easy", "line": " Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux easy", "line": " Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc"}, {"machine": "HackTheBox - TwoMillion", "videoId": 
"Exl4P3fsF7U", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux easy", "line": " Searching for the OverlayFS Kernel Exploit"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 37, "seconds": 27}, "tag": "linux easy", "line": " Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux easy", "line": " Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux easy", "line": " Testing for command injection with a poisoned username"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "linux easy", "line": " Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux 
medium", "line": " Looking for LFI, then exploring /proc to find where the application is and extracting the source code"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Using wscat to test the websocket"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "linux medium", "line": " Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Looking at what TypeNameHandling means in NewtonSoft's deserialize"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Looking for a gadget to use with our deserialization"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux medium", "line": " Building the deserialization payload"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux medium", "line": " Dumping Phil's SSH Key, then logging in"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " The dotnet app, had developers password, switching to that 
user"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Developer can run dotnet with sudo, using the FSI gtfobin to get a shell."}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap discovering Active Directory (AD)"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows insane", "line": " Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "windows insane", "line": " Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 13, "seconds": 55}, "tag": "windows insane", "line": " Building Kerbrute from source to get the latest feature of auto ASREP Roasting"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows insane", "line": " Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows insane", "line": " Running Bloodhound with D.Klay, using Kerberos authentication"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "windows insane", "line": " Going over the bloodhound data and finding some attack paths"}, {"machine": "HackTheBox - Absolute", 
"videoId": "rfAmMQV_wss", "timestamp": {"minutes": 31, "seconds": 13}, "tag": "windows insane", "line": " Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "windows insane", "line": " EDIT: Don't want to use Blodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows insane", "line": " End of edit: Using SMBClient with SVC_SMB and Kerberos to download files"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 46, "seconds": 22}, "tag": "windows insane", "line": " Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "windows insane", "line": " Running test.exe and getting m.lovegod's password from LDAP"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "windows insane", "line": " Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "windows insane", "line": " Pulling a version of Impacket that has DACLEDIT and building it"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "windows insane", "line": " Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 68, 
"seconds": 20}, "tag": "windows insane", "line": " Running Certipy to add shadow credentials to winrm_user so we can login "}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "windows insane", "line": " Using WinRM to login to the box with our shadow credential"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "windows insane", "line": " Start of fumbling around with KRBRelay to privesc"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 78, "seconds": 40}, "tag": "windows insane", "line": " Using RunasCS to change our LoginType which may allow us to run KRBRelay"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 87, "seconds": 40}, "tag": "windows insane", "line": " Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Checking out the web page and finding command injection in the URL "}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Space appears to be a bad character with command injection. 
Normal tricks like brace expansion or IFS don't work."}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Trying IFS to be a space but the trailing character makes it difficult"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " The POC puts a space before the exploit which then removes the space being a bad character in our exploit"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 14, "seconds": 29}, "tag": "linux easy", "line": " Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux easy", "line": " End of edit, shell as ruby, discovering credentials in a config file for henry"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 22, "seconds": 53}, "tag": "linux easy", "line": " Henry can run sudo, discover he can execute a ruby script"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Looking up a ruby deserialization exploit with YAML"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux easy", "line": " Finding a different payload and getting a root shell"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", 
"line": " Introduciton"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap, navigating to the page and identifying the framework based upon 404"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Playing around looking at javascript source, not getting anything"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Playing around with prd.m.rengering-api.interface.htb... I'm guessing file not found is the webserver, not actual code."}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux medium", "line": " Showing the difficulty of dirbusting API Servers"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux medium", "line": " Showing importance of updating FeroxBuster"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Playing with the HTML2PDF endpoint and discovering we need to send a POST with HTML as an argument"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " The PDF Generated has dompdf 1.2.0 in the exif data searching for exploits"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux medium", "line": " Researching how CVE-2022-28368 works, then manually exploiting the vulnerabiltiy"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " The CSS/Font is created, running the exploit and finding 
where the Font (PHP File) gets uploaded to"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux medium", "line": " Uploading pspy to examine how the box cleans itself up"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux medium", "line": " Discovering and exploiting Bash Arithmetic Injection"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Introduction"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of Nmap "}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows hard", "line": " Playing with the web page, but everything is static doing a VHOST Bruteforce to discover school.flight.htb"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "windows hard", "line": " Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows hard", "line": " Since this is a Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "windows hard", "line": " Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", 
"timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows hard", "line": " Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "windows hard", "line": " Checking the shares with S.Moon and discovering we can write to the Shared Directory"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows hard", "line": " Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 26, "seconds": 18}, "tag": "windows hard", "line": " C.Bum can write to Web, dropping a reverse shell "}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows hard", "line": " Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "windows hard", "line": " Using RunasCS.EXE to switch users to cbum"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows hard", "line": " Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "windows hard", "line": " Reverse shell returned as DefaultAppPool, showing it is a System Account"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 50, "seconds": 5}, "tag": "windows hard", "line": " Uploading Rubeus and stealing the kerberos ticket of the 
system account, which because this is a DC we can DCSync"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows hard", "line": " Running DCSync"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap, attempting to login with FTP then going to the website"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Running WPScan with enumerate all plugins in aggressive mode"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Taking a look at the site while WPScan runs and finding a plugin (BookingPress-Appointment-Booking) and finding an exploit"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux easy", "line": " Replacing the NONCE in the exploit to get it working"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Using SQLMap to dump everything, while we attempt to get only the data we think we are interested in. 
"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Manually dumping the WP_USERS table with the SQL Injection"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "linux easy", "line": " Cracking the wordpress hashes to get a user credential"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 16, "seconds": 57}, "tag": "linux easy", "line": " EDIT: Playing with SQLMap to get it to dump this database"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Searching for Wordpress 5.6.2 exploits, discovering an XXE in WAV Files"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Using the XXE to exfil files off the webserver"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux easy", "line": " Discovering FTP Credentials in the WP Config, logging into the FTP Server and finding SSH Credentials"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux easy", "line": " Logging in as JNelson and seeing PassPie, which is a CLI Password Manager that uses PGP/GPG Keys"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Cracking to PGP/GPG Key with John and getting root"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, 
{"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Start of gobuster"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Discovering an upload form, looking for where things get uploaded"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 8, "seconds": 11}, "tag": "linux medium", "line": " You should really watch \"The Perl Jam\""}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux medium", "line": " Showing the weird syntax of perl's file open and how | leads to RCE"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "linux medium", "line": " Back to the box, exploiting and getitng a shell"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, looking at the uploaded files"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "linux medium", "line": " Running LinPEAS to discover a cron"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " There's an outlook email message with an attachment. 
Copying it then converting to eml format and extracting the file"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux medium", "line": " The file was an windows event log. Using Chainsaw to search through the logs"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux medium", "line": " Using Chainsaw and JQ to parse the Successful and Failed logins"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 42, "seconds": 25}, "tag": "linux medium", "line": " In the failed logins field, there's a password as a username and logging in as smorton"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 44, "seconds": 35}, "tag": "linux medium", "line": " There's a binary on this box, copying it to us and opening in Ghidra"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux medium", "line": " Start of reversing, just showing strings and finding out where the get loaded in the program"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux medium", "line": " Retyping done, renaming a few variables to make things easier to read"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "linux medium", "line": " Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghidra to \"Parse C Source\""}, {"machine": "HackTheBox - 
Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "linux medium", "line": " Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 61, "seconds": 5}, "tag": "linux medium", "line": " Showing there is also a race condition in the binary because the curl downloads to CWD and even thoe its owned by root we can rename it and take control over the file"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux medium", "line": " Checking out the API Documentation"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Interacting with the API Server"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux medium", "line": " Showing the file_url, parameter and showing we can access local files"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 6, "seconds": 36}, "tag": "linux medium", "line": " Building a webserver in Flask to make some middleware to exploit this SSRF, allowing us to easily download files from the webserver"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Our middleware works! Can download files off the server. 
"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux medium", "line": " Downloading the apache2 configuration to find where all the webserver files are hosted"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux medium", "line": " Using gobuster against our middleware to discover any hidden webfiles, have to edit our middleware to return 404 if it didn't return a file"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux medium", "line": " Running gobuster against our code now that it gives 404... Its going slow, switching to a different wordlist and finding a .git repository"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Git-Dumper fails because our middleware isn't setting content-type correctly. Have to fix that"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux medium", "line": " Opening the source code from the .git repo up in Visual Studio code and Snyk shows us there is an LFI"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Getting Unacceptable URL when trying to exploit this. 
Removing http:// fixes that showing parse_url in php fails to return the hostname when there is no wrapper"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Getting RCE on a include() statement without poisoning a file on the server with PHP Gadgets"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 26, "seconds": 58}, "tag": "linux medium", "line": " EDIT: Showing there is also a URL Parsing bug on handler.php and we can change the domain that script goes to by inserting an \"@\""}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 31, "seconds": 52}, "tag": "linux medium", "line": " With a shell on the box, discover we can use git with sudo. Inserting a POST-COMMIT hook"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Generating a ed25519 ssh key, because the public key is extremely small... It's also more secure than RSA"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 38, "seconds": 10}, "tag": "linux medium", "line": " Cannot make a git commit because we can't write to the directory. 
But since we can write to .git we can add files outside of the working directory and commit"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux medium", "line": " Shell as SVC, discovering we can write to systemd, creating a malicious service to get root"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction talking a little bit about "}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Using Extension to show a legitimate password reset"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "", "line": " Modifying the host header and showing the website uses that in the sent email"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " Talking about mail filters auto-clicking links, which means user interaction isn't always required"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Sending a password reset to one of my personal emails, to show a mail filter auto clicks the link"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Got our click! 
Checking the IP Address to show it was a bot"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Showing how easy this vulnerability can occur by having OpenAI Build us code!"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Verifying the code was indeed vulnerable"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "", "line": " Asking the AI ways to protect against this type of attack, the best way is to put a whitelist on valid domains used to generate password reset links"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 10, "seconds": 37}, "tag": "", "line": " Talking about the other ways to protect against this attack"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 0, "seconds": 51}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Finding some vulnerable-looking parameters"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux medium", "line": " Testing some basic things for LFI, finding a WAF blocking ../. 
Double encoding it to get passed"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 7, "seconds": 11}, "tag": "linux medium", "line": " Start of writing a script to abuse this LFI and crawl/download all the php source"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Making the script recursive, so it will check pages downloaded for new links"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Making the script save the files"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux medium", "line": " Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux medium", "line": " Identifying how the site generates activation codes upon registration identifying an insecure use of SRAND(). 
Generating our own activation code"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux medium", "line": " Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "linux medium", "line": " Building a deserialization object to download a file off our server and write it to the web directory"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 32, "seconds": 8}, "tag": "linux medium", "line": " EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " EDIT: Poisoning our PHP Session with PHP Code as our username, then building an object to copy that to the server so don't need to use a remote host"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 41, "seconds": 38}, "tag": "linux medium", "line": " Getting a shell on the box, dumping credentials from postgres"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 44, "seconds": 55}, "tag": "linux medium", "line": " Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. 
Then cracking the passwords"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "linux medium", "line": " Passwords cracked logging in as bill"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "linux medium", "line": " Using pspy to identify a script runs to renew certificates"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 57, "seconds": 15}, "tag": "linux medium", "line": " Going over the bash script and identifying a command injection vulnerability."}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 61, "seconds": 45}, "tag": "linux medium", "line": " Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 66, "seconds": 4}, "tag": "linux medium", "line": " Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "linux medium", "line": " Putting the payload in $(), and getting root to the box"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 70, "seconds": 20}, "tag": "linux medium", "line": " Just making sure we fully understood why our first attempts failed"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Running ffuf to discover the 
portal virtual host"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 6, "seconds": 40}, "tag": "", "line": " Logging in with admin:admin and discovering a new cookie"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Looking at the Node-Serialize exploit"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Attempting to do the exploit and discovering modsecurity blocks us, then putting some unicode in the payload to evade it"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "", "line": " Whoops forgot to end the payload with (), so thats why we didn't get our shell"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 17, "seconds": 11}, "tag": "", "line": " EDIT Looking at how modsecurity is configured"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 19, "seconds": 33}, "tag": "", "line": " Showing the NGINX Error Log with modsecurity blocking, taking the unique ID going to the modsecurity log to get more information"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Looking at the JSDECODE transform for modsecurity to fix the rule"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Switching ModSecurity to Detection Only mode or Permissive so we don't block but get logs"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 31, "seconds": 42}, "tag": "", "line": " END OF EDIT, putting an SSH Key on the box"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 34, "seconds": 15}, "tag": "", "line": " 
Attempting to unzip the backup.zip, discovering a password but is using ZipCrypto, doing a plaintext crac with bkcrack to extract it"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Dumping the sssd.ldb database used to join the linux server to the domain. Getting a credential"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "", "line": " Using kinit to get a kerberos ticket, then ksu to switch to root"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Having trouble with tunneling, looking at iptables to see it blocks non-root users from accessing 192.168.0.0"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "", "line": " Looking at the shares to discover a powershell program to reset mobile phone numbers"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "", "line": " Modifying a phone number via ldap and seeing a script will execute what we put in the field"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 71, "seconds": 40}, "tag": "", "line": " Attempting to steal a NTLMv2 Hash, having trouble because NTLM is disabled"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "", "line": " Forwarding port 445 from the webserver to us, so we can use its DNS Name, but need to enable GatewayPorts in SSHD's config to listen on a non-loopback port"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 80, "seconds": 5}, "tag": "", "line": " Building a list of users with ldapsearch, then password spraying the password we cracked to get access to bob.wood"}, {"machine": "HackTheBox 
- Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Downloading dpapi keys and chrome/edge files then using pypykatz to decrypt saved passwords"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 96, "seconds": 11}, "tag": "", "line": " Got all the files on our box, using pypykatz to decrypt saved passwords"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "", "line": " Showing the intended way of bypassing applocker which would allow us to run programs to automatically decrypt everything"}, {"machine": "Twitter Live Now", "videoId": "IzmSQyFAR14", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Three days ago, I was wondering how all the \"Tesla Live Now\" scams faked people talking. After spending around $60 on \"Voice.AI\", I could change my voice to sound like Elon. I was googling to find a way to fake the video, and could probably do it with this: https://github.com/iperov/DeepFaceLive. 
But ended up finding ElonTalks.com (and anyonetalks.com), and the owner of that site was gracious enough to put my audio on top of his video."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction talking about how this box is about finding CVE's and building an exploit based upon exploit"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Running gobuster and showing the importance of using multiple wordlists."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux hard", "line": " Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux hard", "line": " Running Git-Dumper to extract the source then looking at the code"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Showing the vulnerable code and how secure the code appears at first glance without knowing specifics about the library"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Googling MySQLJS Sql Injection and showing how you would have found this exploit"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": 
{"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Showing how you could have found it blindly, passing an object into the SQL Query and doing SQL Injection on NodeJS with MySQL"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and writeup for the vulnerability"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Showing the piece missing from the writeup that tells us how we can retrieve the cache file that can be used to reset a password"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " Going over the code, and figuring out how the filename is generated."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " FIXED PART, sorry cut out a piece on how I traced the function back to how it generates the filname"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 31, "seconds": 29}, "tag": "linux hard", "line": " Resetting the admin account from the exposed cache file"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 35, "seconds": 39}, "tag": "linux hard", "line": " Exploiting the Mass Assignment Vulnerability to write to a configuration file, to increase log verbosity, file name of log, and then poisoning the log"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 46, "seconds": 9}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 48, "seconds": 39}, "tag": "linux hard", "line": " Downloading a custom password generator that appears to be a 
compiled python executable."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 51, "seconds": 24}, "tag": "linux hard", "line": " Running Pyinsxtractor to extract the pyc files out of the exe and then using Docker to match the python version which will allow uncompyle to convert pyc to py files"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 56, "seconds": 19}, "tag": "linux hard", "line": " Starting the docker and copying our password generator into it"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 57, "seconds": 29}, "tag": "linux hard", "line": " Showing the vulnerable password generation function, it is just using millisecond as a seed"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 57, "seconds": 49}, "tag": "linux hard", "line": " Building a script to generate all possible passwords, turns out it fails because Windows and Linux randomization is different"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 60, "seconds": 29}, "tag": "linux hard", "line": " Running pdf2john to generate a hash for the pdf file"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 62, "seconds": 19}, "tag": "linux hard", "line": " Running the script on windows to generate different passwords, then cracking ethans password with john"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 65, "seconds": 39}, "tag": "linux hard", "line": " Looking at SetUID Files, finding PINNS from CRI-O which is a binary related to Kubernetes"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 67, "seconds": 39}, "tag": "linux hard", "line": " There's no man page for the PINNS binary, so looking at the source code to change the kernel parameter for core dumps"}, {"machine": "HackTheBox - Vessel", 
"videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "linux hard", "line": " Creating an exploit script, poisoning the core dump parameter, and generating a dump to execute our script and getting root"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap, then discovering a laravel app"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Laravel app uses Ziggy which exposes a list of all the routes"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux hard", "line": " Finding the /management/dump endpoint but we keep getting page expired (missing some headers)"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Using ffuf to brute-force the management/dump endpoint"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "linux hard", "line": " Dumping a list of users and then cracking them"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux hard", "line": " Enumerating virtualhosts, then looking at the roundcube version"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux hard", "line": " Discovering the first 32 characters of the password reset token does not change"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Attempting to bruteforce the password 
reset token for Charlie's password but discovering there's rate limiting in play"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Spamming the password reset link to generate multiple tokens, which will allow us to guess a token"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 35, "seconds": 14}, "tag": "linux hard", "line": " Edit, explaining the multiple password reset vulnerability more in depth"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 37, "seconds": 18}, "tag": "linux hard", "line": " End of edit, resetting charlie's password"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Logging into Gitea as Jean and discovering a browser extension. Installing it to see what it does"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux hard", "line": " Explaining the XSS Filter check on the extension"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " Initial payload to prove we can execute javascript"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 73, "seconds": 45}, "tag": "linux hard", "line": " We have a base64 cradle to bypass the filter, creating a payload to interact with the gitea api to see what repo's the user has access to"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 84, "seconds": 4}, "tag": "linux hard", "line": " Getting information from the backups repo, then downloading the contents"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 89, "seconds": 0}, "tag": "linux hard", "line": " Extracting 
the tar from the git repo and getting an ssh key, finding passwords in the .git_credentials file"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux hard", "line": " Looking at the Laravel Source Code and discovering there is a command injection"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "linux hard", "line": " Looking at the email validation request, to show we need to create a valid checksum"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux hard", "line": " Explaining how the secret is generated from the source code, because the secret is at the beginning we can do a hash length extension"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 104, "seconds": 20}, "tag": "linux hard", "line": " Using Hash_Extender to generate a bunch of payloads in order to find the length of the secret"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 109, "seconds": 0}, "tag": "linux hard", "line": " Start of using python to submit the validation check"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 121, "seconds": 50}, "tag": "linux hard", "line": " Finding out the issue I'm running into, stupid formatting issue, having hash_extender output in a different format"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 130, "seconds": 50}, "tag": "linux hard", "line": " Getting a reverse shell on the container"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 137, "seconds": 0}, "tag": "linux hard", "line": " Finding there is a docker.sock file in our container, which enables us to interact with docker on the host"}, {"machine": "HackTheBox - Extension", 
"videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 139, "seconds": 30}, "tag": "linux hard", "line": " Copying the Docker Executable to the container, which makes it much easier to interact with. Starting a container with the host file system mounted to get root"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 143, "seconds": 35}, "tag": "linux hard", "line": " Extra content, showing SSH can tunnel named pipes (socket files)"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of Nmap"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Logging into the endpoint, discovering how to send authentication to the endpoints. 
Don't really gain anything"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux medium", "line": " Using ffuf to search for extra endpoints and discover /admin/ but can't do anything"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Running NMAP again with UDP to discover SNMP"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "linux medium", "line": " EDIT: Showing the minrate with nmap to scan UDP much quicker"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Using SNMP Walk"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux medium", "line": " Using SNMP-BRUTE to bruteforce other community strings"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux medium", "line": " EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux medium", "line": " Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux medium", "line": " Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages"}, {"machine": "HackTheBox - 
Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Discovering command injection in the backup endpoint"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 35, "seconds": 19}, "tag": "linux medium", "line": " Shell returned! "}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux medium", "line": " Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "linux medium", "line": " EDIT: Showing how we could background out reverse shell with nohup so we don't hang the webserver"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "linux medium", "line": " Cracking the hashes and getting svc's password and then logging into the server via SSH"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Doing some light forensics looking for files edited on the box shortly after linux was installed"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "linux medium", "line": " Finding a password in the snmpd password which gets us root"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "linux medium", "line": " Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux medium", "line": " Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD"}, {"machine": "HackTheBox - Mentor", "videoId": 
"MjddXhMF9vg", "timestamp": {"minutes": 66, "seconds": 40}, "tag": "linux medium", "line": " Forwarding PostGres to our server with chisel so we can dump the database"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 72, "seconds": 20}, "tag": "linux medium", "line": " Enumerating PostGres manually to dump users, then showing how to run code on postgres servers"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux medium", "line": " Setting up the FastAPI Environment on our local box, copying files from the docker"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 78, "seconds": 30}, "tag": "linux medium", "line": " Doing some light edits on the FastAPI Code, so we can run it within an IDE and set breakpoints"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 84, "seconds": 14}, "tag": "linux medium", "line": " Start of adding auth to the /user/ endpoint. 
"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 90, "seconds": 15}, "tag": "linux medium", "line": " Fixing our /auth/login endpoint to accept our new login request"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "linux medium", "line": " Getting the browser to accept our bearer token"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 105, "seconds": 30}, "tag": "linux medium", "line": " Fixing up the /user/ endpoint to work with our bearer token"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 110, "seconds": 20}, "tag": "linux medium", "line": " Getting the user decorator to return the User Object which makes it easy for our code to identify our group"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Feedback: https://orrsuc93j02.typeform.com/HTBSEASONS"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sorry for the bad cam quality. 
Screwed up recording, then was too lazy to re-record."}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction why you should play NOW"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "", "line": " Going over the blog, what we mean by Beta Season"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " How many points each machine is worth"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Talking about Tiers AKA the completion based rewards"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Talking about the prizes"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Talking about Academy Modules"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Talking about the competitive rewards"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " FAQ"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Connecting to the Seasonal Machine"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "", "line": " How to give feeback."}, {"machine": "HackTheBox 
- Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Talking about Varnish, then looking at the website"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux medium", "line": " Poking at the Forgot Password functionality and showing we can enumerate valid users"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "linux medium", "line": " Discovering a username in the HTML Source"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Start talking about Host Header Injection, showing the page will use the Host Header when building redirects"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 9, "seconds": 28}, "tag": "linux medium", "line": " Using host header injection in the password reset, in order to send the user a link that goes to our box"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux medium", "line": " Explaining host header injection password reset in depth"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Live Demo showing that Host Header Injection on Password Reset may not require user interaction, mail filters love clicking links."}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux medium", "line": " Sending an 
email to myself, then checked Burpsuite Collaborator and saw some bots clicked our link and sent us the token that was in the email!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 16, "seconds": 43}, "tag": "linux medium", "line": " Showing what Robert can do in the web application and discovering some odd behavior on the /tickets/ page. Anything after the slash will return tickets and not 404!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "linux medium", "line": " Identifying when Varnish decides to cache things by looking at the age header, and discovering whenever /static/ is in the URL it becomes cached and that the page doesn't check authorization before displaying cache"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux medium", "line": " Getting the administrator to click a link on /admin_tickets/static/Junk, which will cache /admin_tickets/ and allow anyone to view the admin_tickets page!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "linux medium", "line": " Going in-depth with the Web Cache Deception attack and how Varnish works"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Showing the Varnish configuration"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Editing the Varnish configuration to add UserAgent as part of the caching logic to show it can have unique hashes per user. 
Then updating it to use Cookies instead"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux medium", "line": " Explaining the weird behavior with how the flask app does routing and allows the user to put /static/ in the URL and not have it go to the static directory"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "linux medium", "line": " Checking what Diego can run via sudo and discovering he can execute ml_security which appears to be some machine learning poc to look for XSS"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux medium", "line": " Getting the version of TensorFlow and looking for vulnerabilities in the library itself"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux medium", "line": " Exploiting TensorFlow 2.6.3 Save_Model_cli (CVE-2021-41228 and CVE-2022-29216)"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Taking a look at the web page, finding users on the site, and using FFUF to VHost Enumeration due to talking about a store"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux medium", "line": " Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux 
medium", "line": " Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " An JWT error message is displayed when accessing some API Pages, removing the token and bypassing authentication"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux medium", "line": " Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux medium", "line": " Extracting all users from the page and then using curl to save the hashes to a file. Use CrackStation to crack hashes and get a cred"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux medium", "line": " Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "linux medium", "line": " Using FFUF to fuzz for all possible ports and using a bash trick to create a wordlist based upon a range of numbers without creating a file"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Discovering some API Documentation on a page on port 3002"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux medium", "line": " The API all-leave page uses awk, and we can abuse this binary to perform a file disclosure vulnerability if we can poison user names. 
"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Using hashcat to crack our JWT "}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux medium", "line": " Creating a python script to generate JWT's which allow us to exploit awk and exfil files off the server"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " Python script completed, leaking some files and discovering a unique file in a users .bashrc"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Having trouble exporting the backup file, and modifying our script to write binary files which allow us to download the tar.gz backup"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux medium", "line": " Discovering bean's credentials in his xpad directory and logging in"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 59, "seconds": 40}, "tag": "linux medium", "line": " Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without any bad characters. 
Having trouble getting this to work."}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 71, "seconds": 10}, "tag": "linux medium", "line": " Taking it slower, discovering our mistake and getting code execution"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell as www-data. Modifying the file and trying to find out what happens"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 78, "seconds": 10}, "tag": "linux medium", "line": " Running PSPY, since it will be more thorough than our PS Commands and discover we can inject into the mail command"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux medium", "line": " Got our command execution working and shell returned as root"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 85, "seconds": 30}, "tag": "linux medium", "line": " Getting shell as www-data was unintended, showing the intended way of doing this which involves the leave-request page and symlinks"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 92, "seconds": 0}, "tag": "linux medium", "line": " Cannot poison our JWT and get code execution because of bad characters"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 98, "seconds": 30}, "tag": "linux medium", "line": " There were directories chmod'd to 777 that the application wrote to. 
We can use symlinks here to point to other files and have the webserver write to another file"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "linux medium", "line": " Showing why we need to create a new product to place our malicious payload"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 104, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned the intended way, and then showed we definitely needed the ! which is a bad character"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 107, "seconds": 40}, "tag": "linux medium", "line": " Extra content! Showing a more in-depth look at why removing the cookie bypassed auth. By loading the code locally and running it in VS so we can properly debug and step through it"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux medium", "line": " Explaining and showing why the application should have had an authentication function so there was less duplicate code in each function, which makes it easier to patch"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux hard", "line": " Identifying this page is built with flask based upon a 404 page"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Looking at /api/"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux 
hard", "line": " Showing a weird bug in python where you cannot run int() on a string that is a float"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Showing the source code on why this bypassed the check"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 10, "seconds": 12}, "tag": "linux hard", "line": " End of edit, extracting all the users passwords with curl"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Cracking the hashes and getting a password of rubberducky, playing with creating containers"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Getting a reverse shell on the Alpine-Python container"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " We are a privileged container and can see processes from root, which lets us access the hosts disk and CWD leaks file handles to directories. 
Grab an SSH Key"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux hard", "line": " Can execute safe_python with sudo as jack_adm but it turns out to be a sandbox, eventually find a use-after-free vuln on google and use that to escape"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Shell as Jack_adm, we can use sudo with hash_password.py, its a bcrypt hash but we can't crack what we create"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux hard", "line": " Explaining the vulnerability, bcrypt has a maximum length we can fill the buffer and prevent the python script from appending something to the password"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux hard", "line": " Creating a Hashcat rule file to append a single character to the password"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Creating a python script to exploit this vuln in bcrypt and leaking the secret key one character at a time"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 53, "seconds": 48}, "tag": "linux hard", "line": " Script to exploit the truncation vuln in bcrypt complete. Using hashcat to crack the password, showing two ways rule file and combinator attack which uses two dictionary files"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "linux hard", "line": " Finished the box but we skipped one step. 
Going back to show there was a dev subdomain which we need to pivot through a container to access"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 65, "seconds": 50}, "tag": "linux hard", "line": " The dev site has a different /api/healhtcheck page, we can use boolean logic with regex to perform a file disclosure vulnerability one char at a time"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 73, "seconds": 24}, "tag": "linux hard", "line": " Creating a python script to automate the file disclosure vulnerability and exporting files to leak extracting the cookie"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 90, "seconds": 10}, "tag": "linux hard", "line": " Talking about ways to improve the script, and realizing we can just run the script on the docker which makes this process exponentially faster. Good demo on how much a proxy slows things down."}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "linux hard", "line": " Showing the web source code which starts the container and why background was not pid 1337"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Generating our SSH Key and Base64 Decoding it"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " Opening the SSH Key in Bless"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": 
{"minutes": 3, "seconds": 45}, "tag": "", "line": " Showing information from the SSH RFC which will tell us what we are parsing"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "", "line": " Start of parsing the SSH Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Opening an Encrypted Key and showing the slight changes"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Back to the unencrypted SSH Key and showing the private key does contain the private key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Extracting the Exponent and N our of the Public Key portion"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "", "line": " Start of Private Key Information in the Private Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Extracting the variables from the Private Key Field"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Extracting Q, which is the big prime that we used in Response to rebuild the key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 19, 
"seconds": 0}, "tag": "", "line": " Showing the comment which contains the username and hostname of the person that generated the key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "", "line": " Extracting E/N from the Public Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Extracting Q from the Private Key again and using RsaCtfTool to generate the key"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "linux medium", "line": " Discovering this is a ruby Sinatra Web App based upon error message"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "linux medium", "line": " Discovering credentials in javascript"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Examining the HTTP Request to resize images and discovering an RCE"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 11, "seconds": 12}, "tag": "linux medium", "line": " Discovering we have SETENV with sudo on a script, checking for path injection"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", 
"timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Exploiting path injection with the find command"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Exploiting path injection because the script disables some Bash Built-ins"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux medium", "line": " Explaining bash built-ins"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux insane", "line": " Discovering the /status/ page which gives us some information on how to use the Proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux insane", "line": " Start of coding our own proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux insane", "line": " Downloading the source code to the chat application"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux insane", "line": " Modifying our proxy to forward all requests to chat.reponse.htb and adding a webserver to it"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Web Proxy is up! 
But we need to replace some URL's to send everything through our proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Adding POST Request support"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux insane", "line": " Post request working! Can login with Guest and talk to Bob over the chat"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux insane", "line": " Discovering the login request also sends a LDAP Server, we can point the login request to a ldap we control"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux insane", "line": " Using ChatGPT to Give us the hex to a successful LDAP Bind, so we can login after poisoning the LDAP Server"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux insane", "line": " Logged in with admin!"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "linux insane", "line": " Building a Cross Site Protocol Forgery payload to connect to the FTP Server, showing it work against us"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux insane", "line": " Sending bob the malicious payload and using FTP on his behalf"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "linux insane", "line": " Going over scan.sh"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux insane", "line": " Doing some LDAP Requests to see how its all setup"}, {"machine": "HackTheBox - Response", "videoId": 
"-t1UAvTxB94", "timestamp": {"minutes": 94, "seconds": 2}, "tag": "linux insane", "line": " Having the scan.sh scan our box by adding details into the LDAP Database"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 97, "seconds": 10}, "tag": "linux insane", "line": " Setting up an HTTPS Server on port 443, so it can scan it"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux insane", "line": " Using DNSMasq to setup a DNS Server on port 8053, and having IPTables redirect DNS Requests from the target to that port"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "linux insane", "line": " Starting a SMTPD Server, then creating a malicious certificate so we can exploit the NSE Script and extract an ssh key"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 113, "seconds": 0}, "tag": "linux insane", "line": " Going over the Incident Report, then looking at the PCAP"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 116, "seconds": 15}, "tag": "linux insane", "line": " Starting to parse the meterpreter packets, showing it in wireshark"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 120, "seconds": 50}, "tag": "linux insane", "line": " Using Scapy to extract the meterpreter tcp stream to a file"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 125, "seconds": 30}, "tag": "linux insane", "line": " Starting a python script to parse the meterpreter data"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 130, "seconds": 30}, "tag": "linux insane", "line": " Extracting the TLV for unencrypted packets"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 134, 
"seconds": 13}, "tag": "linux insane", "line": " Using Bulk_Extractor which extracts the AES Key from the core dump, its able to identify it via Key Expansion"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 139, "seconds": 30}, "tag": "linux insane", "line": " Decrypting the TLV, then adding definitions for TLV Types"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 165, "seconds": 0}, "tag": "linux insane", "line": " Writing the file to disk"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 169, "seconds": 50}, "tag": "linux insane", "line": " Discovering a small portion of the SSH Private key in a screenshot, after decoding it, we see the Q variable in it! Use RsaCTFTool to rebuild the private SSH Key"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Discovering Grafana and seeing it is ~2 years old"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Looking for exploits"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux medium", "line": " Manually performing the exploit"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux medium", "line": " Looking for interesting files, extracting Grafana config which lets us log in"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 
12, "seconds": 55}, "tag": "linux medium", "line": " Extracting the SQLite3 Database in order to get the MySQL Password"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " Logging into MySQL and getting SSH Creds from the whackywidget database"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Looking at the WhackyWidget application and discovering an Consul API Key"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux medium", "line": " Looking for the Consul API Documentation"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux medium", "line": " Playing with the API, examining the Metasploit script and building out our curl request"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux medium", "line": " Building a JSON file which will create a Consul Script to send us a reverse shell and getting root"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux medium", "line": " Showing the Metasploit Script would work if we port forward"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux medium", "line": " Showing another way, we can write to the Consul Config directory and do it manually"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - UpDown", 
"videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux medium", "line": " Testing the webhook, examining the request the server makes"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Trying other URL Wrappers to see how the application behaves"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux medium", "line": " Finding the .git sub directory, running git-dumper to extract source code"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Finding and explaining the LFI Vulnerability"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux medium", "line": " Attempting to use the php filter to extract source code, does not work, turns out there's another website"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Discovering there is a special header requried to access the DEV Website"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Configuring BurpSuite to add the header for us"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Explaining the LFI And why we are going to use a phar file to get code execution"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Attempting to get a shell, when executing our file we get a ERROR 500. 
Simplify the payload to see it works."}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Examining phpinfo to see disabled functions, and discovering system() was blocked"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux medium", "line": " Showing off github co-pilot, turns out it didn't exactly give me what I wanted."}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux medium", "line": " Uploading our script to check dangerous functions and identifying we can use the proc_open() function"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Creating a script to send us a reverse shell, more github copilot finishing our code for us"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux medium", "line": " Exploring the developer home directory, finding a setuid python binary that uses input(), exploiting to get developer user"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " We can run easy_install with sudo, getting root"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux medium", "line": " Explaining the Code Execution without dropping a file, by using gadgets with php filters to create text for us"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "linux easy", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Discovering it is NodeJS based upon the error message [MasterRecon]"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " Performing NoSQL boolean injection (mongodb) to bypass authentication"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Working payload for the NoSQL Injection."}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Dumping the user database with more NoSQL Injection and using CrackStation to get the password"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Using ffuf to find the mattermost.shoppy.htb subdomain"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux easy", "line": " Logging into MatterMost and getting a credential"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux easy", "line": " Log in as the Jaeger user and use strings to get a hardcoded password from the password-manager binary"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " 
SSH into the box as the Deploy User, discover we can run Docker commands and use that to privesc by starting a new container that mounts the root fs"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Exploring the Password-Manager binary in Ghidra"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Testing the webhook to see the app will send us information about a web page"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Trying to access port 3000, getting blocked by a filter trying to include 127.0.0.1 and 0x7f000001"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux medium", "line": " Playing with the webhook to see if it will send us the entire page"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Having our webserver redirect to localhost, to see if this bypasses the filter and getting the web page on port 3000"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux medium", "line": " The application on port 3000 is gogs 0.5.5 which is from 2014!"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", 
"timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux medium", "line": " Setting up a local instance of GOGS so we can build a payload to exploit this"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux medium", "line": " Playing with a union injection, then looking at the database to see number of columns in the user table"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Have a basic Union Injection payload, grabbing multiple fields from the SQLite Database"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Checking how the password is encoded by examining gogs source"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " Testing out cracking our hash"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 30, "seconds": 5}, "tag": "linux medium", "line": " Passing our SQL Injection payload through SSRF to attack the target and get a user password"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux medium", "line": " Using Pspy to see a cron job running as root that uses artisan to execute a web function"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Exploring the web source to discover the webserver uses file_get_contents on monitored url"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "linux medium", "line": " Poisoning the MySQL Database to have the monitored URL retrieve and send a file"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows easy", "line": " Running CrackMapExec to enumerate open file share and downloading a custom DotNet Executable"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "windows easy", "line": " Showing that we can run DotNet programs on our linux machine (will show how I configured this at the end of the video)"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows easy", "line": " Using Wireshark to examine DNS Requests when running this application"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "windows easy", "line": " Using Wireshark to examine the LDAP Connection and discover credentials being send in cleratext"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows easy", "line": " Using the credentials from the program to run the Python Bloodhound Ingestor"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows easy", "line": " Playing around in Bloodhound"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows easy", "line": " Discovering the Shared Support Account has GenericAll against the DC"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "windows easy", "line": " Doing a LDAP Search to dump all information and finding a password 
stored in the Info field of Active Directory"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows easy", "line": " Examining what the Support user can do, showing the importance of looking at Outbound Object Control option in bloodhound"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows easy", "line": " Explaining how to abuse GenericAll to the Computer object"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Downloading dependencies"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Starting the attack, checking that we can join machines to the domain"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows easy", "line": " Starting the attack Creating a machine account, had some issues will redo everything later"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows easy", "line": " Redoing the attack, copying commands verbatim from Bloodhound "}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "windows easy", "line": " Copying the ticket to our machine and then converting it from KIRBI to CCNAME format and using PSEXEC"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "windows easy", "line": " Extracting the LDAP Password through static analysis"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "windows easy", "line": " Installing DotNet on a linux machine"}, {"machine": "HackTheBox - Outdated", 
"videoId": "TR132R1h3Ds", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Running nmap"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "windows medium", "line": " Running CrackMapExec to enumerate the share"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows medium", "line": " Talking about a common misconception about \"Null SMB Authentication\""}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Downloading a PDF off the open share"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "windows medium", "line": " Using SWAKS to send an emailw ith a link to see if anything clicks it"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "windows medium", "line": " Exploring the CVE's mentioned in the PDF to see one of them is Folina"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "windows medium", "line": " Someone clicked our link! 
The User Agent Shows WindowsPowerShell/5.1.19041.906, which leaks the patch level of the box"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows medium", "line": " Building a Folina Payload"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "windows medium", "line": " Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab auto complete on windows rev shells"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows medium", "line": " Reverse Shell obtained, discover we are btables and a little enumeration shows we are in a HyperV Container"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Running SharpHound"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows medium", "line": " Importing the results into Bloodhound and seeing we have AddKeyCredentialLink which is a shadow credentials to a user"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows medium", "line": " Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using Evil-WinRM to login"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Running Invoke-Whisker "}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "windows medium", "line": " Discovering we are in WSUS Administrators Group, checking if other tools highlight this"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " 
Going into a SharpWSUS blog post that talks about adding a malicious windows update"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 46, "seconds": 45}, "tag": "windows medium", "line": " Compiling SharpWSUS"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows medium", "line": " Making sure SharpWSUS Runs, copying PSExec to the box"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows medium", "line": " Explaining the SharpWSUS Attack Path"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "windows medium", "line": " In typical ippsec fashion, I have a typo in my payload psexec.nexe lol."}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "windows medium", "line": " The payload did not work, lets simplify it by removing special characters and just executing netcat"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 59, "seconds": 55}, "tag": "windows medium", "line": " Shell returned as admin!"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "windows medium", "line": " Beyond Root: Enable RDP then showing the WSUS Administration Panel"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 0, "seconds": 35}, "tag": "", "line": " Agenda"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 1, "seconds": 30}, "tag": 
"", "line": " Whoami"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Hacking is an Art"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " The \"Flow Chart\" Problem most People Make"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Keep is Simple, don't go straight to the reverse shell"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "", "line": " Ask Simple Questions, Start of Fuzzing"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Talking about ffuf and giving some demos"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Reading between the lines"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Importance of asking questions"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 19, "seconds": 11}, "tag": "", "line": " How to ask questions"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 21, "seconds": 2}, "tag": "", "line": " Keeping a positive mindset"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 24, 
"seconds": 3}, "tag": "", "line": " Eliminate the word fail"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Stop doing the bare minimum"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Practice makes perfect"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " It's Holiday CTF Time. Shout outs."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Nmap the box, examining server banners"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " Checking out the website, doesn't seem like anything special "}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux hard", "line": " Using Ffuf to perform a virtual host scan to discover other subdomains and find portal"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux hard", "line": " Discover the Motorcycle Store Portal. 
Trying to play with a potential LFI but deciding it may be a rabbit hole"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux hard", "line": " Stop of examining rabbit hole."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Registering an account and noticing it goes to an API. Lets test the API Out by fuzzing other functions"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux hard", "line": " Running a GoBuster on the classes directory to find more controllers for the API "}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Fuzzing the Users.php file for more functions and discovering Upload"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Using OpenAI to generate an HTML Upload form, so we can see create an HTTP Upload Request"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Pasting our upload request and uploading a webshell"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Showing a SQL Injection in the Login Function that is vulnerable to Mass Assignment"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " The intended route: Editing our profile to change our login_type, which is our group. 
Editing it to be an admin which will reveal the upload form."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Shell on the Docker Container, looking for credentials in the web app"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Discovering Truedesk.php which has an apikey, looking online to see how to use this api key"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Searching the Truedesk code for more endpoints, finding a stats endpoint which leaks some info about a ticket"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Finding a voicemail password and instructions of connecting a soft phone. Downloading Zoiper"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Running Zoiper and connecting"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux hard", "line": " Logging in as hflaccus"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux hard", "line": " Setting up a proxy through SSH so we can connect to the DropCMS"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Running TCPDump"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux hard", "line": " Going over the wireshark, finding the HTTPS Connection is using an insecure SSL Protocol that doesn't support PFS (port forward secrecy)"}, {"machine": 
"HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux hard", "line": " Downloading the SSL Certificates and then using wireshark to decrypt the data and getting credentials to login to DropCMS"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " Uploading a malicious DropCMS Module and getting a shell on this docker container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Shell on the Docker of this container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Finding a script that runs every 45 seconds as root, after looking into this it should allow us to run code as root on the container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "linux hard", "line": " Root on this container, we can look for breakouts!"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "linux hard", "line": " Using the unshare command to exploit a vulnerability which gives us all the capabilities!"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 67, "seconds": 45}, "tag": "linux hard", "line": " Doing a somewhat standard way to execute code with the SYS_ADMIN capability (attacking overlayfs and cgroups) to get root on the host"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "linux hard", "line": " Showing that we could of skipped playing with TruDesk by using nmap and discovering mongo was open without credentials"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 78, 
"seconds": 10}, "tag": "linux hard", "line": " Using Mongosh to interact with mongo databases"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Poking at the web page, examining the request, playing with server headers"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Discovering an error message, googling it and finding out it is tied to Sping Boot"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Start of FFuf, using a raw request so we can ffuf like we can sqlmap"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "", "line": " Going over the results of FFUF"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Matching all error codes with FFUF which is very important, going over the special characters"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "", "line": " The curly braces return 500 in FFUF, big indication it is going to be SSTI"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Using HackTricks to get a Spring Framework SSTI payload and getting command execution"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "", "line": " Using curl to download a shell script and then execute 
it because we are having troubles getting a reverse shell"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Going back to just show the Match Regex feature of FFUF to search for banned characters"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Searching the file system for files owned by logs, discovering redpanda.log. Using a recursive grep to find out what uses this"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Examining the Credit Score java application and seeing what it does with the RedPanda.log file"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Discovering the Credit Score application gets the Artist variable via ExifData in an image"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " With the Artist, the Credit Score application opens an XML File and writes. 
This is like an Second Order XXE Injection"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Downloading an image, so we can change the exif metadata"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Using Exiftool to modify the artist"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "", "line": " Building the malicious XML File "}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Putting a malcious entry in the log, waiting for the cron to hit and then checking if we got root key"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "", "line": " Showing why our user had the group of logs. On boot the service was started with sudo and assigned us that group"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Navigating to the page "}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Discovering the forgot password feature enables people to enumerate valid users"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Finding the default credentials for mojo portal and then logging in as admin"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 7, "seconds": 50}, 
"tag": "", "line": " Uploading an ASPX Webshell but finding out the aspx extension is blacklisted"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Looking at the GitHub issues for MojoPortal"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Copying a file to bypass the bad extension filter of uploaded material and getting our webshell"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Showing the importance of redirecting STDERR to STDOUT on web shells to discover why some commands fail"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Failing to run a Powershell Reverse Shell bypassing AV, only to find out it is in ConstrainedLanguage Mode"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Attempting to upload netcat to find out its blocked via group policy"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Enumerating Applocker with Powershell Get-AppLockerPolicy -Effective -xml"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "", "line": " Looking at the Get-BadPasswords directory, finding an NTLM Hash"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Logging into the box via kerberos because NTLM is Disabled"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "", "line": " Using CrackMapExec's Spider_Plus module to enumerate all the files on the share"}, {"machine": "HackTheBox - 
Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " Enumerating the Windows Firewall to discover only bginfo64 will be able to communicate out"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Creating a DLL to use with DLL Injection to 7zip"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "", "line": " Running a bunch of icacls commands with our DLL to identify permissions"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "", "line": " We have WriteOwner to BGInfo64.exe, which was allowed through the firewall. We can change the owner and then write our netcat on it!"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 69, "seconds": 0}, "tag": "", "line": " Shell returned as GinaWild, finding an encrypted pfx file in the Recycle Bin"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "", "line": " Cracking the PFX File with CrackPkcs12 to discover it is a code signing certificate"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 82, "seconds": 30}, "tag": "", "line": " Importing the code-signing certificate so we can sign powershell scripts letting us bypass applocker"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 86, "seconds": 50}, "tag": "", "line": " Telling the Get-BadPasswords program to run, and getting a shell as BPassRunner"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "", "line": " Identifying how Get-BadPasswords pulls the NTLM Hashes and then getting Administrators hash"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": 
{"minutes": 89, "seconds": 50}, "tag": "", "line": " Using Impacket's GetTGT to get a ticket as administrator"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Searching the PrestaShop github to find a way to fingerprint the website, discovering INSTALL.TXT then finding the commit that contains our version"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Discovering checkout.shared.htb"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 8, "seconds": 14}, "tag": "", "line": " Examining how the checkout subdomain gets the contents of the shipping cart (cookies), editing the cookie and seeing what happens"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Testing for SQL Injection within the cookie"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Failing to use SQLMap (Debug it at the end of the video)"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Doing the Union SQL Injection manually to enumerate Information Schema then dump the users table and get the passwords"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "", "line": " Cracking the 
password for James_Mason and gaining SSH Access"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Finding files modified between two dates on linux and discovering some interesting files"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Grabbing passwords from the web directory"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Discovering iPython is opened every minute based upon the history file"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Telling LinPeas to look for unique processes and discovering the directory iPython is being ran from"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 31, "seconds": 45}, "tag": "", "line": " Creating a malicious profile to gain code execution when ipython is opened and gaining a shell as dan_smith"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Discovering a golang program that utilizes Redis, copying the binary to our box"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Having Redis connect to netcat and getting the password in clear text"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "", "line": " Enumerating Redis"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " Creating a malicious Redis Module, loading it within Redis and getting code execution"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "", 
"line": " Getting a reverse shell as root"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Going back and getting SQLMap to run. Enabling Debug so we can see the requests SQLMap makes"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap, then going over the website"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Examining all the pages on the blog"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Looking at the report parameter, doing some light testing for SQL Injection before moving on to IDOR"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using ffuf to bruteforce all reports matching upon a word (phrase) on the page"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Attempting to figure out if the md5sum in the logs URL is random by submitting the hash to crackstation"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Discovering a file upload vulnerability, faking a PDF and uploading a PHP Shell"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " When using a PHP Shell System() commands don't work. 
Uploading PHPInfo to view disabled functions and seeing System is blocked"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Getting code execution through Popen() which wasn't blacklisted"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "", "line": " Discovering another webserver is running on localhost, turns out to be Wordpress"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "", "line": " Exploiting the wordpress plugin BrandFolder to get a shell as Lexi"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Lexi has an SSH Key, using SSH to access the server and then setting up a tunnel to access the wordpress site and checking out the PWDMS Plugin"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 40, "seconds": 55}, "tag": "", "line": " Using MySQL to reset a wordpress password, so we can log in"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Gaining access to the box as John"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "", "line": " Finding a Virtual Box file that has an encrypted VDI"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", "line": " Using Hashcat to crack the VirtualBox VDI File"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 52, "seconds": 55}, "tag": "", "line": " Installing the 
VirtualBox extension that would allow us to utilize an encrypted VDI"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "", "line": " Decrypting the VirtualBox VDI Image with VBoxManage"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "", "line": " Mounting the VirtualBox VDI Image and discovering the hard drive is encrytped with LUKSv2"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Cracking the LUKS v2 Password"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "", "line": " Mounting the Luks Drive then discovering a bunch of scripts"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 63, "seconds": 55}, "tag": "", "line": " Doing some bash-fu to extract all variables and run them against the ent command to display entropy, then discovering the password somewhat sticks out, which gets root"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 68, "seconds": 50}, "tag": "", "line": " Another fun trick to find passphrases. 
Creating a regex to path for WORDS_seperated-LIKE-this"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Poking at the DNS Server and discovering its hostname when querying itself"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Using dig to show the reverse lookup aswell, then perform a zone transfer with axfr"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Just showing dnsrecon to bruteforce a range of IP's, not really relavent to this but figured I'd show it"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Poking at the website and logging into the website"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux easy", "line": " Using SQLMap with the login to extract files"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux easy", "line": " SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": 
{"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Having SQLMap extract the nginx configuration and discovering another subdomain"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux easy", "line": " Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL!"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Going over the source code of the LFI to show why this was vulnerable the ../ strip was not recursive"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Using the LFI to discover the user we are running as, then extracting an SSH Key"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Showing another way to weaponize this LFI, poisoning the nginx access log"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux easy", "line": " Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Shell on the box, checking Sudo then using find to see files owned by my user/group and seeing I can write fail2ban rules"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux easy", "line": " Editing iptables-multiport.conf to execute a file instead of banning a user and getting root"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux easy", "line": " Showing an alternate way to discover 
preprod-marketing, using a creative sub domain bruteforce with ffuf"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable."}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 1, "seconds": 1}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux medium", "line": " Testing login of the webapp, finding SQL Injection to bypass it"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux medium", "line": " Running gobuster with our cookie so it has access to any authenticated page"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux medium", "line": " Examining the course edit functionality and discovering how the page tells us if our update was a success"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " Explaning the dangerous thing with update injections, we accidentally changed EVERY row."}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux medium", "line": " Extracting information from this Update Injection in MySQL by editing a second column"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Standard MySQL Injection to extract table information from Information_Schema, then dumping hashes"}, 
{"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Showing a second login form, which is also SQL Injectable"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Examining the Generate PDF Function"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Verifying we can put HTML in the PDF"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux medium", "line": " Going to GitHub Issues and finding issues with MPDF to find vulnerabilities in old versions"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Showing we do have SSRF but this doesn't really give us anything"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " Using Annotations to add loca files into the PDF"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "linux medium", "line": " Dumping source code of the webapp to find the configuration file, then getting the MySQL Password"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Testing the MySQL Password with SSH and logging in as gbyolo"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux medium", "line": " Exploiting Meta-Git to gain access to the developer user"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Shell as Developer and 
running LinPEAS"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 38, "seconds": 48}, "tag": "linux medium", "line": " Testing CVE-2022-2588 as a privesc on Ubuntu, it works! (unintended route)"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Finding GDB has cap_sys_ptrace permissions, which means we can debug processes running as root"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "linux medium", "line": " Using MSFVENOM to generate shellcode to perform a reverse shell, which we will inject into a process"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux medium", "line": " Creating a python script to format the shellcode in a way we can just paste it into gdb"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 46, "seconds": 25}, "tag": "linux medium", "line": " Explaining the modulo operator (%) which is how we will pad our payload"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Building our payload"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Payload has been built! 
Lets inject it into a process and get a shell"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "linux insane", "line": " Looking at the website, looks like there's different behavior for extensions"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux insane", "line": " Registering and logging into an account"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux insane", "line": " An unintended way to login, IDOR within the Forgot Password logic, can change usernames"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux insane", "line": " Uploading a new product, test XSS, File Upload"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux insane", "line": " Using FFUF with a raw http request to test for potential extensions"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux insane", "line": " Using SHTML to test for Server Side Inclusion SSI and leaking web.config"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux insane", "line": " Going over the web.config, pulling out sensitive things"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux insane", "line": " Decrypting the .aspx 
Forms Ticket and forging a new one that states we are admin"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux insane", "line": " The Admin page allows us to generate PDF's, testing for XSS"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux insane", "line": " Attempting to redirect the save to pdf function with a meta tag"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Redirecting to localhost:8000 and discovering the swagger api for encrypt/decrypt"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Creating a webform to autosubmit data and allow us to decrypt a string."}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux insane", "line": " Creating a YSOSERIAL Gadget with our ViewState and ViewStateUserKey protecting it"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "linux insane", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux insane", "line": " Discovering port 8009 is open, setting up a tunnel via SSH and discovering its a different version of the website"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 67, "seconds": 54}, "tag": "linux insane", "line": " The ViewState is protected by AutoGenerate for the key, we cannot do deserialization here"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux insane", "line": " Checking out the Password Reset 
feature and we can edit the token to reveal a Padding Oracle error message"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 72, "seconds": 15}, "tag": "linux insane", "line": " Showing the command injection if we can forge tokens"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 74, "seconds": 5}, "tag": "linux insane", "line": " Using padbuster to create a token that will allow us to perform command injection"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 84, "seconds": 0}, "tag": "linux insane", "line": " ALTERNATE PRIVESC: Using JuicyPotatoNG, attempting to run it says privileged process failed to communicate with COM Server. Need to run with -s to find a suitable port"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro brief descriptions of Elastic, Kibana, Fleet Management, Endpoint Security, Windows Logging"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "", "line": " Logging into our Elastic Box and going to https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-22-04"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Changing the Elastic Repo from 7.x to 8.x, then installing Elastic making sure to grab the default credentials"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Making sure our 
Elastic Database is online with Curl"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Installing Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Generating an enrollment token for Kibana, adding it to the config and starting Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Installing NGINX to put in front of Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Logging into Kibana and setting up the Fleet Integration so we can manage agents"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Copying the Elastic CA Certificate over the fleet, just to make some of our certificates easier"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Installing fleet but adding the --fleet-server-es-ca and --insecure flags "}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "", "line": " Installing the Fleet Agent on our windows box"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", 
"timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Adding the Endpoint and Cloud Security Integration, which has a lot of good alerts for detecting bad things"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Installing the Default Elastic Security Endpoint Rules, without this the Elastic Agent is not monitoring for malicious events!"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "", "line": " Adding the Windows Integration so our agent collects logs"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "", "line": " Uh-Oh We aren't getting any data from our agents. Our elastic endpoint agent is getting an SSL Error when talking to ElasticSearch"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Editing Kibana to let us edit our default fleet settings, so we can modify the Elastic Config on our agents"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "", "line": " Viewing data from our agents! 
"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 35, "seconds": 6}, "tag": "", "line": " Viewing sysmon logs, viewing running processes "}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "", "line": " Viewing sysmon logs for DNS Requests"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " Looking at the default Elastic Alerts for our host. Nothing too special since its a new windows box"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Identifying a Docker exists based upon the Python Version in NMAP + SSH Version [MasterRecon]"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 4, "seconds": 23}, "tag": "linux medium", "line": " Navigating to the website downloading the source code available, there is a git folder switching branches "}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Discovering a vulnerability in the os.path.join command, if we prefix our path with a slash it will overwrite the entire path"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "linux medium", "line": " 
Attempting to upload a malicious cron, docker isn't running cron so it doesn't work"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 14, "seconds": 37}, "tag": "linux medium", "line": " Adding a new route to the application to execute commands"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Able to run commands and get the output"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Creating an endpoint to send reverse shells in the webapp"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux medium", "line": " Looking at port 3000 which was previously filtered. 
Looks like its a Gitea interface but we don't have creds"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux medium", "line": " Uploading Chisel and tunneling to access the website"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux medium", "line": " Looking at old git commits from the source code and finding credentials"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Downloading a SSH Private Key from the Gitea website"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux medium", "line": " Using find to search files modified around the time the SSH Key was uploaded to the box in order to see what else happened [Forensics]"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Showing how to remove lines from the less view &!"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " Checking if Git-Sync is executed with the watch command"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux medium", "line": " Finding out git executes every minute, setting a pre-commit hook to get root"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux medium", "line": " Showing the FSMonitor command in the gitconfig which is another way to execute code, this will run on many other git commands like git status where pre-commit would not"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 0, "seconds": 0}, 
"tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows medium", "line": " Viewing the website and discovering NTLM is disabled"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows medium", "line": " Using Kerbrute to enumerate valid users and then password spray with username"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Bad analogy comparing Kerberos works with TGT/TGS and Movie Theater Tickets"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Using Impacket's GetTGT Script to get Ticket Granting Ticket as Ksimpson and exporting KRB5CCNAME so Impacket uses it"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows medium", "line": " Using GetUserSPN to Kerberoast the DC with Kerberos Authentication and cracking to get SqlSVC's Password"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "windows medium", "line": " Both credentials we have cannot access MSSQL"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows medium", "line": " Creating a silver ticket to gain access to SQL"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Using GetPAC to get a Domain SID"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", 
"timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows medium", "line": " Showing getting Domain SID with LDAPSearch"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows medium", "line": " Creating the Silver Ticket with Impacket's Ticketer"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Showing Impacket creates the ticket with 10 years instead of 10 hours"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "windows medium", "line": " We now have MSSQL Access to the box, enabling xp_cmdshell and getting a reverse shell"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Using JuicyPotatoNG to escalate privileges because we have SeImpersonate Privilege"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows medium", "line": " Running the JuicyPotatoNG Exploit and getting a shell in the unintended way"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows medium", "line": " Enumerating the MSSQL Database and finding credentials"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows medium", "line": " Using Evil-WinRM to login with Kerberos Auth"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "windows medium", "line": " Accessing the box as MiscSvc and finding a dotnet Application "}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "windows medium", "line": " Setting up our linux host 
as a router so our Windows host can communicate to the HTB Network through the linux box"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows medium", "line": " Sniffing the traffic from the dotnet application and discovering it talks to port 4411"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "windows medium", "line": " Looking at debug logs and seeing a serialized object"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "windows medium", "line": " Using YsoSerial.Net to create a malicious base64 object to send us a reverse shell"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "windows medium", "line": " Sending our payload and getting a reverse shell"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Installing Sysmon and the configuration from Neo23x0's Repo"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Explaining the file blocked section"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Viewing the Sysmon log to confirm it is installed and see its EvendID 27"}, {"machine": "Using Sysmon to Block 
Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Creating a Scheduled Task with Event Filter to trigger on Sysmon File Blocked Events"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Event did fire turns out it is case sensitive"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Editing the Scheduled Task event by hand to add ValueQueries which allows arguments to be sent from this Event Filter"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Testing the passing of variables by adding them to the message box"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Start of creating some powershell to send this message to Slack"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Have trouble getting arguments into the powershell script because of Base64 Endcoding, change up our script"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "", "line": " Showing a working copy of the powershell script that sends slack 
messages"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "", "line": " Deploying our scheduled task through Group Policy"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Editing the scheduled task XML file from sysvol"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Showing some differences between Ffuf and Wfuzz"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Finding a known exploit against the Exam Reviewer Management System"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Explaining the boolean injection then running SQLMap"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Using SQLMap to extract databases, tables, and some data"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Discovering the OldManagement site, dumping its database 
then logging in"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux hard", "line": " Exploiting the file upload vulnerability in OldManagement by replacing .htaccess"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux hard", "line": " Explaining various ways a developer may handle the file save"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux hard", "line": " Low privilege shell returned, in a docker find credentials in configuration files. Then SSH into the box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "linux hard", "line": " Examining port 4873 which is Verdaccio, an NPM Registry. Downloading packages to find hard coded credentials"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "linux hard", "line": " Going over the app startup script which we can run with Sudo. 
Ubuntu 18 sudo preserves $HOME variable so we can replace the registry in npmrc with one running on our box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "linux hard", "line": " Using docker on our system to pull and run verdaccio"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "linux hard", "line": " Creating a malicious npm package, then getting a shell on the box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 64, "seconds": 40}, "tag": "linux hard", "line": " Exploiting RoundCube 1.4.2 with CVE-2020-12640"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 0, "seconds": 15}, "tag": "", "line": " Talking about how the attack works and why NetBIOS/LLMNR should be disabled"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Running Responder on a linux host and then attempting to browse a file share on a Windows Host and grabbing the Hash"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Cracking the hashes our computer provided to show how easy it is to steal passwords on a network"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Showing how we can perform an LLMNR request in PowerShell"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", 
"videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Combining the Powershell LLMNR Request with our Slack WebMessage hook to send notifications to slack"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Testing the powershell code out and seeing it send a message to Slack"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Creating Scheduled Task to run this powershell code every 5 minutes"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Converting the powershell to powershell friendly (UTF-16LE) Base64 "}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Changing our scheduled task to write to EventLogs instead of Slack, which is better networks that have Centralized Logging"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Showing the schedueld task runs every 5 minutes."}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates"}, {"machine": "HackTheBox 
- StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Running Feroxbuster and then cancelling it from navigating into a few directories"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Examining the StreamIO Website"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "windows medium", "line": " Finding watch.stream.io/search.php and "}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Fuzzing the search field with ffuf by sending special characters to identify odd behaviors"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows medium", "line": " Writing what we think the query looks like on the backend, so we can understand why our comment did not work. 
"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows medium", "line": " Burpsuite Trick, setting the autoscroll on the repeater tab"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows medium", "line": " Testing for Union Injection now that we know the wildcard trick"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 22, "seconds": 15}, "tag": "windows medium", "line": " Using xp_dirtree to make the MSSQL database connect back to us and steal the hash"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 25, "seconds": 15}, "tag": "windows medium", "line": " Extracting information like version, username, database names, etc from the MSSQL Server"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "windows medium", "line": " Extracting the table name, id from the sysobjects table"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "windows medium", "line": " Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane for mass exfil"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows medium", 
"line": " Extracting column names from the tables"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "windows medium", "line": " Using VIM and SED to make our output a bit prettier"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows medium", "line": " Cracking these MD5sum with Hashcat"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 39, "seconds": 55}, "tag": "windows medium", "line": " Using Hydra to perform a password spray with the credentials we cracked"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "windows medium", "line": " Using FFUF to fuzz the parameter name within admin to discover an LFI"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "windows medium", "line": " Tricking the server into executing code through the admin backdoor, using ConPtyShell to get a reverse shell on windows with a proper TTY"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "windows medium", "line": " Using SQLCMD on the server with the other database credentials we have to extract information from the Backup Database, cracking it and finding valid creds"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking 
Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows medium", "line": " Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract credentials"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "windows medium", "line": " Running CrackMapExec to spray passwords from Firefox to get JDGodd's password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 88, "seconds": 20}, "tag": "windows medium", "line": " Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can read the LAPS Password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 97, "seconds": 6}, "tag": "windows medium", "line": " Extracting the LAPS Password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 106, "seconds": 10}, "tag": "windows medium", "line": " Showing you could have SQLMapped the login form"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Simple concept/video but we will build more upon it in the following weeks. 
"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 30}, "tag": "", "line": " Signing up and installing the client"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Changing our channel to Private and Installing the Webhook"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Creating a PowerShell oneliner to send a message to slack"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "", "line": " Giving the message a little flair by changing the username and icon"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, you should be using centralized logging for this. 
But if not this hackjob will do"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "", "line": " Talking about the Sensitve Command Token"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Examining how this all works, creates three registry keys for Image File Execution Options and SilentProcessExit"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Talking about the \"So much offense in my defense\" phrase. Really loved it, showing a blog about using this technique as a persistence "}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Showing the token works and what the email looked like"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Ranting more about \"so much offense in my defense\" and why blue teamers should learn red team techniques"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Creating a new token so we can deploy this one via Active Directories Group Policy"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 9, 
"seconds": 0}, "tag": "", "line": " Opening GPMC and creating a registry entry"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Running gpupdate /force to show the group policy created the registry keys"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Attempting to get the arguments of our process but failing. Never get this part working."}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Referenced Blogs:"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Scanned - 
Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux insane", "line": " Using MSFVenom to upload a reverse shell to identify what the malware sandbox looks like"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux insane", "line": " Examining the source code of the sandbox"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux insane", "line": " Creating a program in C to see the size of an unsigned long"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux insane", "line": " Creating a program to replace the output of the trace program and exfil data via the return register on the webapp"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux insane", "line": " Creating a python program to automate uploading the file and returning the output"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 27, "seconds": 5}, "tag": "linux insane", "line": " Creating a program in C to perform ls, so we can enumerate the jail"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " Changing our ls to enumerate /proc"}, {"machine": 
"HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 36, "seconds": 25}, "tag": "linux insane", "line": " Adding a readlink() call to our ls program so we can view symlinks"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux insane", "line": " Discovering an open file descriptor in PID 1, using this to escape the jail and read /etc/passwd"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux insane", "line": " Dumping the Django Database"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Using hashcat to crack a custom salted MD5 hash/password"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux insane", "line": " Examining how the sandbox is created on the box itself, explaining how we can abuse setuid binaries because we can write to /lib (path injection)"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux insane", "line": " Using ldd to view all the libraries su needs, copying them to a directory"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux insane", "line": " Creating 
a malicious linux library with a constructor to execute code when it is loaded"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 59, "seconds": 18}, "tag": "linux insane", "line": " Changing our readfile poc to execute su and read the output, discovering we need to modify our malicious library slightly"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 62, "seconds": 10}, "tag": "linux insane", "line": " Adding a misc_conv function so our library loads and getting code execution as root"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " **IMPORTANT: The event filter should be 4625 not 4624."}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Going over CanaryTokens"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Scheduled Task Basics"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Switching over to Event Log"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and 
Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Enabling logging for failures"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Searching Events based upon Event ID via XPATH/XML"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Searching Events based upon data in the Event Log"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Searching a specific field within the event log data"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Adding Boolean Logic to watch multiple events"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Preventing the account from being able to be used by setting login hours to none"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Creating a SPN so the account becomes kerberoastable"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Changing our Search Query to easily find events 
related to the kerberoasting"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "", "line": " Fixing up how we parsed multiple Event ID's"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Exporting and Importing the task"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Copying the webapp from the server to my local box"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 2, "seconds": 55}, "tag": "", "line": " Intalling the required modules to run the pip modules and running the website locally"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Using SSH Port forwarding to forward MySQL, so we don't have to setup a database"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Changing localhost in the web code to 127.0.0.1 which magically fixes an issue we had connecting to the database"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": 
"eojA9k4px-8", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "", "line": " Getting an administrative login, registering a new user and then updating their role"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Running Visual Studio Code which gives us a nice debugger"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Creating a test payload and seeing why it fails"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "", "line": " Going over what $'' is and why it prevented our command execution if we didn't escape it"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "", "line": " When sending over the single quote, it is html encoded. 
Editing variables in the debugger to make sure if we bypass this stage we would have command execution"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "", "line": " Intercepting the request in BurpSuite and discovering the HTML Encoding is done client side, by editing the request we can get RCE!"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 0, "seconds": 17}, "tag": "", "line": " Recap, talking about the flask session cookie and showing hashcat won't crack ours"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Looking at Hashcat's source code, finding module 29100 which is flask session and seeing the max length is set to 27"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Checking out the JWT Module (16500) to see what the sizes are set there. 
Use this module because its similair."}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Downloading the source and compiling"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Testing the new version of hashcat and successfully cracking our Flask Session!"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 6, "seconds": 5}, "tag": "", "line": " Creating an issue/pull request on the Hashcat repo to get our change into the main repo."}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Registering an account"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 2, "seconds": 55}, "tag": "linux medium", "line": " Enumerating valid usernames based upon error message"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 5, "seconds": 
30}, "tag": "linux medium", "line": " Using ffuf to match regex to enumerate valid usernames"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Poking at the web applicaiton trying IDOR/SSTI and failing"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " Looking at the cookie given by the application and discovering it is a Flask Session Cookie"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux medium", "line": " Trying to crack the Flask Session with Hashcat. It fails because I think the payload is too long for hashcat. 
"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Using Flask-Unsign to crack the session"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux medium", "line": " Using flask-unsign to forge a cookie that says we are the Blue User"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Logged into the application as Blue, get the ftp_admin password"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "linux medium", "line": " Unzipping the source code that came from the ftp server and using diff to compare the two versions"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Failing to exploit a command injection vulnerability in the export note function"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux medium", "line": " Going deeper in the export note function to discover it uses a node library md-to-pdf which is vulnerable to RCE"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 43, "seconds": 10}, 
"tag": "linux medium", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "linux medium", "line": " Start of the Raptor Exploit, we pulled a bad version so it isn't immediately going to work for us"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 55, "seconds": 20}, "tag": "linux medium", "line": " Running Show Variables like '%plugin%' which will tell us where we should drop the raptor_udf library file"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 60, "seconds": 30}, "tag": "linux medium", "line": " Using a different version of raptor which has a do_system_init function, this one lets us execute code"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux hard", "line": " Taking a look at websites, making note of all login prompts (bolt, rocketchat)"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux hard", "line": " Start of looking at Jamovi, using the Rj Editor to execute code and get a reverse shell"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux hard", "line": " Using cat to send files over the network to our box and viewing the 
bolt-administration document"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Taking a credential from the document and logging into Bolt CMS"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux hard", "line": " Editing a theme in bolt to give us code execution"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Using script to get a full PTY since python isn't on this box"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux hard", "line": " Looking for passwords for bolt, finding a sqlite database"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "linux hard", "line": " Getting the ip address of the box via the hostname command since ifconfig and ip were not on the box"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Using /proc/net/tcp to get listening ports"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Using the docker container to SSH into the host computer via its docker IP"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux hard", "line": " Using ps -ef --forest to view running processes, can see inside docker containers to find mongo"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux hard", "line": " Using bash to perform a portscan based upon the exit codes of echo'ing data to a network socket"}, {"machine": "HackTheBox - 
Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux hard", "line": " Setting up chisel so we can talk to the mongo port"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux hard", "line": " Using MongoDB Shell to log into mongo and change the user we created to become an administrator on RocketChat"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 44, "seconds": 25}, "tag": "linux hard", "line": " Using Web Hook Integration in RocketChat to get RCE as an authenticated admin"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Manually identifying our Docker Capabilities with /proc/self/status"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux hard", "line": " Using cat to download files from the network and downloading the shocker exploit which should exploit this capability"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux hard", "line": " Was using the wrong shocker exploit to exploit cap_dac_read_search. 
Downloading the one to write files and putting our passwd file on the box"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux easy", "line": " Enumerating the file server"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Cracking the zip file with John"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Cracking the pfx file (PKCS12) with John"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 10, "seconds": 27}, "tag": "linux easy", "line": " Extracting the certificate and key from the pfx file"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 11, "seconds": 24}, "tag": "linux easy", "line": " Using evil-winrm to login with the certificate"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Checking the PSReadline file and getting another credential"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 16, "seconds": 5}, "tag": "linux easy", "line": " Logging in with svc_deploy, failing to run bloodhound "}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Running net user discovering we are in LAPS Group"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 23, "seconds": 0}, "tag": 
"linux easy", "line": " Running get-adcomputer to get the LAPS Password"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Showing a python script to extract LAPS Passwords"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "", "line": " Talking about what the page parameter does and why its normally vulnerable to LFI"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Running gobuster to get a list of files on the webserver while we poke at the LFI"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "", "line": " Finding an LFI in combination with an EAR (Execute After Read) Vulnerability. 
Then examining the source code of index.php to see the vulnerability"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " There was an sanitize string function that wasn't recursive, explaining how we could exploit this."}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Discovering beta.html which is a license upload, grabbing the source code and vulnerable application"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Grabbing netstat like information, running processes, and memory maps with our LFI Vulnerability"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "", "line": " Playing with the activate_license executable and finding a buffer overflow"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Using GDB to examine the crash, need to use set follow-fork-mode child to follow the fork"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Crashing the program with a pattern and finding the offset to RSP"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "", "line": " Start of creating our exploit script"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "", "line": " Extracting where activate_license and libc exists within memory using the /proc/pid/maps file"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Using objdump to dump the location of system() within the libc version running on the target"}, 
{"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 27, "seconds": 57}, "tag": "", "line": " Using ropper to search for gadgets, pop rdi - pop rdx - and one to move values from rdx to rdi"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " Using readelf to look for a writable space within memory for us to write our malicious command to"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Building the rop chain to write our command to memory, then call system"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 37, "seconds": 43}, "tag": "", "line": " Reverse shell returned running linpeas a"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Failing to run CVE-2022-0847, not sure why"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Discovering a timer that backs up the website as the dev user and its vulnerable to a symlink attack. 
Grabbing the home directory of dev which has an ssh key"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 46, "seconds": 20}, "tag": "", "line": " Examining the ememu directory in dev which is a C Program"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "", "line": " Talking about Binfms and how we will be able to create an interpreter for extensions that executes code as root"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "", "line": " Talking about the cap_dac_override permission"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Exploiting our ability to write to the binfmt_misc/register to get root"}, {"machine": "HackTheBox - Late", "videoId": "3s_eVc6KyM8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Time stamps will be added tonight"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap, going over some standard cookies and knowing the web technology behind it"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux medium", "line": " Checking what the main webpage is, discovering an APK File"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Analysing the APK file with JADX-GUI"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Searching for strings, finding some tokens"}, {"machine": "HackTheBox - Catch", 
"videoId": "XAZI361XgRU", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Looking at the Gitea API to discover how to use our token"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "linux medium", "line": " Looking at the Lets Chat API to discover how to use our token and dumping a list of rooms"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " Using the Lets Chat API to dump messages from a room and discovering credentials"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux medium", "line": " Logging into the Catchet webserver finding the version and discovering known vulnerabilities"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Using a CVE-2021-39174 POC to dump the Catchet Configuration and get a password (SSTI)"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux medium", "line": " Logging into the box as will"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux medium", "line": " Discovering a verify.sh script that has a command injection when verifying APK Files"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Using apktool to decompile the APK so we can change the name and repackage it"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux medium", "line": " Having trouble repacking our APK file, need to update APKTool. 
Then getting root"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux medium", "line": " Showing another way to pop the Catchet server, by updating the Cache configuration to point to our REDIS instance and phpggc to create a deserialization gadget"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap, the Server Header changes based upon DNS"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Navigating to the website, discovering the \"New Starter Form\" which has some key information like a welcome password and username convention"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows hard", "line": " Password spraying the Powershell Web Access (PSWA), discovering a valid credential but wrong host, word document had another host which is valid for edavies"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows hard", "line": " Playing around in the PSWA"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows hard", "line": " Looking at hidden files, discovering c:\\utils\\desktop.ini which states its a directory that is excluded by AV"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows hard", "line": " Making the mistake of running WinPEAS inside the PSWA"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows hard", "line": " Setting 
up ConPtyShell to get a proper PTY reverse shell on windows"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows hard", "line": " Making some light modifications to ConPtyShell in order to evade antivirus"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows hard", "line": " Getting the ConPtyShell and showing the colors/tab autocomplete"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows hard", "line": " Running WinPEAS to show another user is logged on (and the AV Exclusions)"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "windows hard", "line": " Switching to Metasploit, because it makes it easier to migrate into an interactive process, which allows us access to view the desktop of the logged in user"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows hard", "line": " Using Screenshot and Screenshare inside of meterpreter to record the screen and get a password that was typed onto a terminal (imonks)"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows hard", "line": " Creating a credential object with imonks, so we can Invoke-Command on the domain controller"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " When specifying the correct configurationname our enter-pssession fails because we can't run measure-object. 
Running Get-Command and Get-Alias to view what commands we can run"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "windows hard", "line": " Discovering wm.ps1, which we can modify to get a shell as jmorgan on our desktop"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "windows hard", "line": " Creating a powershell one-liner to replace a string in a file with cat and set-content"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "windows hard", "line": " Screwed up our fail because of a random line break. Playing around with it until we can fix it."}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows hard", "line": " Shell returned as JMorgan, dumping the SAM/SYSTEM files and cracking local passwords on the workstation"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "windows hard", "line": " Looking at other Domain Users, attempting to password spray the users we don't have in order to see if there's password re-use between local desktop and domain"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " We are awallace on the Domain Controller, getting a reverse shell"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows hard", "line": " Discovering c:\\Program Files\\KeepMeOn, which is executing .bat files every 5 minutes. 
Putting our powershell one liner in there and getting a shell as lhopkins"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "windows hard", "line": " Shell as lhopkins, but still not domain administrator running bloodhound"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 81, "seconds": 40}, "tag": "windows hard", "line": " Going over the Bloodhound Data"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 83, "seconds": 40}, "tag": "windows hard", "line": " Adding edavies to the Site_Admin group"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 92, "seconds": 50}, "tag": "windows hard", "line": " Adding imonks to the Site_admin group, then andding ippsec to domain admins"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Downloading the APK"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Running apktool to decode the APK, examining files, don't get much info"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Finding a certificate in the application that gives up the host name"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Trying out another APK Decompiler, Bytecode Viewer"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 10, "seconds": 
15}, "tag": "", "line": " Start of setting up Genymotion"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Setting up the phone, accidentally choosing an ancient version which won't work"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Dragging the app to install it to the phone, get an error have to manually look at log file"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Setting up a newer phone so we can install the apk"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Installing the APK"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "", "line": " Configuring our phone to go through BurpSuite"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Changing burpsuite to listen on all hosts"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Showing the app is now going through burpsuite, adding the hostname to our host file"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Finding command injection in the communication between app and server, reverse shell fails"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "", "line": " Putting an SSH Key on the box "}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "", "line": " Got a shell on the box digging through to figure out the 
SSH Server, finding something interesting but don't dig in"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Discovering the rules.v6 file for iptables likely isn't changed, discovering this is a way around the firewall block."}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Running LinPEAS but curling it over ipv6, http.server didn't listen, switching to netcat"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Running CVE-2021-3156, sudo baron samedit exploit"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " Using IPv6 with our bash reverse shell"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction, talking about why I think APT-29 successfully phishing is funny"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Unit42's blog post talking about how the phishing document worked"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " Going to google to show APT29 doing the lnk file in a zip since atleast 2016, Mandiant post."}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Talking about why phishers put 
executables or things to click on in zip/iso/compressed folders"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Talking about why they may use DLL Side Loading to execute the shellcode"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "", "line": " Showing what the user see's when they open the iso file"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 7, "seconds": 48}, "tag": "", "line": " Talking about why we are starting with shellcode instead of a weaponized document and why red teams like shellcode"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Using MSFVenom to generate a malicious executable with custom shellcode from BRc4"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Opening the executable with x64dbg, so we can extract a program from memory. 
This is great for when the shellcode is obfuscated through like shikata ga nai"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Setting a breakpoint on LdrLoadDll, showing the memory map is empty"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "", "line": " Running the program, examining memory on LdrLoadDll breakpoint. Showing a weird Execute-Read Permission, which initially was Read-write (screwed up initially explaining it)"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "", "line": " The E_MAGIC (MZ Header) is nulled out, talking about why the brute ratel may do that"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "", "line": " Dumping the memory to a file, copying it to linux where i have ida"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Using hexedit to set the first two bits to MZ, so ida recognizes it as an executable"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "", "line": " Talking about ordinal loading"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", 
"timestamp": {"minutes": 18, "seconds": 5}, "tag": "", "line": " Showing the applicaiton uses ror13 hashes to call functions to avoid strings. Using google to find what the hash goes to"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "", "line": " The coffee string is weird, going into it"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "", "line": " Looking at a function that looks like it sends strings to the teamserver"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Showing similarities of the coff loader from trusted sec"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Converting another ror13 hash in badger to a function"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "", "line": " Having ida show all strings"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Looking at the AMSI Patch thing"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 26, "seconds": 35}, "tag": "", "line": " Stumbling across a static encryption key"}, 
{"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " Looking at a likely PSExec functionality, maybe an IOC? Service name: ServicesActive"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Looking at the EnableDebug command and explaining why i think all these strings may be in the binary right now, they are likely gone now."}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux medium", "line": " Running gobuster against store.djewelry.htb and discovering a vendor directory that has phpunit"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux medium", "line": " Exploiting phpunit to get a shell on the box"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Shell recieved on the box as www-data"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Looking for files owned by www-data on the box by using find to discover /var/backups/info"}, {"machine": 
"HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Running strings against the /var/backups/info file and discovering a hex string that is a shell script. Using CyberChef to decode it and gain access to steven"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " ssh in as steven, talking about the duplicate users as steven and steven1 have the said uid/gid"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Talking about timestamps, my favorite way to find tools left behind by hackers"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux medium", "line": " Using find -type f -printf \"%T %p\\n\"to show the full time stamp for files"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "linux medium", "line": " Using find to find files that were created 00:00:00, which is an indication of time stomping. 
Discovering a backdoored copy of sshd"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Running the backdoored binary in Ghidra and discovering a backdoor in the login function"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux medium", "line": " Extracting the backdoor password and using CyberChef to decode it"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux medium", "line": " We skipped a step, finding and examining a backdoored apache module"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux medium", "line": " The easy way of doing strings and decoding the bsae64 to discover what the backdoor did"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux medium", "line": " Having trouble analyzing this with Ghidra"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Switching to Cutter which handles this binary better"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "linux medium", "line": " Going back to Ghidra and seeing what we missed"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 2, "seconds": 22}, "tag": "linux hard", "line": " Taking a look at the SSL Certificates and website 
to find blog/forum"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 4, "seconds": 57}, "tag": "linux hard", "line": " Running WPScan, explaining why i like aggressive scanning"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Running SQLMap to confirm the injection"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Examining the Wordpress Database structure, so we can run SQLMap to dump very specific things"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux hard", "line": " Cracking wordpress credentials to find out we can't use any because of MFA"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "linux hard", "line": " Using our SQL Injection to dump a list of activated plugins in wordpress"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Finding an exploit in the Download From Files plugin, converting it to ignore SSL Validation Errors"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux hard", "line": " Uploading a malicious phtml (php) file to get a shell on the box"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Examining how MFA is enabled on SSH/SU by looking at PAM files"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": 
{"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Discovering the 10.11.12.13 network can bypass MFA, which our host is on."}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Using find to show files created between two dates"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "linux hard", "line": " Discovering backups are created in /backups and explaining why we cannot view other users processes (hidepid)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Looking in the */local/bin directories to discover an obfuscated shell script (sh.x)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Running the script and then examining the /proc/pid directory to find the shell script unobfuscated in the cmdline"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "linux hard", "line": " Explaining wildcard injection"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Exploiting the wildcard injection in rsync"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux hard", "line": " Showing how we could of used the SQL Injection to leak all the secrets in the MFA Plugin and generate our own codes"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "linux hard", "line": " Looking at the MiniOrange MFA Source Code, the uninstall.php shows a lot of good information"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 
63, "seconds": 45}, "tag": "linux hard", "line": " Showing how to do a \"pretty print\" or format output better in a MySQL Command (using \\G instead of ;)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 66, "seconds": 45}, "tag": "linux hard", "line": " Failing to generate a QR Code that we can use google authenticator to login with"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 72, "seconds": 44}, "tag": "linux hard", "line": " Going back to the source code to find another way to generate MFA Codes"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 75, "seconds": 45}, "tag": "linux hard", "line": " Fixing our generator script to decrypt the secret which we can paste to oauthtool and get a MFA Code"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Checking out what version of Centos is running"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Running Feroxbuster and GoBuster"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux easy", "line": " Noticing a X-Backend-SErver header that leaks the virtual host Office.Paper"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Showing my favorite nmap script Banner-Plus "}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 6, "seconds": 45}, "tag": 
"linux easy", "line": " Office.Paper is wordpress, running wp-scan"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Discovering a vulnerability that lets us read posts that are in drafts, finding a Rocket Chat Server"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Discovering a Rocker Chat Bot finding an LFI and getting a password which we can use to ssh"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Looking at the ps output of the server to see who the bot runs as"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "linux easy", "line": " Finding out it is vulnerable to CVE-2021-3560 Polkit Privilege Escalation"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 22, "seconds": 8}, "tag": "linux easy", "line": " Running the polkit exploit and creating a secnigma user"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Running a VHOST enumeration scan"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Discovering the Metaview application which is an image upload"}, {"machine": 
"HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux medium", "line": " Attempting to exploit the file upload, uploading non images. "}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Editing the exif metadata to put PHP tags in the image, still failing to get code execution but find XSS"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Looking for public exploits against exiftool"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Creating a malicious image with CVE-2021-22204 against ExifTool, DjVu exploit"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, examining the application"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Discovering Convert_images directory, using grep to find out if anything uses it and finding a script"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Finding the convert_images script uses an old copy of mogrify which uses image magic and has a vulnerability"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Exploiting CVE-2020-29599 in mogrify/image magic"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " Our user can run neofetch with sudo, and XDG_CONFIG_HOME is preserved. 
Exploiting it by putting a malicious config"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Running feroxbuster and discovering image.php"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 5, "seconds": 5}, "tag": "", "line": " Fuzzing image.php for parameters and discovering an LFI"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Enumerating the WAF to find blacklisted strings and then using a php filter to extract source"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Examing the login.php source code and discovering a timing attack"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Demonstrating attempting to login with valid users takes a longer time so we can bruteforce users"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Creating a python script to enumerate users"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Logging in with aaron:arron (guessed the password)"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Extracting upload.php and admin_auth_check.php to see how we can upload files"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 23, "seconds": 30}, 
"tag": "", "line": " Attempting a mass assignment vulnerability on profile_update.php and discovering we can change our roles"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " Discovering a timing attack to discover filenames uploaded, which can be chained with our LFI to execute code"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "", "line": " Using the CLI PHP Interpreter to generate potential filenames"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "", "line": " Uploading a webshell and then generating the filename based upon time"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Executing commands on the box, discovering we can't do reverse shells"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Using my Forward Shell Python script to gain an interactive shell on the box"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "", "line": " Discovering a backup directory that has the web source but also the git repo"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "", "line": " SSH in as aaron and discovering he can run the netutils binary with sudo, which uses Axel to download files"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Tricking axel to write to authorized_keys via symlinks"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "", "line": " Demonstrating we didn't need that sleep(1) for the initial timing attack 
where we can enumerate valid users to work"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux hard", "line": " Start of nmap, discovering a webserver and filtered port"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux hard", "line": " Discovering a hostname in the 404 not found message in the mailto section"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "linux hard", "line": " Gobuster VHOST Discoery finds the subdomain db.admirer-gallery.htb which is adminer. Playing with the application and raw SQL Commands"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "linux hard", "line": " Trying to write files with INTO OUTFILE, also testing the secure file priv default directory for MySQL which is the most reliable"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux hard", "line": " Going to google and finding this version of adminer is vulnerable to a SSRF, but having trouble with this because the login for adminer is different"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux hard", "line": " Intercepting the login request, finding a hardcoded password that doesn't really help us"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Installing adminer in a docker container, so we can play with the application locally which helps us understand the SSRF Exploit"}, {"machine": "HackTheBox - AdmirerToo", 
"videoId": "446sWtb5bc4", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux hard", "line": " Finding a python3 http server redirect example to use for our SSRF"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux hard", "line": " Performing the SSRF Vulnerability failing to extract local files"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " The CSRF is annoying, configuring burpsuite to replace variables in our post automatically so we don't need to manually intercept."}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " Having the SSRF access localhost:4242 (the filtered port from nmap), we see the OpenTSDB application, finding an exploit"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux hard", "line": " Exploit fails, it complains about an invalid metric. Googling to find OpenTSDB API Documentation and finding an endpoint to list metrics"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Updating the exploit to use the http.stats.web.hits metric and getting RCE"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux hard", "line": " Finding database credentials in server.php, which also are jennifers credentials. 
"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Enumerating Apache configuration files, discovering one webserver runs as devel"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 39, "seconds": 20}, "tag": "linux hard", "line": " Discovering a PHP Object Injection vulnerability in a OpenCats which is a webserver running on localhost, jennifer can login. We can't write to the web directory thoe"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Discovering devel can write to /usr/local/etc/ and fail2ban is installed, which has an RCE with whois"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Running strace on whois to discover it looks at /usr/local/etc/whois.conf"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Using phpgcc to test our file write to see what the file looks like"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Looking at an example whois configuration file"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux hard", "line": " Explaining our payload and doing some weird regex termination to get this to work"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Looking at the whois source code to see it only reads the first 512 bytes of the configuration file"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux 
hard", "line": " Creating the whois configuration file, which starts with ]* to terminate the regex, then puts 500 spaces to get rid of the appended data by the exploit"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Creating our payload for the fail2ban whois exploit and getting root"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Using nmap to scan NMAP"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Doing a SNMPWalk talking about SNMP Mibs and how to install them, then using snmpbulkwalk to speed up the scan"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux easy", "line": " Finding all the unique fields in our SNMPWalk with grep, sort, and uniq. 
Which helps find fields of value"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " SNMP Allowed us to view running processes on a box, a password was in the argument so we can ssh in"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " SSH into the box and looking at the webserver files and configs"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "linux easy", "line": " Looking at Apache's config seeing there's a different site available to localhost, doing a SSH Tunnel to access it"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Finding an unauthenticated pandora fms exploit via google, playing with the injection manually"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "linux easy", "line": " Using SQLMap to automatically dump the database of pandora"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "linux easy", "line": " Testing sessions, should have used wfuzz or something to test all of these quickly"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux easy", "line": " Using the union injection to login as admin by placing a php serialized object that it expects"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " With admin access to Pandora FMS we can upload a shell and get code execution"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 43, "seconds": 33}, "tag": "linux easy", "line": " Going over 
LinPEAS Results"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "linux easy", "line": " Finding a custom SetUID File called Pandora_Backup"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux easy", "line": " Running strings against the binary shows the tar command without an absolute path, so it is likely vulnerable to command injection, going into Ghidra to confirm"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 50, "seconds": 45}, "tag": "linux easy", "line": " Showing the path traversal"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux easy", "line": " The exploit didn't work because something isn't letting us do a SetUID. Digging into it"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux easy", "line": " Using SSH to log into the box and then running the exploit and seeing it works"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 59, "seconds": 25}, "tag": "linux easy", "line": " Showing the intended way to exploit Pandora, just finding a valid session cookie, and then a cmd injection vulnerability in ajax.php"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux insane", "line": " Start of nmap, checking websites seeing old copyrights"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux insane", "line": " Discovering the HTTP Redirect on /login is pretty big, so its likely an EAR Vulnerability"}, 
{"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux insane", "line": " Discovering a LFI that enables us to read source code, chaining it with the proc directory and using wfuzz to discover additional python files"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " While our wfuzz runs testing against a login endpoint to discover an XSS in another webapp"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux insane", "line": " Going over the Python Source code"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "linux insane", "line": " Discovering Hibernate Query Injection (HQL) on the login page on port 8080"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux insane", "line": " Going over HQL (Hibernate) Injection Using boolean injection to login but need the browser fingerprint of the user"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux insane", "line": " Using our XSS to execute the fingerprint function and sending it to our server"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux insane", "line": " Logging into the application with our custom fingerprint and boolean injection, getting a JWT with a Serialized Base64 Encoded Java Object"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " Examining the Backups Directory and finding Java Sourcecode to the app on port 8080"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux insane", "line": " Going over the javacode we have to discover we can probably craft a deserialization payload to gain code execution"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "linux insane", "line": " Opening up Eclipse and building our java project which we'll use to create a deserialization gadget"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 72, "seconds": 40}, "tag": "linux insane", "line": " We can now compile our java project, lets creating the first serialized object which tells the server we are an admin"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 76, "seconds": 20}, "tag": "linux insane", "line": " Creating the second part of the Java Payload which puts the malicious code into our username"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Our exploit didn't work right awy, going over it again and finding some mistakes"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 91, "seconds": 48}, "tag": "linux insane", "line": " Got our reverse shell, discovering a binary cmatch which lets is exfil files one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 96, "seconds": 40}, "tag": "linux insane", "line": " Creating a python script to use cmatch to bruteforce the file one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux insane", "line": " Downloading the Java App that runs on port 8080 to see the database credentials, which can decrypt the SSH Key retrieved from cmatch"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 118, "seconds": 50}, "tag": "linux insane", "line": " Discovering a flask backup that is a new version of the Webapp on port 80 that has improved authentication"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 119, "seconds": 50}, "tag": "linux insane", "line": " Explaining the flaw of this webapp, it puts the secret after user controlled data, which enables us to bruteforce this one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 121, "seconds": 50}, "tag": "linux insane", "line": " Poorly explaining the bruteforcing the secret of AES ECB one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 126, "seconds": 10}, "tag": "linux insane", "line": " Using the XSS from earlier to steal cookies, which gives us an unprivileged user on the dev app"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 129, "seconds": 8}, "tag": "linux insane", "line": " Using curl on the /profile endpoint to set a new username and show we can have the server give us a new cookie which lets us bruteforce the secret"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 136, "seconds": 20}, "tag": "linux insane", "line": " Creating a python script to bruteforce the secret the server appends to our username before encrypting"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 151, "seconds": 35}, "tag": "linux insane", "line": " Running our script to bruteforce the data"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 153, "seconds": 50}, "tag": "linux insane", "line": " Creating a new username with the secret, which will trick the server into thinking we are an admin"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 157, "seconds": 20}, "tag": "linux insane", "line": " Now that we are logged in, the server runs as root so we can just get the root ssh key"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 159, "seconds": 0}, "tag": "linux insane", "line": " Going over the HQL a little more to show we could have extracted the fingerprint"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro "}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux medium", "line": " Registering and logging in and examining what a regular user can do"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Playing with the file upload capability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Discovering there is a JWT in our HTTP Request, examining it to see it is RS256 and has a claim"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Explaining how we are going to exploit the Claim Misuse vulnerability in this JWT"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux medium", "line": " Creating a JWT Header that will have a modified URL for the claim, website says its an invalid key but doesn't reach out to us"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux medium", "line": " Using the redirect functionality on 
the web page to allow us to place the websites domain in our JKU Claim "}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Modifying the JWK File to place our own RSA Key and generating one with ssh-keygen and openssl"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Showing us pulling N and E out of the RSA Key"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Converting the SSH Public key into a Certificate"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 24, "seconds": 24}, "tag": "linux medium", "line": " Updating the JWT to change our name to admin and finding a LFI Vulnerability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "linux medium", "line": " Attempting to use WFUZZ to bypass the filter"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Giving up fuzzing wtih wfuzz"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux medium", "line": " Explaining why I'm going to try testing for unicode normalization and what it is, grabbing a payload from HackTricks"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux medium", "line": " Exploring /proc/self/ and hunting for the location of the webapp"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 39, "seconds": 2}, "tag": "linux medium", "line": " Finding the python application by using the /proc/self/cwd directory, then grabbing db.yaml and getting SSH 
Credentials"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux medium", "line": " Discovering a TREPORT Binary, which is a compiled python file"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux medium", "line": " Discovering the TREPORT Binary uses curl, which is weird"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Discovering the TREPORT Binary will allow us to use the file wrapper if we bypass the filter"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux medium", "line": " Bypassing the space filter in the TREPORT Binary using brace expansion in bash and having curl write the flag to /tmp"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Downloading a SSH Key and allowing us to login as root"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux medium", "line": " Examining the Web Application to show the Unicode Normalization Vulnerability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux medium", "line": " Looking at the user table, to discover admin doesn't exist"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 57, "seconds": 58}, "tag": "linux medium", "line": " Finding out the login form was supposed to display errors but didn't because of a lacking some Jinja2 Templating Code"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux medium", "line": " Flailing around fixing the template to display error 
messages"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "linux medium", "line": " Talking about why dirbusting an API is different. Bruteforce methods instead of extensions and 404 doesn't terminate recursion"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Installing the latest version of FeroxBuster"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux medium", "line": " Running FeroxBuster with Force Recursion and multiple HTTP methods to discover user endpoints"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux medium", "line": " Downloading all users, creating a single json file, then using JQ to enable us to filter users"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 10, "seconds": 8}, "tag": "linux medium", "line": " Registering an account via the Signup endpoint. 
Analyzing errors to identify how it wants data"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "linux medium", "line": " Logging into the application in order to get a bearer token"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 13, "seconds": 8}, "tag": "linux medium", "line": " Using BurpSuite to add the Bearer Token to our HTTP Request and accessing /docs/"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Playing with the edit endpoint in the docs page"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 16, "seconds": 38}, "tag": "linux medium", "line": " Testing for Mass Assignment, by editing our profile but adding the is_superuser parameter"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "linux medium", "line": " Using the file endpoint to extract files from the application"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux medium", "line": " Creating a bash script to make extracting files easier for us"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "linux medium", "line": " Using the LFI to examine the /proc/ directory to get cmdline of pid and ppid, along with environment variables"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 26, "seconds": 35}, "tag": "linux medium", "line": " Examining the LFI Source Code to identify how the application works and JWT is created"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Trying to write files, discovering we need to edit our JWT"}, {"machine": "UHC - BackendTwo", 
"videoId": "QfAh47RlZjw", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux medium", "line": " Creating a bash script that will update the webserver code to include another endpoint to send a reverse shell"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux medium", "line": " Reverse shell returned, reviewing the logs to identify a password was entered as a username"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Trying to use Sudo and getting to PAM-Wordle"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 45, "seconds": 5}, "tag": "linux medium", "line": " Analyzing timestamps on the filesystem with find to identify a PAM Module that was manually placed on the file system (not put there by APT)"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 48, "seconds": 25}, "tag": "linux medium", "line": " Running strings on the PAM Module, discovering the wordlist used for wordle is in a user-readable directory"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Using the wordlist to cheat wordle and root the box"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux medium", "line": " Examining the source code of the box to identify why it is vulnerable to the Mass Assignment"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro talking about why we want to parse Bloodhound Data with JQ to create lists"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": 
"o3W4H0UfDmQ", "timestamp": {"minutes": 0, "seconds": 43}, "tag": "", "line": " Just examining the data in Bloodhound"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "", "line": " Writing a Cipher Query to show all enabled users in Bloodhound"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "", "line": " Showing Bloodhound Debug Mode which will show Cipher Queries when you run them"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "", "line": " Start of looking at Bloodhound Data"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "", "line": " Digging through the JSON Structure with JQ to get to the Properties of a User"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Showing all the names, if we wanted to remove the quotes, we could use the -r flag for raw"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Using the Select Query in JQ to show only enabled/disabled users"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " 
Outputting multiple fields in JQ so we can show usernames + descriptions"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Using JQ to filter out descriptions with null to only show AD Accounts with a description"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Talking about LastLogon and LastLogonTimeStamp"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "", "line": " Converting integers to string in JQ so we can output them"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Outputting all accounts where a PwdLastSet is Greater than the users last logon"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Using JQ to filter out empty array's which lets use find all accounts that are kerberoastable"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Using JQ to parse the computers and showing operating systems"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Filtering out 
Operating Systems which may help us find end of life OS's"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Using JQ to show each computers last logon which will let us view all active computers"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux hard", "line": " Using Kerbrute to identify valid users "}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Finding credentials for Hope.Sharp in an image on the website"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux hard", "line": " Showing Kerbrute paswordspray silently fails when time is out of sync"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Having troubles running the Python Bloodhound Ingestor, a digestmod error"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Giving up fixing my environment, creating a python virtual environment to run this script"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Uploading data to bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPN and Cracking the hash"}, {"machine": "HackTheBox - Search", "videoId": 
"c8Qbloh6Lqg", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux hard", "line": " Parsing the raw Bloodhound Data with JQ and dumping all the valid usernames"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux hard", "line": " Using JQ select to show only the users that are enabled, its sql like syntax"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux hard", "line": " Running a password spray with kerbrute to find edgar.jacobs has the same credentials as Web_SVC"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys)"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Using SMBClient to download files, getting an excel document that has a protected row, modifying the document to remove the password and getting more passwords"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux hard", "line": " Using CME to run a large password spray guessing a single specific password for each user with the no bruteforce flag"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "linux hard", "line": " Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset password of an administrator"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux hard", "line": " Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John"}, {"machine": "HackTheBox 
- Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "linux hard", "line": " Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a Powershell WebConsole"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "linux hard", "line": " Gaining a powershell webconsole, flailing around a littlebit trying to read the GMSA Password"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 59, "seconds": 43}, "tag": "linux hard", "line": " Using Get-ADServiceAccount on to read information about the GMSA Account and get the password"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux hard", "line": " Running commands as the GMSA User with Powershell and Invoke-Command to reset Tristan.Davies Password... We could of psexec'd after this but I decided to do it the hard way. 
"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "linux hard", "line": " Getting a Nishang Reverse Shell, thought this would be easy but there's quite a bit of AV Evasion we have to do "}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 74, "seconds": 40}, "tag": "linux hard", "line": " Getting rid of some of the reverse shell output allows nishang to bypass AV"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 80, "seconds": 25}, "tag": "linux hard", "line": " Using John to Crack the PFX File, I forgot to use pfx2john prior."}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux easy", "line": " Starting WPSCAN"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " There's no index.php in wp-content/plugins/, which lets us find a vulnerable plugin (eBook Download 1.1)"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Playing with the eBook Download LFI"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Doing a full nmap portscan"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Using the LFI to extract the process names with curling /proc and doing some cut/sed magic"}, {"machine": "HackTheBox - Backdoor", 
"videoId": "4zrypJMVWpc", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Downloading the cmdline for the first 1000 PID's"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " Using find to show us files greater than a couple bytes to show us every valid PID"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Examining the final output, discovering screen running and gdb"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Using metasploit to exploit GDB"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux easy", "line": " Reverse shell returned, playing with screen to connect to the session"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Attaching to the root session, then digging into why this worked"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux easy", "line": " Digging into wpscan to see how to make it find this"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux insane", "line": " Discovering backup.toby.htb and discovering GOGS"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux insane", "line": " 
Discovering a backup project in toby-admin, which is wordpress"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 9, "seconds": 38}, "tag": "linux insane", "line": " Downloading and running php malicious file scanner and finding a backdoor in the web code"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux insane", "line": " Finding the backdoor in comment.php and finding out its packed a bunch of times. Using a loop to get it back to the original code."}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux insane", "line": " Analyzing the depacked malware, to see it will run a function on a specially crafted comment"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "linux insane", "line": " Placing the comment which should trigger the backdoor, then analyzing what happens"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux insane", "line": " Wireshark shows the box starts a request on port 20053, listening and discovering it sends us data encryped with our secret"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux insane", "line": " Changing the secret to be 00, so it doesn't xor anything making it a bit easier for us to analyze"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "linux insane", "line": " Sending it a command by XOR'ing it with the key the server sends back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux insane", "line": " Creating a python script to automate this"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": 
{"minutes": 40, "seconds": 22}, "tag": "linux insane", "line": " Reverse shell returned python isn't there so using script to get our regular TTY"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 42, "seconds": 15}, "tag": "linux insane", "line": " Looking at /proc to see network information since ifconfig and ip are not on the box"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux insane", "line": " Running chisel to setup a proxy back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux insane", "line": " Connecting to the MySQL Database to crack wordpress accounts"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "linux insane", "line": " Logging into the GOGS instance as toby-admin, downloading personal-webapp source code"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux insane", "line": " Making the webapp talk initiate a MySQL Connection back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Editing our mysql instance to allow a host, but first we have to reset our mysql root password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "linux insane", "line": " Extracting the SALT + Password from wireshark of MySQL Trying to log into us, figuring out how to convert it so we can crack"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 76, "seconds": 38}, "tag": "linux insane", "line": " Converting the SALTS to hex, which is what hashcat needs, then trying to crack the mysql password but failing"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", 
"timestamp": {"minutes": 78, "seconds": 35}, "tag": "linux insane", "line": " Discovering the password used the password generator which is using the epoch time as a seed for random"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "linux insane", "line": " Copying the PWGenerator code to create a new wordlist of all potential passwords"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 85, "seconds": 49}, "tag": "linux insane", "line": " MySQL Password has been cracked, this provides us ssh access to the MySQL Docker container"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 88, "seconds": 17}, "tag": "linux insane", "line": " Running pspy on the MySQL Container discover an SSH key gets temporarily written"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 90, "seconds": 36}, "tag": "linux insane", "line": " Writing a loop that runs cat against a file until it exists, then stops to get the SSH Key, which gets us on the host"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux insane", "line": " Decrypting the SQLite Database we had found earlier"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 99, "seconds": 50}, "tag": "linux insane", "line": " Hunting for a backdoor on the system by looking at full timestamps, since package managers chop simplify the time, which may make backdoors stick out"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "linux insane", "line": " Discovering the a pam library and /etc/.bd file"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 107, "seconds": 0}, "tag": "linux insane", "line": " Analyzing the pam library in ghidra to discover it allows a BD password to 
login, but also allows people to bruteforce the backdoor password 1 character at a time"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 113, "seconds": 20}, "tag": "linux insane", "line": " Explaining how we are going to bruteforce this password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 116, "seconds": 30}, "tag": "linux insane", "line": " Creating a shell script to bruteforce the password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 120, "seconds": 45}, "tag": "linux insane", "line": " Bruteforcing the password and getting root"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro talking about crowdsec and its multiplayer firewall"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "", "line": " Showing my setup, 3 web servers, 2 attack servers"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Installing Crowdsec"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Going over the command line interface, CSCLI showing decisions"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " Showing descisions -a to go over every CrowdSec ban list"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - 
Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Attacking the webserver, showing it detect the SSH Brute Force"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "", "line": " Installing the CrowdSec Bouncer, then showing the attack box is now blocked"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "", "line": " Using iptables and ipset to show how CrowdSec Blocks things (with iptables)"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "", "line": " Looking at Collections and Scenarios to see how CrowdSec works "}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Looking at the CrowdSec documentation to understand the inner workings"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 15, "seconds": 13}, "tag": "", "line": " Showing Crowdsec would block us for using GoBuster"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "", "line": " Installing the dashboard to see the fancy graphical reporting from CrowdSec"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": 
{"minutes": 20, "seconds": 40}, "tag": "", "line": " Logged into the Dashboard"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "", "line": " Deleting descisions from CrowdSec to allow IP's to connect again"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Setting up a local crowdsec cluster, so agents talk to eachother"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "", "line": " Setting up the bouncers to all share signatures"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "", "line": " Looking at the bouncer logs, to see why it was broken. 
Updating the ApiURL, then our local cluster is setup and working"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "", "line": " Showing the cluster is working by having all hosts block simultaniously"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 45, "seconds": 45}, "tag": "", "line": " Showing a gobuster would cause the host to blocked everywhere"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "", "line": " Using the Dashboards SQL Web Client to extract information"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Explaining how our honey pot is going to work"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 52, "seconds": 56}, "tag": "", "line": " Configuring WEB-02 to forward SSH to another host instead of blocking it"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 57, "seconds": 15}, "tag": "", "line": " The final iptables commands to forward traffic"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "", "line": " Installing Cowrie, the SSH Honey pot"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to 
Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 66, "seconds": 35}, "tag": "", "line": " The final demo, Getting blocked from WEB-01, then attempting to SSH to WEB-02 and immediately going to the honeypot"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Examining the webpage, just finding json. Running gobuster to discover /docs and /api"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Examining the user and admin endpoint, showing /user/ has a 404 but we can go into it"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux medium", "line": " Talking about why API Discovery differs from normal web, instead of extensions we fuzz methods"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux medium", "line": " Using wfuzz to fuzz endpoints in /user/ with POST Requests to discover /login and /signup"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Fuzzing the signup endpoint, reading error messages to identify the fields it wants"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Showing that curl behaves differently. 
Lets troubleshoot this by sending our curl and burpsuite to wireshark and seeing why its behaving differently"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 14, "seconds": 24}, "tag": "linux medium", "line": " Attempting to login to the API with the credential we created, discovering we need a urlencoded request"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " Logging in and getting a JWT Token, accessing /docs/ with it which is swagger documentation"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux medium", "line": " Authenticating in the swagger, so we can use the web interface to access private functions"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 19, "seconds": 58}, "tag": "linux medium", "line": " Changing administrators password with the UpdatePass endpoint, which is an IDOR like vulnerability"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Logging in with admin, then accessing the admin functionality"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Exploring the /proc/self directory with the LFI and finding where the source code to this app lives"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Extracting the JWT Secret Key from app/core/config.py, and adding the debug parameter, which enables us to access the /access endpoint"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Showing we cannot use slashes or pluses on this endpoint"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", 
"timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 29, "seconds": 29}, "tag": "linux medium", "line": " Discovering the root password in an authentication log, because someone entered a password in a username field"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux medium", "line": " Just looking at the code briefly. Should have prepared more to do this. Will probably do a separate video showing FastAPI."}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux hard", "line": " Examining the AUTH Cookie and talking about why its unique"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux hard", "line": " Running FeroxBuster, talking about why I started using it"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Examining the length of the cookie with various usernames to discover the cookie length changes"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Discovering the block size"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 12, "seconds": 30}, 
"tag": "linux hard", "line": " Modifying the cookie and getting an Invalid Padding error message. Which indicates it may be vulnerable to Padding Oracle"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Running padbuster to perform the Padding Oracle attack and decrypt the cookie. Then creating a new cookie changing our username"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " Changing our cookie to the forged one and logging into the application as Administrator"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 21, "seconds": 5}, "tag": "linux hard", "line": " Finding an SQL Injection in the Logs endpoint, using SQLMap to dump everything"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux hard", "line": " Going over the SQLMap history files to view previously dumped data, so we don't have to make more requests to the server"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Cannot crack the MD5's in the database, downloading the CMS Made Simple source and doing some quick code review to find out all MD5's have a static salt"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Cracking the salted MD5 password of the editor user with hashcat"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Going to the devbuild-job.overflow.htb and discover there's an upload resume"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " 
Uploading a jpeg results in the server giving us the ExifTool version, finding CVE-2021-22204 which is an exploit against ExifTool to run commands. Getting shell"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux hard", "line": " Reverse shell returned, getting developers password and using SSH to login as them"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 56, "seconds": 35}, "tag": "linux hard", "line": " Using find to list files owned by developer to find files owned by developer"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "linux hard", "line": " Hunting for files owned by tester and discovering commontask.sh, we can exploit this because we have write access over /etc/hosts"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 62, "seconds": 55}, "tag": "linux hard", "line": " Shell as tester"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 64, "seconds": 25}, "tag": "linux hard", "line": " Talking about extended attributes, using getfacl to show them"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux hard", "line": " Discovering a SetUID File, every time running it there is the same PIN Code it is prompting us for. 
Copy it to our local box and seeing if the pincode is the same"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "linux hard", "line": " Analyzing the binary in Ghidra, to discover there is no srand(), so the seed is always 1 for rand()"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " Discovering the pin code by setting a break point on the check in gdb"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux hard", "line": " Discovering the buffer overflow within the decompiled source, then using pattern_create to find where we overwrite EIP"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux hard", "line": " Looking at functions to set EIP to via ROP. Finding the Encrypt Function"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "linux hard", "line": " Discovering a timing attack in the encrypt function which lets us read any file"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux hard", "line": " Trying to perform the timing attack replacing a file with a symlink"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux hard", "line": " Apparently we cannot just use /tmp/ for this exploit, we need to be in a directory. 
Performing the attack and getting root"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, the stream is here: https://www.twitch.tv/videos/1445106911"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Start of the video, showing what is new about this technique"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "", "line": " Running through the example, showing we can change the filename in ps to anything we want"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Showing what this looks like in the ps output"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "", "line": " Explaining what I don't like about the example used on the website"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "", "line": " Explaining what process substitution is, which is a really good way to pass arguments to bash scripts when piping with curl"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Testing process substitution with 
ddexec locally"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Showing how to execute this with DirtyPipe"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Successful execution of DitryPipe"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Showing a dirtypipe that changes the root password, changing the default password it uses"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Showing we changed the password, and then trolling myself because this box has PAM_WORDLE installed"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Finding a DirtyPipe exploit that modifies a SetUID"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Cheating at our game of Hacker Wordle, to make sure we actually changed the root password earlier."}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing 
Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 0, "seconds": 47}, "tag": "", "line": " Discovering a weird binary running in /tmp/ but it doesn't exist on disk"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "", "line": " Start of explaining dd copying things out of memory"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Reading maps to identify where the file is, showing how to covnert hex to decimal in bash"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " File extracted from memory"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Copying the heap from memory and discovering it is mettle/meterpreter based upon strings"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "", "line": " Showing we don't need to use DD to extract the file, can just use the \"exe\" file in proc/pid/"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Opening the elf in Ghidra and examining its decompiled output"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 12, 
"seconds": 0}, "tag": "", "line": " Showing what the file looks like in Cutter, which has a different decompile view"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Reading the Metasploit source code to identify what it looked like, to confirm what our findings from reversing"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Using MSFVenom to generate our own stager in order to confirm this is indeed what we saw on the box and that we extracted it correctly"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Using GDB against the stager to just practice reversing"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Running NMAP"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " The footer talks about BMC, explaining why I jumped to IPMI when reading this"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Talking about IPMI"}, {"machine": "HackTheBox - 
Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Running Metasploit to dump the IPMI Hash and then crack it with hashcat"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Running IPMITool to explore the interface, there isn't anything really here"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Logging into Zabbix with the credentials and then fumbling around creating a malicious check"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Discovering what we were doing wrong, we didn't want to put quotes in the system.run command"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "linux medium", "line": " Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Attempting to get into the Zabbix database, need to switch to the ipmi-svc user"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 34, "seconds": 57}, "tag": "linux medium", "line": " Showing a cool MySQL command \\G to display results in a table form, useful when dumping a lot of columns"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 36, "seconds": 5}, "tag": "linux medium", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " No real exploit paths found, checking for exploits in the MYSQL 
Server and finding CVE-2021-27928 (WSREP)"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "linux medium", "line": " Performing the MySQL WSREP Exploit and getting root"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 1, "seconds": 35}, "tag": "linux hard", "line": " Enumerating the web page, finding a way to validate potential users"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Examining the data the website stores in our browser"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Attempting type juggling, finding out its not vulnerable"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Before we WFUZZ, just playing with PHP to see how it handles numbers. 
"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Running WFUZZ with the range payload to bruteforce all possible pin code, find out we get blocked."}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR header"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux hard", "line": " Using WFUZZ with two wordlists in the zip mode, so we can fuzz with pin codes and change the ip address to bypass the ratelimit (FUZ2Z)"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Logged into the application, discovering the secret parameter which prevents us from tampering with the request"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "linux hard", "line": " Doing type juggling to bypass the tamper detection and finding SQL Injection"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux hard", "line": " Extracting information out of the database with union injections with group_concat and concat"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Nothing interesting in the database, dropping a webshell but first we have to view the nginx config to find where the website is"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Using the INTO OUTFILE command to write a shell to /srv/altered/public/"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "linux hard", 
"line": " Reverse shell returned"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux hard", "line": " Explaining some basics around dirty pipe and why people use /etc/passwd"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux hard", "line": " Using the DirtyPipe exploit that resets root's password to aaron"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux hard", "line": " In order to use the \"su\" command, we need to beat wordle with a custom dictionary... Failing to play wordle"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux hard", "line": " Using a DirtyPipe exploit to overwrite a SetUID Binary, which bypasses our wordle game"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Extra: Revisiting wordle, but now we have the dictionary it uses, so we can cheat and win the game"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux hard", "line": " Extra: Fumbling around in the source code, learning some things but failing to enforce authentication on the GetProfile Endpoint."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PowerSiem: https://github.com/IppSec/PowerSiem"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Creating PowerSiem: https://www.twitch.tv/videos/1438252177"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": 
"MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sysmon Configuration File: https://github.com/Neo23x0/sysmon-config"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 36}, "tag": "", "line": " Talking about PowerSIEM"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "", "line": " Installing Sysmon with Florian Roth's default config"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Showing what PowerSIEM does by running it and opening a command prompt, browser, etc"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Explaining the PowerSIEM Script, how it works, and all the current sysmon events"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Setting breakpoints in Powershell ISE"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 8, "seconds": 48}, "tag": "", 
"line": " Adding data to the Registry Set event"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 11, "seconds": 58}, "tag": "", "line": " Showing just running a SysInternals tool creates a registry key for accepting the EULA"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "", "line": " Running Impackets PSEXEC, to find out Defender stopps it. Running Sysinternals Version and showing defender allows it."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Using PowerSIEM to show how the Sysinternals PSEXEC works."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Disabling AV, Running impacket's version again to show how it differs"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "", "line": " Creating a Cobalt Strike Beacon and showing some alerts"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Running a shell command in CobaltStrike and showing what it looks like in PowerSIEM"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with 
PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Running Mimikatz and talking about its sacrificial process, pipes, and mimikatz accessing LSASS"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 24, "seconds": 5}, "tag": "", "line": " Showing not everything will be logged"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Into"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux easy", "line": " Start of nmap talking about seeing two ports having the same HTTP Banner"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Checking out the webpage to discover source code and some docs"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Always RTFM, Playing with the API to Register a user, login, and check out privilege level."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Renaming our burp repeater tab by just double clicking on the number"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Trying to login with a name instead of email"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Testing our login token to find out it uses JWT's in a non-standard way"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux easy", "line": " Analyzing the 
source code to see the token is used in a header called \"auth-token\""}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux easy", "line": " Looking at git commit history to see there is a hard coded secret in an older commit and forging a token"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Changing our tokens user, going back to the source code and seeing \"theadmin\" is a hardcoded administrative user"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Talking about the importance of rotating secrets in a web application"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Testing command injection and getting a reverse shell"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a SSH Key for a second way into the box"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Checking NGINX Configuration to see if there is any difference between the two websites (port 80 and 3000), there isnt."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Running LinPEAS, discovering a custom SetUID Binary called count"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": 
{"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 31, "seconds": 57}, "tag": "linux easy", "line": " Examining the source code, to discover it allows for dump files to be created"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux easy", "line": " Failing to kill the linux process with the correct signal"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " Pulling up the man page to kill and listing all signals, then killing the process with a Segfault (11)"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux easy", "line": " Using apport-unpack to extract the crash report into readable files"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 37, "seconds": 23}, "tag": "linux easy", "line": " Examining the coredump to discover the file read is there! 
Then doing the same thing with an SSH Key to get root on the box"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Showing how file descriptors (/proc/pid/fd) work and failing to pull the ssh key, because the key isn't readable by us."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux easy", "line": " Failing to dump the the heap memory with DD as a regular user"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux easy", "line": " Back the examining the fd's in proc, showing if we had permission to read the file, that we could bypass the directory permission by cat'ing the file handle"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux easy", "line": " Dumping the heap of the process as the root user to show we can extract the file from the processes memory"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Join Intigriti here: https://go.intigriti.com/ippsec"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro "}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "", "line": " Enumerating the application utilizes Laravel based upon a default cookie name."}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Jumping into a PHP Interpreter to show off the Type confusion bug."}, {"machine": "PHP Type Juggling - Why === is 
Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Trying the same thing in Python, Javascript, Ruby, and showing that they aren't vulnerable in this way."}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Talking about the importance of the Laravel API Middleware"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Converting the GET request to have JSON Data"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Changing the JSON Data to pass a boolean for password"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Bypassing login with type confusion"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Sponsor highlight Intigriti"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 12, "seconds": 48}, "tag": "", "line": " End of sponsor highlight"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "", "line": " Looking at the Laravel Code to find where the route is for the custom login function"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Showing the vulnerable function"}, {"machine": "All About DLL Hijacking - My Favorite 
Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "", "line": " Why DLL Hijack is my favorite persistence, talk about a few others"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 2, "seconds": 3}, "tag": "", "line": " Going over the source code to our sample applications to talk about DLL Hijacking"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Compiling our executable and dll then transfering it to our windows box"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Using Process Monitor to show standard DLL Hijacking (when a DLL Does not exist)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Showing the order windows tries to load the DLL (Directory of binary then PATH)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Talking about a somewhat common mistake when people make edits to the PATH (ex: Java/Python/etc)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Placing the DLL test.exe is looking for and achieving code execution"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Showing 
if we can write in c:\\Windows, we can hijack most dll's explorer.exe loads from system32."}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Messing up using Process Monitor for a bit, sorry should have prepped a bit more"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Showing why explorer is unique, then putting CSCAPI.DLL into c:\\Windows\\... This would get ran anytime a user logs into the system"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " DLL Hijacking OneDrive for user level persistence"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "", "line": " Wrapping up, talking about some videos where I talk more about creating DLL's which can help with this"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux insane", "line": " Start of Nmap"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux insane", "line": " Start of gobuster to enumerate VHOST and Files"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Showing how I like to find the needles in a haystack when it comes to parsing lots of data."}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux insane", "line": " Using 
google reverse image search to try to identify what a logo means"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux insane", "line": " Hunting for XSS, putting unique URL's in all fields (check for a callback later)"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "linux insane", "line": " Going over the Docker Compose file we had downloaded"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux insane", "line": " Discover our XSS Attack worked, looking for LocalStack CVE's and discovering one in the dashboard"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Start of exploiting the XSS"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux insane", "line": " Creating a CSRF to force the victim to navigate to pages and send us the date, read his email to discover an S3 Domain"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Start of looking at creating an AWS Lambda application"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux insane", "line": " Using aws cli to create a lambda function"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux insane", "line": " Creating a malicious lambda, then using XSS to send the user to the LocalStack dashboard and trigger our code"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux insane", "line": " Reverse shell returned on the docker container. 
Use PSPY to identify what localstack does when invoking lambda functions and finding an 0day"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux insane", "line": " Testing out our 0day, creating a malicious lambda and injecting when localstack creates a docker to run the code"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "linux insane", "line": " Got root on the localstack container, abusing our ability to create docker containers to escalate to root on the host system"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Start of nmap, getting distribution by googling SSH/HTTP Server headers"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Checking out the web page and discovering it is a Laravel PHP Application based upon the cookie "}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " Talking a little bit about Laravel Internals, and why our web request is going to the API Middleware is useful"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " Showing that Laravel accepts data in the BODY even if it is a GET Request"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux medium", "line": " Changing our content type to JSON which will allow us to send JSON to the Laravel API"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 9, "seconds": 42}, "tag": "linux medium", "line": " 
Setting the password to the boolean true and bypassing login, explaining why === is important"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Logging into the application and discovering a zip file that is encrypted with ZipCrypto"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux medium", "line": " Showing where I got the inspiration for creating this challenge! An actual leaker made this mistake."}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Decrypting the zip with a known plaintext attack with bkcrack"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux medium", "line": " Logging into the box with the SSH Key"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Looking at the Laravel Source Code to find where the login function is and getting the root password for the box"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux medium", "line": " Showing the vulnerable function of the applicaiton, and that using three equal signs instead of two would fix it."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro "}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux medium", "line": " Poking at the SSH Chat Application"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 5, 
"seconds": 10}, "tag": "linux medium", "line": " Running a VHOST Scan and discovering pets.devzat.htb"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Discovering pets.devzat.htb doesn't have a 404 and is a golang webserver"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Fuzzing the user input on pets"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux medium", "line": " Webapp ignores when a semicolon is at the end of user input, indication to command injection [MasterRecon]"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux medium", "line": " Using Gobuster to discover the .git directory and working around the issue of the box having no 404 errors. Use git-dumper to extract."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Doing some light source code analysis on the Go Binary"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "linux medium", "line": " Showing it is also an LFI Vulnerability, just incase command injection was patched"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, examining the git log of the files, don't see anything interesting"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Discovering from localhost we can login to chat as anyone, but messages are hidden on Reverse Shells. 
Switch to SSH and read the messages."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Looking for an InfluxDB vulnerability via exploit-db, changelog, and synk"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux medium", "line": " Going to git, and pulling up the issue created for this issue so we can understand how to exploit it"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux medium", "line": " Using JWT.IO to create a token with a blank signature"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Testing our authentication bypass with curl, then creating a bash script to make it a bit easier for us to run queries."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Using the HTTP API of InfluxDB to show databses, tables, and dump data to get catherines password"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux medium", "line": " Using the find command to find files owned by catherine, to find a backup of the dev source code"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux medium", "line": " Finding all the files that differ between two directories via find, md5sum, and grep"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux medium", "line": " Discovering the hard coded password required for the FILE command in the new devzat application"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 60, "seconds": 
40}, "tag": "linux medium", "line": " Grabbing roots SSH Key via an LFI in the FILE Command"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "linux hard", "line": " Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux hard", "line": " Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password "}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux hard", "line": " Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon]"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux hard", "line": " Identifying the Nuxeo application and searching for the web vulnerability"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "linux hard", "line": " Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Testing an java EL SSTI Payload to get code execution. 
Don't get output but can validate we run code via ping"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Looking at listening ports, running a powershell snippet to get process name and the port they listen on"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux hard", "line": " Looking for an exploit with Unified Remote. Using Chisel to forward the port it listens on to us."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Going over the Unified Remote Exploit script, changing where it writes files to and using msfvenom to generate a malicious exe for us"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " What i say here is wrong... I did not notice I got a shell back when writing to C:\\Windows\\Temp... lol."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 39, "seconds": 9}, "tag": "linux hard", "line": " Converting the Unified Remote script to Python3 with some vim macro magic"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Running WinPEAS and discovering a Firefox credential"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Using HashPash with the creds WinPEAS displayed to get the development users password. 
Using chisel to forward WinRM to us and accessing the box as development"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Start of RE of the MyFirstApp Binary. Opening Ghidra"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Searching for Strings to find where Username: is in the program and looking at code around it to see how authentication works"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux hard", "line": " Looking at Encrypt1() and discovering it is just Rot47"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux hard", "line": " Looking at Encrypt2() and discovering it is just AtBash"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 72, "seconds": 45}, "tag": "linux hard", "line": " Logging into the application and discovering what is available to us after auth"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 76, "seconds": 10}, "tag": "linux hard", "line": " Discovering a buffer overflow in the code parameter, then opening it in x32dbg and seeing we overwrite EIP"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 82, "seconds": 55}, "tag": "linux hard", "line": " EIP Overwrote, looking at ESP we only have 10 bytes of space here. 
Talking about JMP Backwards to get to a spot where we have more space"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Start of pwntools script, using x32dbg to show us a JMP ESP "}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux hard", "line": " Using msf-metasm_shell to generate shellcode for us"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 92, "seconds": 5}, "tag": "linux hard", "line": " Disabling DEP for our process on our windows box"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 95, "seconds": 10}, "tag": "linux hard", "line": " Showing we can use the JMP ESP, to execute our JMP -70 to get back to the start of our userinput. Its still not large enough for a revshell need to use Socket Reuse to increase buffer size"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 98, "seconds": 20}, "tag": "linux hard", "line": " Setting a breakpoint on a recv() call and looking at the stack.. We will have to mirror this."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 102, "seconds": 40}, "tag": "linux hard", "line": " Getting the location of the Socket Handle which is ESP+0x48, then writing shell code to save that"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 105, "seconds": 50}, "tag": "linux hard", "line": " When trying to add 48, we get a null byte which is bad. 
Using an add/sub call to add 48 without null bytes"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 111, "seconds": 20}, "tag": "linux hard", "line": " Moving ESP to the other side of EIP so we don't have to worry about overwriting EIP and buffer overflowing the program again"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 115, "seconds": 30}, "tag": "linux hard", "line": " Getting 0 on the stack by just xor ebx, ebx - Then pushing the size of data we want"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 120, "seconds": 35}, "tag": "linux hard", "line": " Pointing the memory address recv saves data to within our junk data, as this is where the program returns to after the call"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 123, "seconds": 35}, "tag": "linux hard", "line": " Using Ghidra to get the memory address of the RECV() function, so we can call it"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 129, "seconds": 45}, "tag": "linux hard", "line": " Using MSFVenom to generate the shellcode for a reverse shell and testing out the exploit"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 133, "seconds": 50}, "tag": "linux hard", "line": " Showing by setting EXITFUNC=THREAD we don't kill the program when we exit our shell"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 135, "seconds": 50}, "tag": "linux hard", "line": " Updating our script to point at the hancliffe machine and getting our shell"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", 
"line": " Start of nmap"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "windows easy", "line": " Quickly testing SMB, then using CME to get a hostname of the box"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "windows easy", "line": " Testing out the website, discovering admin:admin logs us in. Running gobuster with HTTP Auth "}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows easy", "line": " The website allows us to write to a file share. Going over SCF Files and how we can use them to steal NTLMv2 Hashes by having an external icon"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "windows easy", "line": " Using hashcat to crack the NTLMv2 Hash"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows easy", "line": " Using CME with these credentials to discover we can WinRM to the box"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Downloading WinPEAS and using our Evil-WinRM shell to execute it"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "windows easy", "line": " Going over the WinPEAS Output and discovering a Ricoh printer driver"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows easy", "line": " Going over the Ricoh printer driver exploit"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows easy", "line": " Switching to Metasploit, showing an issue with the WinRM Module in MSF"}, {"machine": "HackTheBox - Driver", 
"videoId": "N2ahkarb-zI", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows easy", "line": " Using MSFVenom to create an executable then having WinRM send us the meterpreter shell"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Having trouble getting the exploit to run... Switching to a 32 bit payload... then migrating to a interactive process"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "windows easy", "line": " Using Meterpreter to migrate to an interactive process then suddenly the exploit works"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows easy", "line": " Using the powershell PrintNightmare to privesc"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows easy", "line": " Showing the two WinRM MSF Scripts operate completely differently."}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Examining the SSL Certificate to find alternative names"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Discovering PassBolt, but looks like we need an email to login to passbolt"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " Checking the bolt.htb and finding a link to download a custom docker image"}, 
{"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Extracting the docker image and viewing the docker layers"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Showing off \"Dive\" which is a tool to navigate docker images"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " Showing my initial process at analyzing this with a little bash-fu"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux medium", "line": " Creating a bash loop to print every file"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Viewing config.py, and history files by decompressing the layers they are in"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux medium", "line": " Viewing information in the SQL Lite Database and grabbing a password hash"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Logging into the web app"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Extracting all of the layers so we can view the source code"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " ash_history is now empty, which shows there were multiple versions of this file"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Viewing different versions of routes.py in the docker layers"}, 
{"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux medium", "line": " Exrtacting the invite code from an old version of routes.py, then registering an account on demo.bolt.htb, which also allows for access to mail.bolt.htb"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux medium", "line": " Checking the mail and finding out the SSTI Worked"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux medium", "line": " Finding an SSTI Jinja2 Payload on PayloadAllTheThings that we can use for RCE, then getting a reverse shell"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux medium", "line": " Grabbing passwords from all the web applications"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " The PassBolt application doesn't have password hashes for users, but has a PGP Encrypted Secret"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux medium", "line": " Using CME (CrackMapExec) to spray ssh with a list of usernames and passwords and finding Eddie's password which we can use SSH With"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 47, "seconds": 10}, "tag": "linux medium", "line": " Extracting information out of Eddie's Google Chrome and finding data a PGP Private Key"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "linux medium", "line": " Trying to import the PGP Key from chrome with GPG but it is encrypted"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " 
Using John The Ripper GPG2John to crack the PGP Key"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 52, "seconds": 45}, "tag": "linux medium", "line": " Importanting the private key, then decrypting the message to get root's password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap, adding earlyaccess.htb to the hostfile"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Registering an account to see what features are enabled to regular users"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Discovering bad characters of username are only checked upon registration, not changing it from the profile page"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Testing the Contact Forms for XSS by sending a message to ourself"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " Using document.location javascript to steal cookies"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 17, "seconds": 5}, "tag": "linux hard", "line": " Taking the administrators cookie and discovering some new hosts/functionality/key validation script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 20, "seconds": 7}, "tag": "linux hard", "line": " Going over the key validaiton script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", 
"timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Breaking the first part of the Key which is a simple Bit Shift and XOR to get KEY01"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 30, "seconds": 5}, "tag": "linux hard", "line": " Breaking the second part of the key which calculating every permutation of when two strings equal eachother"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux hard", "line": " Showing the lazy way to do the second part, since we never actually need to know every combination"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux hard", "line": " Breaking the third part of the key, which has a rotating magic. Discovering the keyspace for magic is only 60"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux hard", "line": " Coding the third part to display valid keys for all 60 combinations"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux hard", "line": " Breaking G4, which is just a simple XOR"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Talking about how the CheckSum works and how it is similair to the Luhn Check"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Putting everything togather and building a key generator to give us 60 keys"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "linux hard", "line": " Allowing our script to attempt to register keys on our behalf"}, {"machine": "HackTheBox - 
EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " Debugging issues in our script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 78, "seconds": 40}, "tag": "linux hard", "line": " The issue of our script, we copied the checksum incorrectly"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 82, "seconds": 50}, "tag": "linux hard", "line": " Logging in to play the game and talking about forging scores"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "linux hard", "line": " Playing with Second Order SQL Injection with our username and scoreboard"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 86, "seconds": 8}, "tag": "linux hard", "line": " Extracting table information from information_schema with our union sql injection "}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux hard", "line": " Extracting hashes from the database than cracking to get the administrators password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 96, "seconds": 10}, "tag": "linux hard", "line": " Logging into developer admin panel"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux hard", "line": " Fuzzing file.php to discover hidden parameters to find filepath which can be used to extract source code via lfi and php filters"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux hard", "line": " Reading the source code of hash.php to discover we can execute code if we pass a debug parameter"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", 
"timestamp": {"minutes": 105, "seconds": 45}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux hard", "line": " Switching to www-adm user which has the .wgetrc file and can access the api"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 109, "seconds": 10}, "tag": "linux hard", "line": " Downloading a static compile of nmap so we can find the api host"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 113, "seconds": 0}, "tag": "linux hard", "line": " Using python to print the ip address of the box"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 115, "seconds": 40}, "tag": "linux hard", "line": " Parsing the check_db output to get database credentials, which can be used to SSH into the box"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 120, "seconds": 0}, "tag": "linux hard", "line": " Going over linpeas output"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 126, "seconds": 0}, "tag": "linux hard", "line": " Reading the mail to drew, to discover the gameserver will reboot upon crashing. 
Using static nmap to find the gameserver"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 128, "seconds": 45}, "tag": "linux hard", "line": " Setting up the SSH Port Forward so we can access the gameserver"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 130, "seconds": 20}, "tag": "linux hard", "line": " Creating a script that will execute upon the gameserver restarting to gain root on the docker"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 136, "seconds": 50}, "tag": "linux hard", "line": " Crashing the gameserver by setting the rounds to -1, and getting the root password to docker which is game-adm's password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 140, "seconds": 25}, "tag": "linux hard", "line": " Abusing the capabilities set on arp to read files on the box"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 1, "seconds": 7}, "tag": "linux hard", "line": " Running nmap, discovering wordpress"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "linux hard", "line": " Manually looking at the wordpress site, finding a post that has some dynamic content on it... 
This is weird"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Attempting to poison the browser table with php/ssti/etc user agents"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Starting wpscan with enumerating all plugins"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux hard", "line": " WPScan found a backup of the configuration file"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Changing the year on the password of the configuration file and discovering MFA"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Talking about the \"Discover Backup\" argument of gobuster, which does find another wp-config.php backup file"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 13, "seconds": 53}, "tag": "linux hard", "line": " Explaining what the XMLRPC Interface to wordpress"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Showing the system.listMethods function on the XMLRPC to list all the methods"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Switching over to the Python Wordpress XMLRPC Library to play with this interface, creating an object to login"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "linux hard", "line": " Showing how to dump users, then examine properties of a user"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " 
Attempting to use this library to upload files, discover we can only upload images"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Dumping the posts, and discovering the table we found earlier was using the php-everywhere plugin on a post. Using the XMLRPC Interface to edit the post to host malicious PHP"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux hard", "line": " Creating a PHP File that will write another PHP Shell and lock it down to an IP Address"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux hard", "line": " Had an issue with my webshell, running it locally to discover what the issue was and re-uploading"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "linux hard", "line": " Got RCE! However, reverse shells aren't working enumerating the firewall"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux hard", "line": " Explaining why I am going to use my Forward Shell"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 46, "seconds": 45}, "tag": "linux hard", "line": " Grabbing my Forward Shell Skeleton code, modifying it and getting RCE"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Forward shell works! That took next to no time and I explained a lot of it"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux hard", "line": " The date on pkexec is old, it's probably vulnerable. 
Compiling a POC and uploading it through the XMLRPC, then running it to get root"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Another PwnKit method, if I didn't have a Forward Shell having pwnkit chmod /root/ to 777 would allow us to read the flag"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 63, "seconds": 10}, "tag": "linux hard", "line": " Going over the WPScan enumerate all plugins to show how beneficial this output would have been"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux easy", "line": " Start of nmap, examining the page discovering its all static with no user input"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux easy", "line": " Examining the source code of the website"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Running the javascript through a beutifier so we can easily read this, and finding another web endpoint"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 8, "seconds": 57}, "tag": "linux easy", "line": " Going to api-prod.horizontall.htb, running gobuster and examining the endpoints"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Navigating to /admin brings us to a STRAPI login, searching for exploits and finding an RCE"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux easy", "line": " Lightly reading the 
exploit script, we will go more in depth at the end of this video"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell returned, looking for how the webapp talks to the database"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " Explaining why this nginx server uses proxy_pass and has a node app listening on port 1337"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux easy", "line": " Dropping an SSH Key and using SSH to access this box, no privilege escalation yet just wanted a better shell"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Having a lot of trouble with getting data out of the MySQL Database, not exactly sure what went wrong here."}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux easy", "line": " Going over the LinPEAS Output and discovering port 8000 running laravel"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux easy", "line": " Going over why we cant see processes from other users"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux easy", "line": " Using SSH to tunnel port 8000 to our box, allowing us to access laravel, finding out laravel is in debug mode"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 37, "seconds": 52}, "tag": "linux 
easy", "line": " Finding an exploit and executing code as laravel."}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 41, "seconds": 8}, "tag": "linux easy", "line": " First script didn't work, looking to see if there are others. This one didn't require absolute paths, which allows it to work! Getting root"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux easy", "line": " Looks like there's some bad characters with our reverse shell, switching to a web cradle and getting root"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux easy", "line": " Explaining why this box isn't the box I wanted to show off FeroxBuster (Recursive Searching on API wouldn't work)"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux easy", "line": " Looking at the STRAPI Exploit and showing how the patch worked"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "linux easy", "line": " Comparing PHP Exploits"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap, getting hostname and "}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows insane", "line": " Discovering the Server Header changes for virtualhost, probably navigating to a different box/container/etc [MasterRecon]"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows insane", "line": " Getting a good SSTI Fuzz 
String then identifying this string causes an error on the webserver. Removing parts of the string until we see the type of SSTI"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows insane", "line": " Playing with ASP Code in this SSTI or ASP Code Injection... Not sure what the vulnerability is"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows insane", "line": " Getting a VBScript One Liner to execute code and then getting a reverse shell"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows insane", "line": " Discovering a x509 certificate, decoding it with openssl, and discovering a second hostname"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows insane", "line": " Downloading and running chisel to setup a reverse socks proxy so we can attempt to pivot through this container"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 31, "seconds": 54}, "tag": "windows insane", "line": " Running nmap through the chisel socks proxy with proxychains"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "windows insane", "line": " Setting FoxyProxy to only send specific domains through our proxy"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "windows insane", "line": " Discovering the softwareportal.windcorp.htb attempts to install software on machines, set it to our machine and wireshark to see how 3it connects back to us"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows insane", "line": " Using responder to intercept the WinRM Connection and then 
use hashcat to crack the credentials"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "windows insane", "line": " Using CrackMapExec with our cracked credentials discovering we can access a file share that has Jamovi Files"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "windows insane", "line": " Installing Jamovi then finding out the XSS and proving RCE with Calc. Setting it to execute javascripts off of our webserver"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "windows insane", "line": " Creating a web cradle to execute a reverse shell, in typical ippsec fashion have a typo that we will fix later"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "windows insane", "line": " Fixed up the web cradle, reverse shell returned. Some light enumeration and talking about honey pots that have logon hours set to never"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Start of certificate exploit, downloading tools certify, rubeus, ADCS, PowerView"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "windows insane", "line": " Running Certify to find vulnerable certificates, we can edit the certificate template which enables us to enroll a smart card"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "windows insane", "line": " Running Get-SmartCardCertificate and then checking certificate store to see we didn't have anything. 
Showing we need to change the script because a weird thing with UPN's on this box"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows insane", "line": " Running Get-SmartCardCertificate again with our fix, then getting the certificate thumbprint and using Rubeus to get the credential"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows insane", "line": " Enabling RDP on the box so we can visually see the certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 79, "seconds": 10}, "tag": "windows insane", "line": " Opening up MMC to see the certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 83, "seconds": 20}, "tag": "windows insane", "line": " Doing the Certificate Exploit again but stepping through it all manually using Linux instead of Windows when possible"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "windows insane", "line": " Showing the vulnerable certificate template before modifying and what the certificate usage is"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 86, "seconds": 30}, "tag": "windows insane", "line": " Showing the certificate template after using Set-ADObject to modify the template"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 87, "seconds": 25}, "tag": "windows insane", "line": " Generating a Certificate Request"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "windows insane", "line": " Using CertReq to sign the certificate we generated"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 91, "seconds": 30}, "tag": "windows insane", "line": " Showing my 
Kerberos Configuration"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 92, "seconds": 50}, "tag": "windows insane", "line": " Using CertUtil to output the CA Certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 93, "seconds": 50}, "tag": "windows insane", "line": " Setting up our port forwards so we can communicate with Kerberos"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 97, "seconds": 45}, "tag": "windows insane", "line": " Running kinit to login with our X509 Smart Card Certificate, get error show how to debug KINIT with trace"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 99, "seconds": 40}, "tag": "windows insane", "line": " Changing our time to match the DC and then running KINIT again and getting a session"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "windows insane", "line": " Using Evil-WinRM to get a shell with our kerberos certificate"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Running nmap finding a filtered port with some open ones"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Running GoBuster to always have something running in the background"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Playing with the Upload Form"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Playing with the Upload from URL to 
see what library connects back to us (SSRF)"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux medium", "line": " The Upload From URL has a blacklisted address, playing with it to discover what is blacklisted"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Bypassing the URL Blacklist in the SSRF by changing the case of words"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux medium", "line": " Running a virtualhost bruteforce within gobuster to discover vhost"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux medium", "line": " Bypassing the URL Blacklist in the SSRF by creating a webserver that will send a redirect"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Using the SSRF to download admin.forge.htb and discovering ftp creds and another SSRF"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " Using the SSRF to use FTP "}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Encoding the IP Address as hex to bypass a blacklist"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "linux medium", "line": " When specifying a directory in the FTP with SSRF need a trailing slash explaining why"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux medium", "line": " Downloading id_rsa and then logging into the machine"}, {"machine": "HackTheBox - Forge", "videoId": 
"-BL4uevhERg", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " The user can sudo run a python script, which stands up a debugger on a random port"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 26, "seconds": 13}, "tag": "linux medium", "line": " Doing a nested tmux so we can run the python script and then use netcat to connect"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " Getting root"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 30, "seconds": 55}, "tag": "linux medium", "line": " Explaining how to harden the blacklist to prevent the easy bypassing"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux medium", "line": " Looking at how admin.forge.htb added FTP Support"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux medium", "line": " Thinking there's an RCE but there isn't, shlex is a good filter"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux medium", "line": " Getting frusterated, lets break this down and see whats stopping our RCE"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "linux medium", "line": " Playing with Shlex to discover it is what prevents the RCE"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux 
hard", "line": " Examining the web page, noticing every URL with admin gets redirected to a django login"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Creating an account and looking at the page to discover CTF Challenges"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Submitting a writeup, discovering an old version of Firefox talks to us"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Checking for Tab Nabbing vulnerability and explaining it"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux hard", "line": " Phishing worked, got the admin's password. 
Login to Django to see another website (Sentry)"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux hard", "line": " Grabbing a django deserialization payload then installing django on python2 to use the payload"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux hard", "line": " Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Setting up the reverse shell in a way that works with ZSH, just need to do stty raw -echo; fg on one line"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 46, "seconds": 13}, "tag": "linux hard", "line": " Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl's password"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 52, "seconds": 25}, "tag": "linux hard", "line": " Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. 
Copy it back to our box"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 56, "seconds": 55}, "tag": "linux hard", "line": " Examing the binary in Ghidra"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 58, "seconds": 55}, "tag": "linux hard", "line": " Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 61, "seconds": 22}, "tag": "linux hard", "line": " Showing that AES-CTR does not have defined block sizes"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "linux hard", "line": " Using GDB to help our analysis, showing how to setup break points around what our decompiler shows"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 70, "seconds": 36}, "tag": "linux hard", "line": " Examining memory to confirm our static analysis was correct"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 71, "seconds": 15}, "tag": "linux hard", "line": " Grabbing the encrypted blob the program is comparing against to get the password and getting root"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux hard", "line": " CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "linux hard", "line": " CHALLENGE 3: Get Lucky, a small binary that rolls a dice. 
We exploit it mainly in GDB but after recording, probably could have done LD_PRELOAD, im not sure"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 94, "seconds": 50}, "tag": "linux hard", "line": " CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 97, "seconds": 10}, "tag": "linux hard", "line": " CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "linux hard", "line": " CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux hard", "line": " CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 113, "seconds": 29}, "tag": "linux hard", "line": " CHALLENGE 8: Triple Wamy, another XOR Challenge where we have to just do the XOR's backwards to get the flag"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Running GoBuster, discovering the redirects have filesizes"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 3, "seconds": 0}, 
"tag": "linux easy", "line": " Showing the Execute After Read vulnerability (EAR) by using BurpSuite to hit / and discovering the page"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Using grep to show us only what we want (oP)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Using BurpSuite to intercept the response to the request so we can disable the redirect (EAR). Then using the webform to create an account (IDOR)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Examining the website source, using grep to look for places with user input"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux easy", "line": " Testing the logs.php page for shell injection, then getting a reverse shell"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux easy", "line": " Going into the webconfig to get database creds, then dump and crack creds"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Testing local users with the passwords from the database to get m4lwhere's creds"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 20, "seconds": 25}, "tag": "linux easy", "line": " Checking sudo to see something is weird, the env_reset/secure_path is not there. 
(this is configured in /etc/sudoers)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "linux easy", "line": " Explaining Path Injection, then taking advantage of a script in sudo not using absolute paths"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Going back to explain things, weird behavior of the webserver always hanging. Maybe it was trying to send me a webshell? idk"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux easy", "line": " Fuzzing parameters of accounts.php to create accounts. But first discovering how important the Content-Type header is!"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Using WFUZZ to fuzz the confirmation parameter"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux easy", "line": " Explaining how the EAR Vulnerability happened in the code and how to fix it"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " Box will be uploaded to HackTheBox by January 5th."}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Looking at the login, failing normal SQL Injection"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Start of 
talking about NoSQL/Mongo Injection"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Using the NE operator to create the NoSQL Injection where password is not equal to admin and bypassing login"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Showing the REGEX operator and talking about other ones to leak data"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 8, "seconds": 34}, "tag": "linux easy", "line": " Creating a python application to bruteforce passwords from the NoSQL Database one character at a time"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Script done, running it going over the code"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux easy", "line": " Examining the UPLOAD functionality of the site "}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux easy", "line": " Testing for XXE"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux easy", "line": " Replacing our XXE POC to include a file. 
Then making the application error to get path of webapp, so we can extract source code"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux easy", "line": " Discoving the application utilizes Node-Serialize which is extremely vulnerable to unserialization/deserialization attacks"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux easy", "line": " Proving we have RCE after URL Encoding our entire payload and using double quotes instead of single"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux easy", "line": " Creating a reverse shell one liner that has minimal bad characters and getting a reverse shell"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "linux easy", "line": " Reverse shell returned, we already have the password for SUDO!"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux easy", "line": " ALTERNATE WAY TO GET PASSWORD: Mongodump"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux easy", "line": " Showing application is vulnerable to IDOR's"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Discovering an Apache Tomcat Errror message despite the webserver being Apache"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "linux medium", "line": 
" Looking at Orange Tsai's 2018 Blackhat talk on Path Normalization "}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux medium", "line": " Explaining the attack and how to bypass apache blocking access to /manager by using /..;/ or ;name=Stuff"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Attempting to deploy a WAR File to see that path is blocked by the max upload size being 1 byte"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Testing for log4j in Tomcat, discovering a callback"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Finding a twitter post that combines JNDI-Injection-Exploit-Kit and Ysoserial to do deserialization attacks with Log4shell/log4j"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Explaining whats different about ysoserial modified and why it lets us do reverse shells"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux medium", "line": " Running YsoSerial-Modified to generate a CommonsCollections5 payload"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux medium", "line": " Running JNDI Injeection Exploit Kit to setup the LDAP Server"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Running the exploit and getting a reverse shell, then looking at port 21 since it was filtered earlier"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " 
FTP is running as root and written in Java. Testing for Log4j!"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Using JD-GUI to examine the FTP Server source to discover credentials are stored in environment variables!"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Explaining why we are going to use Wireshark to view these environment variable leaks"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Creating a log4j payload that sends us the ftp_user environment variable, then ftp_password"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux medium", "line": " Using log4j to extract the java class path which may be helpful in creating serialized payloads"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Using log4j to extract the java version"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Using log4j to extract OS Information"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 4, "seconds": 
20}, "tag": "linux hard", "line": " Corrupted GZIP, using zcat to view it and fixgz to repair"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV)"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Talking about things I would be monitoring for on Login Forms [Detection]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux hard", "line": " Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux hard", "line": " VPN Connection established, looking at routes. Adding additional routes that don't exist"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Going over the NMAP ran from the second VPN"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Fully understanding the weird behavior from /vpn earlier on. It is indeed a reverse proxy. 
[MasterRecon]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Exploiting the fact that XDEBUG is enabled on info.php"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " Running Chisel to create a pivot rhrough web to access mysql "}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " The Multiple VPN MTU Issue explained, demonstrating i can't send big packets because of chunking"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux hard", "line": " Finishing with setting up the chisel tunnel"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Switching up chisel to look at PKI."}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 53, "seconds": 34}, "tag": "linux hard", "line": " Running PHuiP-FPizdaM to exploit PHP-FPM/7.1"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 57, "seconds": 23}, "tag": "linux hard", "line": " Changing up our Chisel so we can send a reverse shell through the web box"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 61, "seconds": 45}, "tag": "linux hard", "line": " Looking at the ersatool source code to find a printf/format string vulnerability"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 64, "seconds": 15}, "tag": "linux hard", "line": " Verifying we have the format string vuln and some really basic talk about it"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux hard", "line": " Exploring the 
memory around our leaked address to defeat ASLR and edit the variable we want"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 70, "seconds": 30}, "tag": "linux hard", "line": " Start of a pwntools script to exploit format string"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 75, "seconds": 48}, "tag": "linux hard", "line": " Pwntools successful leak and calculating offset to the string we want to manipulate... cleaning up the script a little"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 79, "seconds": 5}, "tag": "linux hard", "line": " Explaining how we are going to write to an address and why the null byte is a small problem"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 87, "seconds": 15}, "tag": "linux hard", "line": " Overwriting the ERSA_DIR variable"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 93, "seconds": 55}, "tag": "linux hard", "line": " Tons of funny failing trying to verify this exploit worked"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "linux hard", "line": " Updating and explaining our chisel tunnel since we are proxying a lot of traffic bidirectionally through this web box"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 105, "seconds": 30}, "tag": "linux hard", "line": " Using cat to transfer a file over /dev/tcp, the trick is to base64 encode"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 110, "seconds": 50}, "tag": "linux hard", "line": " Using socat to have a binary (ersatool) listen on a TCP Port, so we can use pwntools to exploit it"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 112, "seconds": 45}, "tag": "linux hard", "line": " Updating 
pwntools to use a TCP Socket"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 115, "seconds": 50}, "tag": "linux hard", "line": " We can't execute out of /dev/shm, updating script to use /tmp"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 131, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Into"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Discovering admin login page, running SQLMap and discovering it is SQL Injectable"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux medium", "line": " Testing for SQL Injections in the username and password, discovering injection in the username"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " The adminsitrative interface lets us upload images, failing to upload a PHP Shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux medium", "line": " Using the SQL Union Injection to extract source code via Load_file, then creating a python script to automate it"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "linux medium", "line": " Creating a Regular Expression in Python to grab only the data we want and be multiline"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux medium", 
"line": " Downloading a good LFI Wordlist and then using it with our python script to find interesting files"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux medium", "line": " Finding the apache configuration which gives us where the web application lives"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux medium", "line": " Updating our LOAD_FILE command to utilize TO_BASE64 in order to get around the web application doing HTML Entity Encoding"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Discoving an hardcoded password in the python flask web application"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "linux medium", "line": " Discovering command injection in how the web application handles URL's"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux medium", "line": " Simplifying our reverse shell by using a base64 cradle"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 40, "seconds": 4}, "tag": "linux medium", "line": " Having troubles uploading the image, create the image manually on our box, so the image upload form creates the request for us. 
Then getting a shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux medium", "line": " Discovering another database password within the second web application, cracking a password then switching to the Kyle user"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " Using find to find files owned by a group"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux medium", "line": " Examaning the Postfix config to see it executes the Disclaimer script as John and is editable by our gorup. Edit the file, then sent an email to get shell as John."}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux medium", "line": " Showing John doesn't get all the groups assigned to him from the Postfix shell. SSH allows this group to be assigned to him"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 57, "seconds": 24}, "tag": "linux medium", "line": " Write access to apt.conf.d, creating a pre-invoke script which is a persistence technique to run code whenever apt is ran"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 61, "seconds": 4}, "tag": "linux medium", "line": " Showing the intended route of this box by editing a python script over SMB"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux medium", "line": " Using the Image Upload form as a SSRF in order to access the second web application listening on localhost"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": 
{"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Discovering the webserver is apache, despite nmap saying it is nginx"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Every request with /admin gets a 401, indication that nginx location may not end with /"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux hard", "line": " Doing the nginx lfi to grab apache server-stats and leak the /admin_staging/ directory"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Running gobuster in /admin_staging/ to discover more php scripts"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux hard", "line": " Testing index.php for lfi with a php filter"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Looking at the source and seeing it is using include() which allows for RCE if we can get it pointed at php code"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux hard", "line": " Playing with the LFI, eventually finding info.php which tells us open_basedir is set to /var/ which prevents the LFI from going out of that directory"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "linux hard", "line": " Using wfuzz with an LFI wordlist to search for files we can chain with this LFI, discovering ftp logs"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": 
{"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Poisoning the FTP log with a php reverse shell then using the LFI to trigger it"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "linux hard", "line": " Looking at the /opt/pokeapi directory to find a LDAP credentials"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "linux hard", "line": " Using ldapsearch to dump information out of the linux ldap server to get pwnmeow's credentials"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux hard", "line": " Using ftp with pwnmeow's credentials, then running linpeas"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 32, "seconds": 35}, "tag": "linux hard", "line": " Examining the CSVUpdate cron and finding a code injection vulnerability in the perl script"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux hard", "line": " Going over why perl will execute a variable starting or ending with | with an open() command"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux hard", "line": " Creating a revers shell file that begins with | "}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Uploading our malicious file via FTP and getting root"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows medium", "line": " Start of nmap, discover Active Directory and a web server"}, 
{"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Doing some common checks against a Domain Controller"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Discovering PDF's with filenames based upon the date"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows medium", "line": " Building a customized wordlist based upon the date with the date command"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows medium", "line": " Downloading the PDF's with wget and then examining metadata"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "windows medium", "line": " Using Kerbrute to validate the usernames in the metadata are correct"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows medium", "line": " Using pdftotext to convert all the PDF's into text files, so we can grep through text"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows medium", "line": " Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfrom a passwordspray"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows medium", "line": " Running CrackMapExec Spider_Plus while we do some other CME things"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "windows medium", "line": " Running Python Bloodhound with the credentials we got from the password spray"}, {"machine": 
"HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows medium", "line": " Using JQ to parse the data from CME's spider_plus module to discover a powershell script"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "windows medium", "line": " Importing the bloodhound results and then searching for attack paths"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Discovering we probably need to get access to the SVC_INT GMSA (Group Managed Service Account)"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "windows medium", "line": " Going back over the powershell script we downloaded, and then creating a DNS Record with krbrelayx's dnstool"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 28, "seconds": 57}, "tag": "windows medium", "line": " Using dnstool to create an A Record on an Active Directory Server"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people that access our webserver (Responder also would work but was broke on my box)"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 36, "seconds": 35}, "tag": "windows medium", "line": " Using John to crack the ntlmv2 hash and gaining access to the Ted Graves account"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 42, "seconds": 19}, "tag": "windows medium", "line": " Using gMSA Dumper to extract the svc_int hash"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 43, 
"seconds": 43}, "tag": "windows medium", "line": " Using impacket's getST to generate a SilverTicket which we can use for impersonating an administrator"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows medium", "line": " Using NTPDate to syncronize the time to our domain controller"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows medium", "line": " Using our ticket with psexec to gain access to the server"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro the best box to practice SQL Union Injections but I may be bias"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Start of nmap discovering nginx with PHP"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Doing recon on the website"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux medium", "line": " Starting recon in the background GoBuster/SQLMap"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux medium", "line": " Manually examining the player submission page"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux medium", "line": " Manualling testing for SQL Injection, why its important to test with a query that returns data"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux medium", "line": " Testing for union injection, then pulling up MySQL Documentation and looking at the Information_Schema database"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", 
"timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux medium", "line": " Testing out the Union Injection by extracting a single database name"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Showing that we can return more than one row with the GROUP_CONCAT function"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Changing up the union to extract table and column information"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Prettying up the output by setting some delimiters with GROUP_CONCAT, then extracting data from the tables"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Submitting the flag and discovering our IP Address can now ssh into the box"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Using the LOAD_FILE command to extract files from the server, discovering credentials in the config.php file"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Using SSH to access the server and then looking at how the webserver allowed our IP Address access to the server"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Adding the X-FORWARDED-FOR header to our request to firewall.php and discovering command injection"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux medium", "line": " Changing our command injection from sleep to a reverse shell"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 17, 
"seconds": 10}, "tag": "linux medium", "line": " The www-data user can use sudo to run any command, using sudo to run a shell"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux medium", "line": " Going over my filter to break SQLMap"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Running nmap, doing all ports and min-rate"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Poking at the website to discover a static site"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux easy", "line": " Starting up a gobuster to do some recon in the background"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Discovering log_submit, and finding out it is vulnerable to XXE (XML Entity Injection)"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Verified it is vulnerable to XXE, attempting to extract a file"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux easy", "line": " Chaining a PHP Filter to convert files to base64, which lets us avoid bad characters and leak source"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux easy", "line": " Start of coding out a program to automate this LFI"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": 
{"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " XXE LFI POC Done, improving it by adding the cmd module"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux easy", "line": " Reading source code of pages, getting nothing"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "linux easy", "line": " Finding db.php from out gobuster, leaking the source and getting a password"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 22, "seconds": 5}, "tag": "linux easy", "line": " Grabbing /etc/passwd in order to build a userlist to password spray"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux easy", "line": " Using CrackMapExec (cme) to perform a password spray over SSH and discovering creds"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 23, "seconds": 35}, "tag": "linux easy", "line": " With shell on the box we can do sudo against a python file, doing some manual code analysis"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux easy", "line": " Switching to VSCode to debug our exploit script"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Exploit file works, copy it to our target and run it to get a root shell"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 39, "seconds": 44}, "tag": "linux easy", "line": " Taking a step back and Verifying the bad characters in our XXE"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": 
"HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Begin of nmap "}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux medium", "line": " Browsing to the website and doing some light fuzzing"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Adding the uri_hex (url encoder) to our wfuzz to fuzz special characters"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Taking a look at port 8080, discovering gitbucket and registering an account"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux medium", "line": " Exploring the infra repository on gitbucket, going over its Ansible Scripts"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Taking a look at the Seal Market Repository and discovering NGINX has mutal auth configured"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Discovering tomcat credentials in a previous commit"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Going over an Orange Tsai SSRF Talk from 2018, showing the Tomcat SSRF when behind NGINX"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Testing the SSRF Exploit to discover we can hit protected pages"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Logging into tomcat, then 
showing another SSRF"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux medium", "line": " Using MSFVenom to generate a malicious war file to exploit tomcat"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, uploading pspy to discover a cron running a playbook"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Going over the playbook to show how we can exploit this playbook to copy an ssh private key with a symlink"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Creating the symlink to extract the SSH Key"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux medium", "line": " SSH in with Luis, discovering we can run ansible with sudo, then creating a malicious playbook to run a reverse shell"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap, downloading files over FTP"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows insane", "line": " The contents of all the PDF's don't really help. Using exiftool to extract authors."}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows insane", "line": " Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat doesn't support. 
Use downgrade to generate ETYPE 23 and crack the hash"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "windows insane", "line": " Going into what ETPE Means"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "windows insane", "line": " Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugin to dump files"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "windows insane", "line": " Doing some JQ Magic navigate the Spider_Plus data"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "windows insane", "line": " Converting the Outlook Message Files (MSG) to plaintext with msgconvert"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows insane", "line": " Running Restart-Oracle.exe with Process Monitor to find out the process is writing to a TEMP Directory"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows insane", "line": " Removing delete permissions on the Windows Temp Directory, so the Restart-Oracle program can't delete the files out of temp, finding based64 and getting another EXE"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows insane", "line": " Running the extracted executable with Process Monitor to discover it loads dotnet"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows insane", "line": " METHOD 1: Opening the extracted executable in x64debug, setting it to break upon EXIT then examining its memory to find the dotnet executable"}, {"machine": "HackTheBox - PivotAPI", 
"videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 38, "seconds": 48}, "tag": "windows insane", "line": " METHOD 1: Opening the dotnet in DNSPY to discover the password"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 40, "seconds": 25}, "tag": "windows insane", "line": " METHOD 2: Using API MONITOR to examine the API Calls the program makes and finding the password (Sorry for audio glitches here, chrome did weird things)"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 47, "seconds": 41}, "tag": "windows insane", "line": " Fixing the permissions on our TEMP Directory with icacls so our user can delete files again"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows insane", "line": " Using CrackMapExec to dump a list of all users because the Oracle credentials we got from reversing did not work."}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "windows insane", "line": " Discovering the MSSQL User and changing oracles password scheme to fit MSSQL"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 55, "seconds": 25}, "tag": "windows insane", "line": " Downloading Alamot's MSSQL_Shell and getting a shell on the box (unintended way, do more with this at the end)"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "windows insane", "line": " Downloading and running MSSQL Proxy, which will let us create a SOCKS Proxy through the MSSQL Service"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 72, "seconds": 10}, "tag": "windows insane", "line": " Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a shell on the box, then downloading and cracking a Keypass Database"}, {"machine": 
"HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 80, "seconds": 40}, "tag": "windows insane", "line": " Using SSH to get into the box, the trick here is telling our SSH Client to not use public key authentication"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 82, "seconds": 15}, "tag": "windows insane", "line": " Running Bloodhound.py to get Bloodhound data from Active Directory"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 87, "seconds": 20}, "tag": "windows insane", "line": " Examining bloodhound data to discover our user can reset passwords on several users, and showing Dr.Zaiuss can reset Superfume... Resetting each password to get to Superfume then downloading another exe out of developers"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "windows insane", "line": " Using DNSpy to edit the compiled dotnet program to print the password after it decrypts it"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 99, "seconds": 50}, "tag": "windows insane", "line": " Back to bloodhound with the new credential! 
Discovering Jari can reset Gibdeon who can add groups to LAPS"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 106, "seconds": 0}, "tag": "windows insane", "line": " Loading PowerView up in Evil-WinRM and Bypassing AMSI, then resetting Gibdeon's pw and adding him to groups"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 113, "seconds": 30}, "tag": "windows insane", "line": " Attempting to get the LAPS Password with Get-ADComputer and failing"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 115, "seconds": 20}, "tag": "windows insane", "line": " Using a Python Program to dump LAPS Password, then using PSExec to log into the box as administrador!"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 120, "seconds": 15}, "tag": "windows insane", "line": " Unintended method! Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg "}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 127, "seconds": 20}, "tag": "windows insane", "line": " Copying the ticket and using TicketConverter to conver the ticket from KIRBI to CCACHE then setting KRB5CCNAME to the ticket and having impacket use the ticket"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 130, "seconds": 32}, "tag": "windows insane", "line": " Impacket doesn't work because of clock skew, it doesn't tell us the error, showing CrackMapExec will display the error"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 131, "seconds": 10}, "tag": "windows insane", "line": " Using NTPDate to sync our time to the AD Server, then running secretsdump"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackThebox - Explore", 
"videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux easy", "line": " Weird SSH Banner saying its Banana Studio, google tells us this is Android"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Doing a script scan against all open ports, and googling what each open port is"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux easy", "line": " Port 59777, brings us to ES File Explorer which has an exploit out"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 5, "seconds": 16}, "tag": "linux easy", "line": " Running the ES File Explorer exploit with getDeviceInfo to confirm it works"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Listing files, pictures, and eventually downloading a picture"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Opening the picture reveals some credentials, can ssh into the box with them"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Installing ADB, so we can do adb connect to port 5555"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Setting up an SSH Port forward so we can access port 5555"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Extra Content: Playing with the exploit script to understand what it 
does"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro Hacking a Command and Control Server"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 1, "seconds": 7}, "tag": "linux hard", "line": " Running nmap and discovering two different SSH Instances, guessing one is Docker"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Looking at robots.txt which includes a link to the implant, looking at the error message and discovering its a cpp binary"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Using Wireshark to discover it makes a DNS Request to Spooktrol.htb, then walking through the C2's handshake"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux hard", "line": " Using BurpSuite and socat to proxy the connection of our binary"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " Using BurpSuites find and replace to edit the Task that is getting to our C2"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Opening up the binary in Ghidra"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "linux hard", "line": " Looking at the decompiled output for the main function, which calls Spooky. 
Setting a break point on the XOR Function and discovering the first flag"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux hard", "line": " Discovering the Case Statement and analyzing Task number 1 (Exec)"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Stepping through each other task to discover what each function does"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " The Perform Upload function builds a curl command"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux hard", "line": " Breaking after the curl string is assembled to show the full command it runs (Using BurpSuite to get to this part of the code)"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux hard", "line": " Accessing Task 3 a different way, breaking at the switch statement and editing the JMP."}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux hard", "line": " Editing the filename in the PUT Command to perform directory traversal and upload an SSH Key"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux hard", "line": " Logging into the C2, and inspecting the database to discover another beacon is running, which is on the Host Operating System"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Inserting a task into the database to ask the rogue beacon to execute a reverse shell for us"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 39, "seconds": 25}, "tag": "linux hard", 
"line": " Extra Content: Exploiting the box with no reverse engineering! Using an LFI to dump the source code to the application"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " The server.py file has been leaked, grabbing all the other python scripts"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "linux hard", "line": " The application is now running on our box! Can identify the file upload functionality and how to exploit it."}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Extra Content: Going over the CPP code which shows how the implant works."}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux hard", "line": " Adding spider.htb to our host file so we can access the domain name"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Playing with the registration of the website and examining the cookie"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Putting a bunch of bad characters for our username and discovering odd behaviors"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux hard", "line": " Dumping the configuration via SSTI, can't do a complex SSTI due to username limit"}, {"machine": "HackTheBox - Spider", "videoId": 
"7vWY60pARUQ", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " We have the cookie secret, using Flask-Unsign to create malicious cookies and discover SQL Injection"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux hard", "line": " Sending our SQL Injection Payload to the server and confirming it is SQL Injectable"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 18, "seconds": 5}, "tag": "linux hard", "line": " Using the Eval Parameter of SQLMap to have SQLMap Sign the payloads it sends and dump the database"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux hard", "line": " Getting Chiv's password from SQLMap then logging into the web application"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Testing SSTI on the admin panel that we got to from Chiv and discovering a WAF (Web Application Firewall)"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Using wfuzz to enumerate the bad characters which trigger the WAF"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Playing with wfuzz encoders to URLEncode everything from our wordlist"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Obfuscating our SSTI Payload so the bad characters are not present and getting a reverse shell"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", 
"timestamp": {"minutes": 41, "seconds": 10}, "tag": "linux hard", "line": " Using SSH to setup a port forward which allows us to hit 127.0.0.1:8080 on the remote host"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux hard", "line": " Examining the authentication cookie and discovering a XML within the cookie"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Testing for XML Entity Injection"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Using Payload All The Things to help us craft an XML Entity Injection payload to read files"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "linux hard", "line": " Grabbing the SSH Private Key via XML Entity Injection and logging in as root"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap discovering the distribution of Ubuntu based upon SSH Headers"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux medium", "line": " Looking at the WebPage and discovering credentials"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux medium", "line": " Checking No-IP's documentation for updating Dynamic DNS Names"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Using Curl to create a dynamic DNS Name"}, {"machine": "HackThebox - Dynstr", "videoId": 
"csxP6Vpp5js", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Testing for Command Injection"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "linux medium", "line": " Enumerating the bad character and explaining why we could not use periods"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux medium", "line": " Converting the IP Address to a format that won't have periods (Hex)"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Reverse Shell returned, checking out the web source"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux medium", "line": " Discovering hosts from *.infra.dyna.htb can ssh into the box if there is a private key and finding the private key in the support directory"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux medium", "line": " Using SSH-Keygen to get the SSH Keys fingerprints to make sure private and public key match"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Attempting to create the DNS Record with the DNS Key that was in the web source"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 36, "seconds": 35}, "tag": "linux medium", "line": " Finding a second DNS Key, which can update Infra's subdomains"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux medium", "line": " SSH in as bindmgr and discover we can execute a bash script with sudo, exploiting a wild card argument"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", 
"timestamp": {"minutes": 45, "seconds": 35}, "tag": "linux medium", "line": " Testing the cron without doing anything malicious"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 47, "seconds": 55}, "tag": "linux medium", "line": " Creating the file --preserve=mode, which the cp command will treat as an argument letting us drop a SetUID Binary and have it owned by root"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 3, "seconds": 5}, "tag": "linux hard", "line": " Looking at the webste, getting a VirtualHost and then navigating to the page and confirming Wordpress"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux hard", "line": " The wp-content/plugins directory doesn't have an index, don't even need to use wpscan"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux hard", "line": " Testing the LFI with the plugin"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux hard", "line": " Using wpscan to enumerate wordpress users"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Explaining the /proc/ directory and why we can use this to enumerate running processes "}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 13, "seconds": 44}, "tag": "linux hard", "line": " Creating a curl script to enumerate all running processes on the box"}, {"machine": 
"HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux hard", "line": " Pulling apache's configuration to discover another virtual host"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Trying the wordpress credentials in cacti for password re-use and then exploiting Cacti with a CVE to get a shell"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Manually enumerating the SQL Databases, using /G to select large amounts of data in a human readable format"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux hard", "line": " Discovering the .backup directory in Marcus's home but we can't list contents. Grepping directories for .backup to see if any files are referenced"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "linux hard", "line": " SSH with the Marcus user and a quick refresher on SSH Port Forwarding"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Using gobuster to discover Apache OfBiz was running on 8443"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Using ysoserial to exploit Apache OfBiz via java deserialization"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "linux hard", "line": " Shell returned on the container! 
We are root doing some light enumeration to discover cap_sys_module"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux hard", "line": " Compiling the LKM to get a reverse shell"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Inserting the kernel module and getting root on the box"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Showing malleable c2 configs"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "", "line": " Creating a Hello World in C++ then creating a 2000 byte variable"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 10, "seconds": 25}, "tag": "", "line": " Adding JSON Support to our program"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Creating a Struct and function to initialize the config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " Having our main function parse the config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "", "line": " Not sure what happened to my config.h, retyping it"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " JSON Parsing done"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 22, "seconds": 
30}, "tag": "", "line": " Creating a Python Program to replace the embedded config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " XOR'ing our config in python so we avoid strings"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "", "line": " XOR'ing in our agent to read the \"encrypted\" config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 34, "seconds": 34}, "tag": "", "line": " Opening it up in Ghidra and doing some extremely light reversing"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "", "line": " Showing what happens if we strip the binary"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap and doing some recon against FTP"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux easy", "line": " Having trouble finding a release date, using WGET and examining metadata to see how old a page is"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Examining the web applicaiton"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Testing and finding the IDOR Vulnerability"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Examining the PCAP Downloaded through the IDOR Vulnerability to find FTP Creds"}, {"machine": 
"HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 12, "seconds": 12}, "tag": "linux easy", "line": " SSHing into the box with the credentials from FTP"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Running LINPEAS, examining the source code of the webapp while it runs"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Going over the LINPEAS output finding python has the ability to setuid"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux easy", "line": " Using the os libary to setuid to root"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Showing off zeek which would help analyze larger pcaps"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux easy", "line": " Changing the Zeek FTP Configuration to show passwords."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 1, "seconds": 17}, "tag": "linux hard", "line": " Using nmap and then checking out the website and adding the DNS Names to our host file"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux hard", "line": " Running GoBuster to discover the /docs directory, which is swagger documentation"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Reading the documentation and explaining JARM Signatures"}, {"machine": "UHC - 
Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux hard", "line": " Explaining the front-end which just makes accessing the backend pretty"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Using Shodan to search JARM Hashes, which would be useful if you're looking for specific attack servers or collisions"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "linux hard", "line": " Dumping all the JARMS by abusing sequential ID's with a for loop and curl"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 14, "seconds": 4}, "tag": "linux hard", "line": " Whoops... Copied the wrong JARM, this was not cobalt strike lol."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Running ncat with ssl, and checking if it is malicious... 
It's not malicious because the metadata was not there"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux hard", "line": " Using metasploit to show it would detect it as malicious"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "linux hard", "line": " Using IPTables to change the port on every 11th request with iptables -I PREROUTING -t NAT -p tcp --dport 443 -d 192.168.1.230 -m statistic --mode nth --every 11 --packet 10 -j REDIRECT --to-port 8443"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Showing Gopher connecting to our ncat "}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "linux hard", "line": " Finding a way to enumerate ports listening on localhost and discovering 5985 and 5986 are open"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 26, "seconds": 5}, "tag": "linux hard", "line": " Using wfuzz to bruteforce all ports (1-65535)"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Downloading the OMIGod Exploit to grab the payload which we will use later"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Using openssl to generate private certificates for our python webserver."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Creating a python webserver that listens on https"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux hard", "line": " Testing adding a Gopher HTTP Redirect on our custom python webserver "}, {"machine": "UHC - Jarmis", "videoId": 
"R5aNxdD0_bs", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux hard", "line": " Explaining that Gopher adds two bytes to the end of the Smuggled Request"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux hard", "line": " Using burpsuite to build the payload for us and convert it all to URL Encoding"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Updating our payload to have the correct URL for our gopher request "}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Showing how to reset the iptables counter"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 46, "seconds": 40}, "tag": "linux hard", "line": " Showing how to do this exploit with Metasploit by coding a listener"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Debugging the MSF Module we created"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 56, "seconds": 10}, "tag": "linux hard", "line": " Our MSF Module is done, running our listener and viewing all its headers"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 60, "seconds": 50}, "tag": "linux hard", "line": " Pasting our MSF Url into burpsuite and getting a reverse shell"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro the important thing about this box is recon"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "linux medium", "line": " Start of nmap discovering an nginx server header"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 4, "seconds": 
25}, "tag": "linux medium", "line": " The SSL Certificate leaks an important hostname"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Running an SNMPWalk which has a bunch of important information, notably the HTML Directory"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux medium", "line": " Discovering the SeedDms51x Directory, trying to enumerate version (Failing)"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux medium", "line": " Creating a python script to help with bruteforcing"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux medium", "line": " Script done, looking at SNMP to get other usernames"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Brutefocing michelle's password to get in and seeing the SeedDMS Version"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " The SeedDMS Patch used htaccess, server is nginx so its still vulnerable. Uploading a shell"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Grabbing the MySQL Password from SeedDMS Config and trying it against other services. 
Gain access to cockpit which gives access to michelle user"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux medium", "line": " The SNMP is executing a program every time snmp is ran, we can trick SNMP to execute our code to get root"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Start of Explaining SELinux"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 3600, "seconds": 40}, "tag": "linux medium", "line": " SELinux Using audit2why to show us why reverse shells were blocked from reverse shells"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 4080, "seconds": 50}, "tag": "linux medium", "line": " SELinux Checking why SNMP could not read /root/root.txt"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 81, "seconds": 11}, "tag": "linux medium", "line": " Explaining more about the SNMP vectors of this box"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, how to install and configure auditd"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Installing Auditd"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Downloading a good baseline ruleset from github "}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Going over the baseline file to understand how logging works"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", 
"videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " What the -p flag does with files. Logging read/write/execute/attribute change events"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " If you want CWD in your logs, uncomment this line"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Logging priv_esc events"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Excluding system accounts from log captures"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "", "line": " Fun detections to find recon and suspicious activity"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "", "line": " Logging when users fail to access files in special directories"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 24, "seconds": 16}, "tag": "", "line": " Running the omigod exploit and getting a reverse shell echo/base64"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "", "line": " Running ausearch to detect what we had done by searching for commands ran by root"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " Using some bashfu to show only commands ran by a ppid"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging 
with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Looking for the suspicious activity"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "", "line": " Analyzing a detection rule for this and understanding the importance of not excluding CWD from logs"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 34, "seconds": 15}, "tag": "", "line": " Checking if mkfifo is detected... yep"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "", "line": " Installing Laurel to convert Auditd's multiline format to singleline JSON"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Installing Rust then compiling Laurel"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "", "line": " Removing End Of Event from Auditd config to see if that fixes the Laurel bug (IT DOES!)"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 46, "seconds": 56}, "tag": "", "line": " Viewing our Auditd logs in JSON Format! 
SIEMS will love this!"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "", "line": " Going over aureport to show some things"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "", "line": " Looking for why we have so many syscall failures"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap, finding version of gunicorn is from 2019"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux insane", "line": " Enumerating the Gitea version (the 404 error page shows it)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux insane", "line": " Trying to find the Gitea version another way (HTTP Files)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux insane", "line": " Downloading jquery.js, grabbing the md5, then using VirusTotal to get an idea when it was released"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux insane", "line": " Looking at the second website (Running on gunicorn)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux insane", "line": " Testing for IDOR Vulnerabilities in the /notes/, can confirm a note exists but not read anything"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux insane", "line": " Start of 
explaining the HTTP Smuggling"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux insane", "line": " Adding non-ascii characters to Burpsuite Requests via Base64 Decoding"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux insane", "line": " Explaining HTTP Chunking"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Smuggling request created, re-explaining the attack and importance of Content-Length"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "linux insane", "line": " Sending the Smuggling request in BurpSuite then getting the cookie of another user"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux insane", "line": " Explaining why the attack is unreliable in BurpSuite then using Python to do it"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux insane", "line": " The administrator can read three new notes with some saved credentials. 
Logging into Gitea"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux insane", "line": " Looking at git history to find an SSH Key, then logging into the server"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 49, "seconds": 40}, "tag": "linux insane", "line": " Enumerating AWS using the CLI"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "linux insane", "line": " Enumerating AWS logs using the CLI to identify some secret rotation events"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "linux insane", "line": " Enumerating AWS SecretsManager using the CLI to get another users password"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "linux insane", "line": " Utilizing AWS KMS to Decrypt a file"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux insane", "line": " Extra Content, explaining some unique iptables routing that went into this box to make it stable"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of installing OMI Locally"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Downloading the exploit, but get a connection error because it cannot talk to OMI"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Editing the OMI Configuration to set it to listen on 5986"}, {"machine": 
"Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "", "line": " The exploit still isn't working debugging to find it is missing a namespace"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Finding the SCX Package Name and using a Index.Of Google Dork to find it on an open HTTP directory"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Installing the SCX Agent and getting code execution"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 11, "seconds": 13}, "tag": "", "line": " Setting the exploit to go through BurpSuite so we can understand how it works"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Going over the blog post to understand why it was vulnerable"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "", "line": " Talking about how the researchers may have found it. MS Patched it without major announcement and it was in the Git Changelog!"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro, sorry for double upload. 
First one missed the last 5 minutes."}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "linux easy", "line": " Start of nmap, discovering SSH/HTTP are different operating systems"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Testing the website"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Intercepting the registration and testing for SQL Injection on the Country"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 4, "seconds": 19}, "tag": "linux easy", "line": " Discovering a static cookie is returned that is a MD5Sum of the UserName"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux easy", "line": " Our single quote country caused an Second Order SQL Injection testing Union Injection"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 8, "seconds": 8}, "tag": "linux easy", "line": " Using our Union Injection to drop a webshell"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Revrse Shell Returned"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux easy", "line": " Getting the database password out of the webconfig, and its also the root user"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Explaining how I gave \"dedicated\" containers to each player"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 13, "seconds": 35}, "tag": "linux easy", "line": " Going over the Kernel Module I wrote to do routing based upon the last 
octet of an IP Address"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux easy", "line": " Going over the code around SQL Injection and how to do prepared statements in PHP with SQL"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Creating middleware with Flask so SQLMap can exploit this second order sql injection"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro FreeBSD Box"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux medium", "line": " Start of nmap explaining why versions are useful"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 4, "seconds": 54}, "tag": "linux medium", "line": " Discovering hostname on the box, then adding it to our host file"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Using GoBuster to bruteforce virtual hosts and discovering moodle"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Searching Moodle on github to find a way to identify Moodle Version"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 11, "seconds": 27}, "tag": "linux medium", "line": " Reading the Moodle Security Announcements since the Moodle Version"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Enrolling in the Math Course the announcement hints at XSS"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", 
"line": " Testing for XSS in our Moodle Net Profile"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "linux medium", "line": " Changing our HTML to load an external script and then stealing cookies via document.write"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Performing CVE-2020-14321 to escalate from Teacher to Manager in moodle"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux medium", "line": " Enabling plugin installation, then uploading a malicious moodle plugin"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux medium", "line": " Pulling ht MySQL Password from Moodle's configuration and then cracking hashes for users"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "linux medium", "line": " SSH as Jamie, and then using gtfobins and fpm to privesc without setting up a repository"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "linux medium", "line": " Doing the privesc the intended way by setting up a pkg repository"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", 
"line": " Downloading and installing the deb package with dpkg, then fixing the host file"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "linux hard", "line": " Running wireshark when examining the unobtainium application then examining the HTTP Requests"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "linux hard", "line": " Proxying the unobtainium app through Burpsuite by creating a new proxy listener and updating the host file"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux hard", "line": " Playing with the LFI on /todo and discovering we can only cause errors or include files in the local directory"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " Using FFUF to attempt to find other JS Files with this LFI"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux hard", "line": " Copying the index.js source code and looking for vulnerabilities"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Discovering hard coded credentials, examining the administrator password to see there would be too much entropy to bruteforce"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux hard", "line": " Analyzing the upload functionality to discover an RCE if we can upload"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Discovering a merge command and looking up Prototype Pollution to potentially update our user object with the upload 
permission"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Giving ourself the Upload Functionality then performing the RCE in Upload"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 25, "seconds": 53}, "tag": "linux hard", "line": " Ping works, now lets get a reverse shell"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Reverse shell returned, confirming we are in kubernetes downloading peirates and kubectl"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 32, "seconds": 49}, "tag": "linux hard", "line": " Using kubectl to do basic enumeration of kubernetes, switching our namespace then listing pods"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux hard", "line": " Demonstrating Peirates which makes the enumeration of kubernetes easier by providing a menu to list/switch namespaces and get pods"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux hard", "line": " Exploiting the same application in dev which gets us a different kubernetes token"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "linux hard", "line": " Doing the enumeration with kubectl again but this time we can utilize the Kube-System namespace to list secrets and taking an admin token"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux hard", "line": " Using our stolen token and discovering we can create pods using kubectl auth can-i create pods -n kube-system -token=(token)"}, {"machine": "HackTheBox - Unobtainium", "videoId": 
"UgHt_Y3vdNg", "timestamp": {"minutes": 44, "seconds": 22}, "tag": "linux hard", "line": " Explaining the attack we are about to do to create a pod with host disk mounted in the pod, then doing it in Peirates"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Looking at the Peirates source code to see how the attack works"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux hard", "line": " Doing the attack manually with kubectl"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 52, "seconds": 55}, "tag": "linux hard", "line": " The malicious pod is created now lets go into it and look at the root disk"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro, box is playable on HackTheBox!"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 1, "seconds": 9}, "tag": "linux medium", "line": " Start of nmap and enumerating the page on port 80"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux medium", "line": " Discovering Port 8080"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Using ffuf to fuzz and discover SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Showing wfuzz doesn't need nearly as many parameters"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Reading up on GoLang SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Using GoLang {{ . 
}} to dump all variables and get password"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 11, "seconds": 54}, "tag": "linux medium", "line": " Logging in to get the Source Code and finding the DebugCmd Function"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Showing RCE through the GoLang SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " The Docker is an internal docker, showing a bunch of hints towards AWS"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Using the aws commands to list buckets and upload a webshell via S3"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Examining the NGINX Configuration -- LocalStack (used for s3) hack to enable authentication"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 26, "seconds": 26}, "tag": "linux medium", "line": " The \"Command on\" flag is for port 8000 in nginx config, googling it to see its a backdoor (NginxExecute)"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 28, "seconds": 28}, "tag": "linux medium", "line": " The backdoor isn't working, running strings against the module to see system.run was changed to ippsec.run and getting RCE as root"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Converting the RCE to a shell by uploading an SSH Key"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 33, "seconds": 40}, 
"tag": "linux medium", "line": " Entering the golang container to show some more about the SSTI Configuration, hoping to make the first step make sense"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux medium", "line": " Opening the nginx module in Ghidra"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux easy", "line": " Running GoBuster before we start poking at the site"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 3, "seconds": 33}, "tag": "linux easy", "line": " Discover the x-powered-by header says its a weird php version, going to google"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 4, "seconds": 5}, "tag": "linux easy", "line": " Finding a blog post about php-8.1.0-dev being backdoored"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Looking at the backdoor"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 5, "seconds": 55}, "tag": "linux easy", "line": " Failing to use the backdoor because of a bad header"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 8, "seconds": 24}, "tag": "linux easy", "line": " Finding the issue, the backdoor uses the header User-Agentt (note the two t's)"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Shell returned"}, {"machine": "HackTheBox - Knife", "videoId": 
"93JnRTF5sQM", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "linux easy", "line": " Discovering we can run knife with sudo, and finding a GTFOBin"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows hard", "line": " Start of nmap and checking the website"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows hard", "line": " Looking at the web console which shows the page making a request to Products-Ajax.php then playing with the parameters"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "windows hard", "line": " If the hash parameter is missing the application errors and leaks the secret key and identifying how it signs"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows hard", "line": " Using SQLMaps Eval parameter to automate the secure hash generation (Calculated Parameter Bypass)"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows hard", "line": " Logging into the application with a password from the database and discovering a LFI"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "windows hard", "line": " Creating a python script to automate the LFI Exploitation"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows hard", "line": " Script done attempting to perform RFI"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows hard", "line": " Another Stack Trace, 
identifying a race condition in their check for examining malicious php files"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows hard", "line": " Using SMB to steal the hash of the user running the webserver"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Exploiting the race condition with inotify to get the server in order to execute our PHP Code"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "windows hard", "line": " Reverse shell returned! Finding the GoLang Program"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "windows hard", "line": " Opening the binaries in Ghidra (prior to installing the golang plugin)"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows hard", "line": " Installing GoTools to make reversing goland suck less"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "windows hard", "line": " Start of reversing the client binary, explaining some golang oddities"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "windows hard", "line": " Running the programs on our local windows machine to identify if we reversed it correctly"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "windows hard", "line": " Back to Ghidra and reversing server.exe to see what it does to clean files"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 79, "seconds": 50}, "tag": "windows hard", "line": " Using IO Ninja Pipe Monitor to snoop in on the pipes"}, {"machine": 
"HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 87, "seconds": 50}, "tag": "windows hard", "line": " METHOD 1: Stealing the flag by cleaning, copying off, then decrypting locally"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "windows hard", "line": " METHOD 2: Creating symlinks to trick the server in copying root.txt to a directory we own"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 110, "seconds": 15}, "tag": "windows hard", "line": " METHOD 3: Tricking server.exe into writing into system32, then using WerTrigger to elevate privileges"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " Start of nmap and poking at website. 
Browser Developer Window shows WebSockets + Hostname"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "linux insane", "line": " Setting up full portscan and gobuster while we poke at the box, to always have recon running"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux insane", "line": " Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later)"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux insane", "line": " Playing with the websockets in BurpSuite, discovering SQL Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux insane", "line": " Creating a python program to aid our SQL Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux insane", "line": " SQL Injection: Enumerating information_schema to pull out table information"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux insane", "line": " Going back to test our previous ffuf to find out i forgot the header flag"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux insane", "line": " Using ffuf to fuzz parameters for the passwordreset php script and trying the token from Sql Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux insane", "line": " Enumerating our SQL Users permissions and then including files"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux insane", "line": " RelayD configuration shows a new 
domain crossfit-club.htb, failing to sign up with an account"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 57, "seconds": 40}, "tag": "linux insane", "line": " Using grep to extract /api/ endoings from javascript files"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " Discover the signup endpoint, only administrators can create accounts."}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Grabbing unbound secret keys which will let us create DNS Entries on the box"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 70, "seconds": 8}, "tag": "linux insane", "line": " Creating a domain name with unbound and then editing the Host header in the password reset"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 73, "seconds": 0}, "tag": "linux insane", "line": " Explaining the DNS Rebind attack to get around the server examining our DNS Name"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "linux insane", "line": " Start of XSS to have the user register an account for us"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 86, "seconds": 40}, "tag": "linux insane", "line": " Hitting the start of our XSS to debug, explain bypassing CORS based upon not escaping the period in the URL"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 94, "seconds": 20}, "tag": "linux insane", "line": " Changing our unbound request to use a domain name that bypasses CORS "}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 97, "seconds": 15}, "tag": "linux insane", "line": " Appending a slash to 
the host header to bypass a regex"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 99, "seconds": 5}, "tag": "linux insane", "line": " The final XSS Payload to have an administrator create an account for us. Checking out the chat applicaiton"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "linux insane", "line": " Start of creating XSS to steal Direct Messages from chat application"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 111, "seconds": 0}, "tag": "linux insane", "line": " Creating a second account, so we can examine how DM's work in the chat application (use wireshark to do this)"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 114, "seconds": 50}, "tag": "linux insane", "line": " Finishing off the XSS Script to steal DM's by hooking private_recv"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 121, "seconds": 10}, "tag": "linux insane", "line": " Finding a message that contains a password and SSHing into the box"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 123, "seconds": 50}, "tag": "linux insane", "line": " Using find to show files owned by a group"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 125, "seconds": 0}, "tag": "linux insane", "line": " Examining the Statbot NodeJS Script, then exploiting a library injection vulnerability"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 132, "seconds": 30}, "tag": "linux insane", "line": " Reverse shell returned, finding another binary to reverse"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 136, "seconds": 20}, "tag": "linux insane", "line": " Going over why i hate reversing BSD Binaries, 
comparing Ghidra and Cutter decompiler output"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 143, "seconds": 15}, "tag": "linux insane", "line": " Viewing backups on BSD and discovering root's ssh key is being backed up to /var, so the log binary can read it!"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 145, "seconds": 0}, "tag": "linux insane", "line": " SSH is still asking for a password after using SSH Key, confirming it accepted our key, then viewing sshd/login config on BSD to see what its asking for"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 147, "seconds": 0}, "tag": "linux insane", "line": " Downloading YubiKey Secrets then failing to get it to generate a key for a bit"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 163, "seconds": 0}, "tag": "linux insane", "line": " Using YKPARSE to examine our key, then change the session and generate a valid MFA"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "linux easy", "line": " Running nmap against all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "linux easy", "line": " Attempting to enumerate the initial web page (Voting System)"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Nmap finished, checking staging.love.htb from the SSL Certificate"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux easy", "line": " Finding an SSRF Vulnerability in the file scanner"}, {"machine": "HackTheBox - Love", "videoId": 
"V_7ubkfnPK4", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Having trouble using WFUZZ to fuzz all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " Switching to FFUF and still having trouble to fuzz all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Fuzzing takes too long, trying ports from nmap to see if any page is restricted by IP and findig creds"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux easy", "line": " Attempting to use an exploit script for Voting System (More at end of video)"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux easy", "line": " Enough with the exploit script, manually exploiting the application with an image upload"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 43, "seconds": 43}, "tag": "linux easy", "line": " Using Nishang to get a reverse shell, then running WinPEAS"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux easy", "line": " Seeing AlwaysInstallElevated is set on the system, using msfvenom to build an msi"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "linux easy", "line": " Box Done - Going back to the exploit script and getting it working"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap "}, {"machine": "HackTheBox - TheNotebook", 
"videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Checking out the webpage, trying to identify the language running the page"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux medium", "line": " Exploring how Add Note works and testing SSTI/SQL/XSS"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Checking out the cookie to see how the JWT is encoded"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " JWT.IO shows the JWT is RS256 and there's a URL for the privKey"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Editing the PrivKEy, I'm not sure why i didn't do this within the JWT.IO website..."}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux medium", "line": " Confirming the server goes to us to get the PrivateKey"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux medium", "line": " Using ssh-rsa/openssl to create a RSA Key and forging the JWT"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 14, "seconds": 55}, "tag": "linux medium", "line": " Exploring the IDOR Vulnerability to see if unauthenticated users can access notes"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux medium", "line": " Uploading a PHP File to confirm code execution then a reverse shell."}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 21, "seconds": 23}, "tag": 
"linux medium", "line": " Identifying when the box was created by looking at SSH Host Keys, then using find to list files created around that time"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " My reverse shell keeps crashing, doing the finds without the PTY Trick to find a backup that has an SSH Key"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " SSH into the box with the SSH Key and discovering we can use sudo to access Docker"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux medium", "line": " Exploring the docker for sensitive information that could be used to access other users on the box "}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "linux medium", "line": " Looking at the Docker Version to see it from 2018 and finding a vulnerability"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux medium", "line": " Performing CVE-2019-5736 to get root"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of the box, showing a quick way to nmap"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Looking at web page"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Looking for Drupal Scanners"}, {"machine": "HackTheBox - Armageddon", 
"videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Showing how I would fingerprint opensource apps if there was no scanner"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Using DroopeScan to scan the site"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Starting to use Drupalgeddon2 to get a shell"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux easy", "line": " Installing gems so DrupalGeddon works"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux easy", "line": " Drupalgeddon2 works, going from a webshell to reverse shell"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Confused about OSError: out of pty devices when improving the shell, give up eventually"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Looking for users on the box, then hunting for the Drupal configuration"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Cannot find the drupal configuration, going to google and asking for how to change the SQL Password"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux easy", "line": " Logging into the Drupal MySQL Database then dumping the Drupal Hash but have trouble getting it to work since we don't have a TTY"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 29, "seconds": 0}, 
"tag": "linux easy", "line": " Cracking the Joomla Password, then testing the password with ssh and logging in"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Our user can install Snap Packages with sudo, so building a malicious snap"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Installing FPM which lets us build packages, building a lot of bad packages until we find one that works"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux easy", "line": " Our malicious packages aren't working, switching to a non-malicious one to test the exploit"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 40, "seconds": 16}, "tag": "linux easy", "line": " Having our snap attempt to grab the root flag, turns out i was just impatient before"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 43, "seconds": 43}, "tag": "linux easy", "line": " Moving bash to avoid system directories and setting it to setuid"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux easy", "line": " Explaining what snap is"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows hard", "line": " Poking at the website"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 5, 
"seconds": 20}, "tag": "windows hard", "line": " Quickly testing for SQL Injection and coming up with nothing"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Creating an account and checking what regular users can do"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "windows hard", "line": " Using BurpSuite Sequencer to identify low entropy within login cookies"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows hard", "line": " Finding the 302 redirect still outputs the page, its just that the browser doesn't want to show it"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "windows hard", "line": " Creating a simple PHP File to be uploaded"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "windows hard", "line": " Finding the /books/ url and checking the book search page again to find LFI"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows hard", "line": " Building a quick python script to automate the LFI"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "windows hard", "line": " Windows is really weird with SSH, need to disable PubKeyAuth in order to login with a password"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows hard", "line": " Looking at the fileController php file to see who can upload files"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows hard", "line": " Looking 
around the source code to examine how PHP Sessions are built, so we can impersonate Paul"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 46, "seconds": 35}, "tag": "windows hard", "line": " Running makesession with all permutations so we can get Pauls login cookie"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "windows hard", "line": " Logged in as Paul, now we need to modify the JWT token to say we are Paul"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 53, "seconds": 50}, "tag": "windows hard", "line": " We can now upload php files! Some light AV Evasion and have a reverse shell with Nishang"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "windows hard", "line": " Finding Juliette's password within the web application and SSH'ing into Windows"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows hard", "line": " Hunting for Microsoft Sticky Notes and finding the Developer Password"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows hard", "line": " Logged in as Development, finding a linux app to reverse in ghidra"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 74, "seconds": 50}, "tag": "windows hard", "line": " Mimicing the curl requests by the linux app to port localhost:1234, so using SSH to forward that. 
(the localhost screws things up)"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 79, "seconds": 3}, "tag": "windows hard", "line": " Our curl still isn't working, figuring out the master key to see if the linux application works."}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "windows hard", "line": " The localhost in our SSH Port Forward is causing weird issues, changing it to 127.0.0.1 fixes it"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 83, "seconds": 10}, "tag": "windows hard", "line": " The app works, testing for SQL Injection"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 85, "seconds": 10}, "tag": "windows hard", "line": " Using information_schema to dump information about the database (databases, tables, columns), then extracting all info"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 88, "seconds": 40}, "tag": "windows hard", "line": " Using cyberchef to decrypt the AES Blob from the database"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "windows hard", "line": " PSExec isn't working (av?), switching to wmiexec and getting a shell."}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "windows medium", "line": " Running RPCDump which shows if this is vulnerable to PrintNightmare (Exploit it later)"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": 
{"minutes": 3, "seconds": 0}, "tag": "windows medium", "line": " Examining the webpage"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows medium", "line": " Explaining why i use lowercase wordlists on against Windows Webservers"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows medium", "line": " Listing shares with smbclient to find an open share"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "windows medium", "line": " Decompiling the Electron installer/app with asar"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows medium", "line": " Everything is extracted looking at package.json and main.js to find electron-updater"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows medium", "line": " Searching for exploits within Electron"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows medium", "line": " Using MSFVENOM to build a reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows medium", "line": " Editing our installer YAML to point to our reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows medium", "line": " Putting the files on the share and getting our reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows medium", "line": " Exploring the box to find PortableKanban "}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows medium", "line": " 
Copying the config to our box so we can extract the database password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "windows medium", "line": " Using CyberChef to decrypt the Portable Kanban password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "windows medium", "line": " Authenticating to Redit-CLI and dumping the user information to get administrator password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "windows medium", "line": " Using rundll32 to create a memory dump of LSASS so we can extract a password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Downloading lsass.dmp with evil-winrm"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Using Pypykatz to parse the dump file and get Jason's password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows medium", "line": " Building our environment to perform CVE-2021-1675 (PrintNightmare)"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "windows medium", "line": " Using PrintNightmare to connect to our netcat to verify it is vulnerable"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows medium", "line": " Building a DLL to send a reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "windows medium", "line": " Having trouble with Impacket's SMBServer, configuring our local SMBD to work with this exploit"}, {"machine": "HackTheBox - Atom", "videoId": 
"1OC2eRVX0ic", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "windows medium", "line": " Reading more errors from impacket to verify we do have code execution"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "windows medium", "line": " Giving a file that doesn't exist to see another error... More verifying that this is working"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "windows medium", "line": " Giving it our ReverseShell DLL to get a reverse shell"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap, looking at release date of tomcat"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Starting a bruteforce of /manager login to run in the background"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Playing with the YAML Parser, sending special characters leads to a stack trace showing the library"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux medium", "line": " Testing a YAML Deserialization payload for Snake YAML"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux medium", "line": " Start of weaponizing the payload"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux medium", "line": " Having a lot of trouble with building out a payload due to special characters"}, {"machine": 
"HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux medium", "line": " Making it simple, just downloading a script then executing it"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux medium", "line": " Finally got a shell"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " Going into how we know the sudoers file is non-default by date or filesize"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Finding out install date of a linux machine by SSH Host Key"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Finding where tomcat is installed and then grabbing the password out of the config tomcat-users"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Trying the tomcat password with the admin user"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Going over the go source code which can be ran with sudo"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Downloading the web assembly so we can decompile the wasm into a wat then edit it"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Got Root, showing why i used metasploit to bruteforce tomcat password (lockouts)"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " 
Start"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Nmaping the box"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Checking out the web pages, discovering Wordpress"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Getting the username of wordpress by looking at the blog post author"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Running WpScan with Plugins-detection"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux easy", "line": " Finding an open directory on the testing site, accessing a backup"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux easy", "line": " Attempting to login with MySQL but cannot due to the account only being allowed on localhost"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Logging into wordpress with administrator and the devteam01 password"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "linux easy", "line": " Getting a shell through WordPress by editing an unused theme"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux easy", "line": " Failing to get a reverse shell..."}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Using a common PHP Reverse Shell"}, {"machine": "HackTheBox - Spectra", "videoId": 
"mC7G3i2gV54", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux easy", "line": " Discovering we are on a ChromeBook"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux easy", "line": " Discovering a password in autologin"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux easy", "line": " Using the password with local users on the box"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux easy", "line": " Logging in with Katie then seeing she can run sudo initctl"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Failing to play with init files, switching to a simpler method of testing code exec"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux easy", "line": " Putting a python reverse shell inside of init and getting root"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Running nmap and giving it capabilities so we don't need to use sudo"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux hard", "line": " Discovering an email on the SQUID Page"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux hard", "line": " Running GetNPUsers since Kerberos is running, end up getting a hash we can't crack"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 11, "seconds": 50}, "tag": 
"linux hard", "line": " Attempting to enumerate DNS, coming up with nothing"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "linux hard", "line": " Using GoBuster to bruteforce DNS Names"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Using Curl to send requests through Squid to the new Domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Mistake here, swapped the IP Addresses :("}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Using ProxyChains to create a proxy through Squid"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux hard", "line": " Nmaping through our ProxyChains, need to use the -sT flag"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Enabling Quiet Mode of ProxyChains to make it less verbose"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " Comparing nmap banners/version to see if these ports go to anything new"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Adding the third Squid Proxy and checking if we get anywhere else"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Downloading the wpad file to discover some new domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux hard", "line": " 
Using DNSRecon to perform a reverse lookup of a range of domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux hard", "line": " Running nmap against the new host to discover SMTP"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " Running the Python OpenSMTPD Exploit Script CVE-2020-7247"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 48, "seconds": 15}, "tag": "linux hard", "line": " Troubleshooting payloads with the exploit"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Giving python the capability to listen on privilege ports, so we don't need sudo with http.server"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Now my proxychains isn't working... Turns out capabilities breaks proxychains?"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 56, "seconds": 44}, "tag": "linux hard", "line": " Shell on the box! 
Lets run LinPEAS"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 62, "seconds": 15}, "tag": "linux hard", "line": " Finding the msmtprc file which contains a password"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux hard", "line": " Configuring our parrot box's kerberos to connect to Tentacle's KDC"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 68, "seconds": 20}, "tag": "linux hard", "line": " Running NTPQ / NTPDate to sync our time with the server"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 69, "seconds": 30}, "tag": "linux hard", "line": " Running kinit to generate a kerberos ticket that lets us into SSH"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 74, "seconds": 45}, "tag": "linux hard", "line": " SSH into the box as j.nakazawa then discovering a Cron that lets us write into ~admin"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux hard", "line": " After failing to put an SSH Key, putting a .k5login file which behaves similiarly"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "linux hard", "line": " Running find to show files owned by the user/group of admin and discovering the KeyTab File"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 85, "seconds": 45}, "tag": "linux hard", "line": " Using the KeyTab file to become users in it, taking an admin cred to create a new root principal"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 87, "seconds": 25}, "tag": "linux hard", "line": " Box done, let's explain whats going on and what the \".local\" binaries let you do if you root a KDC"}, 
{"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "linux hard", "line": " Creating a new Kerberos user, kerberoasting again to see if John The Ripper can crack it"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 93, "seconds": 55}, "tag": "linux hard", "line": " Showing what is in the KeyTab File and doing a bad job parsing it by hand"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "linux hard", "line": " Finding scripts to dump hashes out of KeyTab"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux medium", "line": " Discovering wordpress, fixing our host file"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Running wpscan to enumerate wordpress via aggressive mode"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Manually enumerating wordpress users by listing blog posts by author"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Discovering Sator.php, then using GoBuster to discover hidden backups to find Sator.php.bak"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Start of looking at the php source to see its a basic deserialization challenge."}, {"machine": 
"HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Building the deserialization gadget to write a file"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Uh oh. Made a typo, thankfully can find it quickly and get RCE"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 16, "seconds": 24}, "tag": "linux medium", "line": " Going back a step and showing a proper way to troubleshoot it"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Getting a reverse shell then examining wordpress config to get some credentials"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux medium", "line": " Testing the credentials with SSH and logging in with neil"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Discovering Neil can run enableSSH.sh with sudo, which has a race condition"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Writing a bash loop to exploit the race condition"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux medium", "line": " Exploiting the race condition more elegantly by using inotify to be notified when files are created"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Googling for an example written in C"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Going over the program"}, 
{"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 30, "seconds": 12}, "tag": "linux medium", "line": " Modifying the code to write a file upon discovering create"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux medium", "line": " Think i forgot to free th pointer, so it segfaults. Writing PleaseSubscribe to prove it worked."}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Running nmap"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux easy", "line": " Using Firefox Developer Tools to inspect the page and see its a Python webserver"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Fuzzing parameters with ffuf to see if anything sticks out"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux easy", "line": " Ffuf isnt giving expected output, lets send the request to BurpSuite to find out we are missing a HTTP Header"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Adding the Content-Type header to ffuf and finally fuzzing special characters"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " There is a MSFVenom CVE and it looks like the webpage uses MSFVenom"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux easy", 
"line": " Editing the MSFVenom exploit to place a reverse shell but the exploit keeps failing"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Using curl to test the RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux easy", "line": " Validated we have RCE, building out a web cradle with our curl to execute code"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "linux easy", "line": " Reverse shell returned as kid user"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux easy", "line": " Looking at the web application and discovering a logs directory"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux easy", "line": " Using stty to fix up our reverse shell so vim/nano works"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux easy", "line": " Running GoSPY to examine processes on the box"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux easy", "line": " Ha. 
GoSpy found the MSFVenom RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Examining the scanlosers.sh script to find a RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux easy", "line": " Having trouble exploiting scanlosers, taking a deeper look at the script"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell as pwn returned"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " pwn can run metasploit with sudo, executing commands by just specifying a binary in MSF"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux easy", "line": " Showing the IRB console within metasploit which would give us another way to execute commands"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Taking a look at the MSFVenom exploit"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 1, "seconds": 17}, "tag": "windows hard", "line": " Start of nmap, showing having valid hostnames will give more information"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 3, "seconds": 54}, "tag": "windows hard", "line": " Error message on source.cereal.htb leaks a path"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows hard", "line": " Showing .git doesn't exist in DirectyList but does in Raft"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 8, "seconds": 2}, "tag": 
"windows hard", "line": " Using Git-Dumper to download the .git directory and view the source"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "windows hard", "line": " Looking at Git History shows where deserialization happens and a hard coded JWT "}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 12, "seconds": 8}, "tag": "windows hard", "line": " Using the hard coded JWT To build our own token in dotnet."}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows hard", "line": " Trying to use our JWT to access authenticated pages"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 25, "seconds": 42}, "tag": "windows hard", "line": " Going through the React JavaScript to see the token is stored in our browsers local storage"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "windows hard", "line": " Our browser keeps clearing the storage lets just intercept a request in BurpSuite and do what we need"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows hard", "line": " Start of the Desrialization, BadWords Filter to prevent ySoSerial, but we can manually create our own deserialization payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "windows hard", "line": " Finding the name of our JSON Library then finding a blackhat talk on abusing it, to build our payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 40, "seconds": 11}, "tag": "windows hard", "line": " More examining javascript to find routes that leaks pages of the pplication"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": 
{"minutes": 42, "seconds": 15}, "tag": "windows hard", "line": " Using npm audit to find an XSS Vulnerability on /admin due to an out of date plugin react-marked-markdown"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 46, "seconds": 10}, "tag": "windows hard", "line": " Testing the XSS Vulnerability with a simple payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows hard", "line": " Putting it all togather, writing notes on how we are going to build the exploit"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 51, "seconds": 15}, "tag": "windows hard", "line": " Start of exploit script making python requests not care about SSL, then building our JWT with pyJwt"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Testing out bad character evasion with Base64 by using a benign XSS Payload first"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "windows hard", "line": " Adding stage 1 to our script to send the deserialization payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 68, "seconds": 22}, "tag": "windows hard", "line": " Changing our payload to use XMLHttpRequest to force the browser to make a request to perform the deserialization which bypasses the RestrictIP Policy"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 73, "seconds": 8}, "tag": "windows hard", "line": " Our script did not work, troubleshooting it"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 77, "seconds": 57}, "tag": "windows hard", "line": " Script worked, lets now host a ASPX File for it to download"}, {"machine": "HackTheBox - Cereal", "videoId": 
"04ZBIioD5pA", "timestamp": {"minutes": 79, "seconds": 20}, "tag": "windows hard", "line": " Using our webshell to download the SQLite Database"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 82, "seconds": 45}, "tag": "windows hard", "line": " Our Powershell One-Liner to convert the database to b64 just fails. Lets copy the database to the web directory so we can download it without encoding it"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "windows hard", "line": " Showing IIS isn't allowing us to download files that end in .db"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 87, "seconds": 45}, "tag": "windows hard", "line": " Showing odd behavior with SSH not prompting us for password due to it treating PubKey as login attempts. Fix is tell SSH to not us pubkey"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 93, "seconds": 0}, "tag": "windows hard", "line": " Discovering port 8080, forwarding that port and discovering GraphQL. 
Installing GraphQL Playground"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "windows hard", "line": " Using GraphQL Playground to dump data out of the database, then use a mutation to trigger the SSRF"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 99, "seconds": 30}, "tag": "windows hard", "line": " Downloading GenericPotato so we can use this SSRF to steal the Token"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 104, "seconds": 20}, "tag": "windows hard", "line": " Running Generic Potato in HTTP Mode triggering the SSRF and getting a root shell"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 0, "seconds": 46}, "tag": "linux easy", "line": " Starting with nmap"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Enumerating the website to see links to the HelpDesk and Mattermost"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " Attempting to enumerate the version of osTicket"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux easy", "line": " Searchsploit json output shows the date"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " No exploits found, lets open a new ticket and see it gives us a way to update the ticket via email"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Creating an account on 
Mattermost with the email of the helpdesk to get the activation link"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Viewing the internal chat and seeing a password, then SSHing to the server"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux easy", "line": " Using hashcat to create a wordlist with its internal rule system"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux easy", "line": " Going over how Hashcat Rule files work"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux easy", "line": " Root #1: Running sucrack to bruteforce the root users password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Root #2: Cracking the Mattermost Password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Using hashcat to crack the Mattermost Password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux easy", "line": " Going over how i set up the email server on this box"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux medium", "line": " Start of nmap discovering gitlab"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Registering for an account, then finding the version"}, {"machine": "HackTheBox - Ready", 
"videoId": "bHVVYBzOX54", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Searching the GitLab commit history to see the patch changing how localhost is verified"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Using the import repo from URL feature to force the server to make a request"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux medium", "line": " Attempting SSRF Attacks with Gopher"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Successfully got the server to connect back using git with line breaks"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Finding a gitlab RCE Path from SSRF using Redis"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux medium", "line": " Failing to gttempting to get RCE"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Ping isn't working, trying Whoami with NC"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux medium", "line": " Finally get RCE with whoami and putting a space at the end of our payload"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Attempting to get a Reverse Shell"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Using CyberChef to get rid of the plus in our base64 paylaod"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", 
"timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux medium", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " DeepCE didn't give us much, running linPEAS again"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux medium", "line": " Finding the SMTP Password in a backup which is the root password"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux medium", "line": " Mounting the hosts disk to get root"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux insane", "line": " Showing a tmux keybinding to "}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 3, "seconds": 6}, "tag": "linux insane", "line": " Setting up an IPTables rule to log new connections"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux insane", "line": " Using SWAKS to send an email "}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Starting up a python SMTP Server so we can see the email coming back to us"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 12, "seconds": 23}, "tag": "linux insane", "line": " Finding a VIM RCE and verifying it works by using ping"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux insane", "line": " Testing a python2 web cradle within the VIM Exploit"}, {"machine": "HackTheBox 
- Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux insane", "line": " Explaining how our C2 is going to work and why what we are doing it uniquely"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux insane", "line": " Quick high level overview of the C2 Program we are creating"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux insane", "line": " Start coding the C2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux insane", "line": " Demoing the C2 Keeping the HTTP Request alive until a command is sent"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Updating our Client/Implant to work with the new C2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "linux insane", "line": " Updating the Web Cradle with our improved agent and getting a shell as Guly"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux insane", "line": " Discovering an SSH Config, updating it to put our web cradle in ProxyCommand to get shell as Freshness"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "linux insane", "line": " Start of analyzing the AuthKeys binary"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux insane", "line": " Installing OpenBSD"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 75, "seconds": 16}, "tag": "linux insane", "line": " Getting GEF on OpenBSD to help with reversing"}, {"machine": "HackTheBox 
- Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "linux insane", "line": " Back to analyzing the binary, examining the registers after Base64"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 82, "seconds": 10}, "tag": "linux insane", "line": " Using Pattern Create with a large string to crash the program and find out what registers we control"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux insane", "line": " Controlling RIP and dealing with an annoying python3 oddity that makes me use Python2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 91, "seconds": 10}, "tag": "linux insane", "line": " Start of talking about ROP Chains and looking up the Execve Syscall information"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 92, "seconds": 39}, "tag": "linux insane", "line": " Comparing OpenBSD to Linux Syscall numbers and realizing why linux segfaulted (different codes!)"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux insane", "line": " Using Ropper to print gadgets"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 96, "seconds": 30}, "tag": "linux insane", "line": " Start of RAX Gadget, finding SHR and NOT"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux insane", "line": " Showing the start of base64 decode is hard coded at a memory address"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 100, "seconds": 52}, "tag": "linux insane", "line": " Explaining how to create any number with just the NOT and SHR instructions."}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": 
{"minutes": 108, "seconds": 10}, "tag": "linux insane", "line": " Start of RDI Gadget (movss and cvtss1si)"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 114, "seconds": 40}, "tag": "linux insane", "line": " Start of creating our exploit program and prove we can set RAX"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 124, "seconds": 15}, "tag": "linux insane", "line": " Adding the ability to set RDI which requires putting some data on the stack"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 133, "seconds": 30}, "tag": "linux insane", "line": " Explaining our writing to the stack"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 149, "seconds": 0}, "tag": "linux insane", "line": " Explaining the SSH Public Key Format/Algorithm and adding the header"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 162, "seconds": 10}, "tag": "linux insane", "line": " Having trouble with our format, generating a large SSH Key to steal its structure"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 160, "seconds": 0}, "tag": "linux insane", "line": " Switching out our webshell for a reverse shell because its having weird issues..."}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 182, "seconds": 0}, "tag": "linux insane", "line": " Crap... forgot to put a null byte on the reverse shell code got a reverse shell"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 183, "seconds": 30}, "tag": "linux insane", "line": " Testing against our target to get a reverse shell. 
The C2 Web Cradle did not work because Requests was not installed."}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "windows hard", "line": " Running CrackMapExec to discover null authentication and an open share"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows hard", "line": " Running Spider_Plus with CME then JQ to parse the output"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows hard", "line": " Looking into KanBan"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "windows hard", "line": " Using smbclient to download files"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "windows hard", "line": " Running Impacket's SMBServer so we can easily copy things between our linux and windows VM"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows hard", "line": " Editing the KanBan config to perform a \"password reset\", log into kanban and then decrypt the passwords."}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows hard", "line": " Using DnSpy to decompile KanBan (dotnet) and then extract the Crypto Keys"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "windows hard", "line": " Creating a python script to decrypt items in the KanBan 
config"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "windows hard", "line": " Using CME to password spray with the credentials from KanBan, running spider plus again then downloading files"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "windows hard", "line": " Using DnSpy yet again to decompile the new executables, discovering dotnet remoting and credentials"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows hard", "line": " Looking into exploiting .net remoting to discover ExploitRemotingService and Ysoserial.net "}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows hard", "line": " Sharing the OpenVPN Connection from Linux with Windows so we can have two boxes connected simultaniously"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 55, "seconds": 12}, "tag": "windows hard", "line": " All the commands needed to turn our linux machine into a router with NAT"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 57, "seconds": 48}, "tag": "windows hard", "line": " Getting a reverse shell by executing the ExploitRemotingService Binary with the payload from ysoserial .net"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "windows hard", "line": " Using Compress-Archive to zip up the WCF Directory then copy it to our linux and windows machines"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " Analyzing the WCF Source in Visual Studio to discover we can execute powershell"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 67, 
"seconds": 20}, "tag": "windows hard", "line": " Attempting to run the binary but get login failure, using net use with /netonly to run the binary with the lars creds"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "windows hard", "line": " Running the InvokePowerShell method with a reverse shell to get system"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap discovering the HTTP Site bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Poking at the website, using the developer console to discover s3.bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Using curl to view HTTP Headers and discovering amazon"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Oh god... I forgot to edit the URL in this gobuster! 
Actually created a feature request in GoBuster to fix this mistake from happening."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux medium", "line": " Installing AWS CLI"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Using the aws to connect to a custom endpoint, then configure credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Exploring the S3 Bucket "}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "linux medium", "line": " Using S3 to add a reverse shell to the website"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux medium", "line": " Reverse Shell returned, spending some time to start taking notes."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " End of notes, poking around on the terminal to find"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Discovering some weird ports, checking the apache configuration to see if they are related"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "linux medium", "line": " The Apache mpm_itk_module specifies the site is running as root and not www-data"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux medium", "line": " Poking at DynamoDB to get user credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " 
Doing some jq fu to get exactly the information we want and building a username/password list"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Explaining extended file attributes and using getfacl to see Roy can access bucket-app"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Exploring the bucket-app to see it pull information from DynamoDB to build PDF's"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "linux medium", "line": " Using Flameshot to explain exactly what is happening in the code"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux medium", "line": " Looking at pd4ml (library used to make PDF) to see we can attach a file"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "linux medium", "line": " Doing a port forward to forward port 8000 back to our box"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux medium", "line": " Creating the alerts table in DynamoDB"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux medium", "line": " Creating the JSON Document we want to insert into the alert table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "linux medium", "line": " Using AWS dynamodb --put-item to put the document into the table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "linux medium", "line": " Creating the PDF and pulling /etc/passwd from the server"}, {"machine": "HackTheBox - Bucket", 
"videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux medium", "line": " Because this is java if we fopen a directory, we get a listing, discovering .ssh"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Pulling the SSH Key"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 54, "seconds": 22}, "tag": "linux medium", "line": " Exploring our notes to see what else we wanted to do"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Showing off the timeline plugin in obsidian"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap, looking at SSL Certificates to get a hostname"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Examining the website"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Getting git.Laboratory.htb out of the certificate and checking that host"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Registering for a GitLab Account then poking at gitlab"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Getting the GitLab Version and finding a Vulnerability"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Creating two issues, so we can perform the LFI"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Using the LFI to extract the 
application secret then b"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "", "line": " Installing a vulnerable gitlab docker so we can build our serialized payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Starting the docker container, then executing bash inside of it"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " Changing the docker secret to the one of Laboratory"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "", "line": " Creating the serialization payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "", "line": " Reverse shell as git returned. 
Discovering we are inside of docker"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Running the automated docker script DeepCe "}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Playing with the gitlab console to turn our user into an admin"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Sorry for the abrupt cut, phone went off and edited that out poorly."}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "", "line": " Viewing projects on gitlab as admin to find an SSH Key"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "", "line": " Shell as dexter, running LinPEAS"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 5}, "tag": "", "line": " SetUID Binary docker-security found, searching for strings then running ltrace"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "", "line": " ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "", "line": " Going over notes"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 1, "seconds": 42}, "tag": "windows insane", "line": " Start of nmap and poking at the webserver"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 9, 
"seconds": 45}, "tag": "windows insane", "line": " Looking into MSRPC, showing MSF info overflow which is why I had historically ignored it"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows insane", "line": " Poking at RPC with Impacket's RPCMap"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows insane", "line": " Converting a RPC Script to get IPv6 address from Python2 to Python3"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "windows insane", "line": " Using nmap to scan the IPv6 Address"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows insane", "line": " Showing how I would enumerate a Firewall, nothing works here but something I do."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows insane", "line": " Finding SMB accepts anonymous users and contains an Active Directory Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "windows insane", "line": " Using Impacket's SecretsDump to extract the NTDS.DIT with password last set, user status, and history"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "windows insane", "line": " Using KerBrute to enumerate valid users on the box based upon the AD Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "windows insane", "line": " Using PyKerbrute to bruteforce Henry.Vinson's account"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "windows insane", "line": " Using Socat + CrackMapExec to enumerate IPv6 (if i updated 
CME, it would be able to do IPv6)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "windows insane", "line": " Using Impacket's reg.py to query Windows Registry remotely from linux"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "windows insane", "line": " Using Evil-WINRM to run WinPEAS/Seatbelt and bypass AMSI"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "windows insane", "line": " Some good information talking about LmCompatibilityLevel and NetNTLMv1"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 89, "seconds": 15}, "tag": "windows insane", "line": " Unintended method. Using Defender to make a SMB Request then decrypting the NetNTLM-v1 hash"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 90, "seconds": 50}, "tag": "windows insane", "line": " Editing responder to use a pre-set challenge (1122334455667788 used by Crack.SH)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows insane", "line": " Modifying RoguePotato to allow for IPv6"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 101, "seconds": 15}, "tag": "windows insane", "line": " RoguePotato flagged by defender... 
Some weird AV Bypass..."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 108, "seconds": 30}, "tag": "windows insane", "line": " Showing the Compiler flags will make RoguePotato undetectable by defender"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 118, "seconds": 5}, "tag": "windows insane", "line": " RoguePotato working, lets start modifying impacket to allow us to stand up an RPC Server"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 141, "seconds": 3}, "tag": "windows insane", "line": " Start debugging our impacket studd with pdb set_trace"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 150, "seconds": 0}, "tag": "windows insane", "line": " Got the NetNTLM v1 hash from Rogue Potato"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 159, "seconds": 50}, "tag": "windows insane", "line": " Cleaning up notes"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Poking at the website"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Finding a way to generate error messages"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Researching the error message"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Throwing a random exploit from the internet and getting a new error"}, {"machine": "HackTheBox - Time", "videoId": 
"JfonPpbX-oI", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Trying another exploit but this one will make a HTTP Request back to our server"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Testing RCE with this exploit with a simple ping"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " RCE Confirmed switching to a reverse shell"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 18, "seconds": 4}, "tag": "", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "", "line": " Exploring the custom System Backup Timer Service"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "", "line": " Editing the Timer Backup Shell Script to get Root"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "", "line": " Extra Content - Explaining some forensics with time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "", "line": " Writing a quick script to search our path for files with full time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "", "line": " Cleaning up our notes."}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Starting nmap, using min-rate to speed up things and explaining why I don't normally show this"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", 
"timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Doing basic recon on /, noticing authentication isn't required everywhere find robots.txt"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux easy", "line": " Taking a look at port 9001, searching for default credentials"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Once logged into Supervisord, we can examine processes see HTTP is using LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Using FFUF to fuzz the /weather/ endpoint based upon the Supervisord and robots.txt "}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux easy", "line": " Using FFUF to fuzz the city parameter of /weather/forecast for special characters"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Confirmed injection, failing to get it to work"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux easy", "line": " Going back to FFUF to fuzz for another character after the single quote. We can now inject into the LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux easy", "line": " Reverse shell returned, attempt to crack the hash on my VM and crash my VM... 
Reboot use John to crack it"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux easy", "line": " Using the webapi_user in order to access the webserver"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "linux easy", "line": " Looking into the arguments for HTTP Running on port 3001, since we can hit that directly from our reverse shell"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "linux easy", "line": " Looks like nginx supports going into home directories, looking at r.michaels to get his ssh key"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 53, "seconds": 10}, "tag": "linux easy", "line": " Looks like r.michaels has some PGP Keys associated with his account, finding a tar backup and decrypting"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "linux easy", "line": " The encrypted tar had a different password for webapi_user, decrypting it and using doas to get root"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux easy", "line": " Box done, cleaning up notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux insane", "line": " Installing Obsidian which lets us take notes in Markdown format"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux insane", "line": " Running nmap to see FTP over SSL and it has certificates"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": 
{"minutes": 5, "seconds": 20}, "tag": "linux insane", "line": " Using openssl to grab the SSL Certificate from FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "linux insane", "line": " Going over the web page extracting emails, people, and user input locations"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux insane", "line": " Installing flameshot, which helps us take better screenshots"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Testing each contact form with XSS Cross Site Scripting"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux insane", "line": " XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux insane", "line": " Putting XSS Payloads in the User Agent"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "linux insane", "line": " XSS Attempting to steal cookies with a basic payload, failing here. 
Document.location is lazy, should do document.write to write an image so the user is not redirected."}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux insane", "line": " Using ffuf to bruteforce domains via the CORS Origin header to discover FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 33, "seconds": 35}, "tag": "linux insane", "line": " XSS Using XMLHttpRequest to use the victims browser like a proxy and return web pages to us"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux insane", "line": " XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to create a user"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux insane", "line": " Using lftp to login to the ftp and upload a webshell to development-test"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux insane", "line": " Shell returned as www-data, finding a Hank's password in /etc/ansible/playbooks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 76, "seconds": 5}, "tag": "linux insane", "line": " SSH as hank and examine the send_updates.php file to find command injection "}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Finding credentials for ftpadm which lets us create a file to trigger the command injection"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 93, "seconds": 40}, "tag": "linux insane", "line": " SSH as Isaac and doing some basic enumeration, explaining why we can't see processes from other users hidepid is set on /proc"}, {"machine": "HackTheBox - Crossfit", 
"videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "linux insane", "line": " Using find to do a bunch of IR to find what is unique about hank"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "linux insane", "line": " Using find to look for files modified between two dates and dbmsg stands out"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 102, "seconds": 10}, "tag": "linux insane", "line": " The dbmsg stands out due to its timestamp having nanoseconds, it is the only file like this in /usr/bin"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 111, "seconds": 0}, "tag": "linux insane", "line": " Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 116, "seconds": 15}, "tag": "linux insane", "line": " Attempting to name variables based upon what we think they are"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 123, "seconds": 0}, "tag": "linux insane", "line": " Attempting to explain how we are going to get code execution through symlinks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 127, "seconds": 50}, "tag": "linux insane", "line": " Creating a C Program to set the seed to be the next minute + 1 second and call RAND()"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 133, "seconds": 40}, "tag": "linux insane", "line": " Incorrectly putting data into database in order to trigger the file write exploit"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 141, "seconds": 40}, "tag": "linux insane", "line": " Changing up how we put things into the database and hoping we write the key correctly"}, {"machine": 
"HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 147, "seconds": 45}, "tag": "linux insane", "line": " Explaining why we broke the ssh key up into multiple variabes. The fputsc(0x20) is the spaces"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 148, "seconds": 50}, "tag": "linux insane", "line": " Cleaning up our notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 163, "seconds": 10}, "tag": "linux insane", "line": " using cat to combine all pages into one, then exporting to PDF"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "windows hard", "line": " Gobuster using a case insensitive wordlist because windows"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "windows hard", "line": " Checking out the application on port 8080, wallstant"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "windows hard", "line": " OWA Discovering the Exchange version based upon login interface"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows hard", "line": " OWA How the \"User Enumeration\" of Exchange may work... 
It's time based "}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows hard", "line": " Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows hard", "line": " Using Wallstant to build a username list to perform password spray"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "windows hard", "line": " Using Username Anarchy to take our list of names and build a wordlist of usernames"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows hard", "line": " For some reason when using Metasploit's OWA Password Spray, OWA_2010 is broken... but settiing it to OWA_2013 works."}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows hard", "line": " Showing SprayingToolkit to bruteforce OWA without metasploit"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 39, "seconds": 10}, "tag": "windows hard", "line": " Sending an email address to all users and seeing if anyone clicks the link"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "windows hard", "line": " Using Responder to attempt to force the user's computer to give up an NTLMv2 Hash over HTTP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "windows hard", "line": " Cracking the NTLMv2 Hash of k.svensson"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "windows hard", "line": " Failing to use Evil-WinRM to access the box, switching to powershell on linux"}, 
{"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 54, "seconds": 10}, "tag": "windows hard", "line": " Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out we are in constrainedlanguage mode"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "windows hard", "line": " Breaking out of ConstrainedLanguage Mode by creating a function"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows hard", "line": " Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "windows hard", "line": " Finding a link to StickyNotes on the desktop"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 66, "seconds": 50}, "tag": "windows hard", "line": " Doing a hex dump of the stickynote log to see there is a password written"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows hard", "line": " Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "windows hard", "line": " Using an LFI Vulnerability in the function JEA can do in order to access any file"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "windows hard", "line": " Using the LFI to get root.txt"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows hard", "line": " Box is done.. 
Trying to dump the proces and flailing, never get it working but figured people may still enjoy it."}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux medium", "line": " Identifying this is likely Ubuntu Xenial"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Attempting basic SQL Map"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Failing to find a way to enumerate CuteNews version"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Looking over an exploit script from SearchSploit"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux medium", "line": " Finding there is a page that exposes a bunch of user hashes... 
wat?"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux medium", "line": " Copying a bunch of PHP Blobs, then using grep to only show us the hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Going back to looking over the exploit script"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Sent the exploit script through burpsuite and looking at each request"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Getting a reverse shell and fixing out TTY"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Searching CuteNews PHP Files for passwords"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "linux medium", "line": " Decoding the php files within the users directory to get password hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux medium", "line": " Writing a nasty bash one liner to go over all the files and output the base64, then use grep to only show what we want to get hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Using Hash Identifier to get an idea what the hash is, then using CrackStation to quickly crack"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux medium", "line": " The Cred we decrypted was for John, using SU to switch to the john user"}, {"machine": "HackTheBox - Passage", "videoId": 
"kbw4_4jUP_U", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Oddly enough the SSH Public key is John's directly wasn't generated by him... Validating that is the public key to the private key"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Using Nadav's key to SSH into the box"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 31, "seconds": 48}, "tag": "linux medium", "line": " Exploring VIMINFO to see some forensics on what this user has done"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 34, "seconds": 14}, "tag": "linux medium", "line": " Looking for USBCreator Privesc's"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Running the GDBus command to copy files and get root."}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Adding academy to our host file, then taking a look at the web page"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Discovering a weird port (33060), attempting to enumerate it manually"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Discovering admin.php from our gobuster results"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 14, "seconds": 20}, 
"tag": "linux easy", "line": " Playing with having spaces in usernames, then seeing roleid in the parameter"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Creating and logging in with an admin to see a new vhost"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux easy", "line": " Looking for Laravel Exploits, finding a metasploit module"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux easy", "line": " Getting the APP_KEY from the laravel error page, which is needed for exploitation"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Using metasploit to exploit Laravel and send the requests through burpsuite so we can analyze the exploit"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Analyzing the exploit, going to CyberChef to decrypt the payload"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux easy", "line": " Looking at .env files to get passwords, then failing at logging into the database"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux easy", "line": " Creating a list of users on the box"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux easy", "line": " Running crackmapexec with users and the password we found"}, {"machine": "HackTheBox - Academy", "videoId": 
"yQl5RA6APyQ", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux easy", "line": " We are in the ADM Group so taking a look at /var/log"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux easy", "line": " Looking at AuditD logs, then running aureport to get more details"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "linux easy", "line": " Finding mrb3n can run sudo, then doing a simple GTFOBin with composer to get root"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap digging into Version numbers of applications"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Finding Tomcat is an old version"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Checking out the web page "}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Playing with the file upload, uploading an EICAR to test virus scanning"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Finding if we put a directory or nothing for filename we get an error message"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Looking at Tomcat 
exploits to see that we may be able to perform a deserialization attack by uploading a serialized object"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux hard", "line": " Using ysoserial to generate a CommonsCollection payload"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Showing a trick to copy binary content into BurpSuite"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " Testing RCE by making the application ping us"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Failing to get a reverse shell, going through a lot of issues, attempting to encode our command to avoid bad characters"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Attempting to use a different one-liner to get a shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "linux hard", "line": " Giving up using one liners, sometimes two payloads are better than one. 
Downloading a script and then executing it."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Discovering Docker is running on this box"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 40, "seconds": 35}, "tag": "linux hard", "line": " Finding out SALT is running on this box, which did have an unauth RCE recently (Salt Stack)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux hard", "line": " Running chisel to forward SALT Ports which are listening on localhost (firewall bypass)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux hard", "line": " Downloading a different exploit as the one we had doesn't seem to be working"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell with the SALTSTACK exploit and using script to log all the output of our reverse shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Reverse shell returned and we are in a Docker Container. 
This is weird."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 57, "seconds": 55}, "tag": "linux hard", "line": " Running LinPEAS and discovering it has docker.sock exposed in it, along with .bash_history works."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "linux hard", "line": " Exploring the Docker Web API, which we can access through the exposed docker socket"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 63, "seconds": 25}, "tag": "linux hard", "line": " Doing some redirection magic to allow the Web API Request to be sent to our box which automatically does JQ to prettify it"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 65, "seconds": 50}, "tag": "linux hard", "line": " Creating a JSON File which we will use in our HTTP Request to create a new docker container"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux hard", "line": " Using CURL To make the request and send our JSON File"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 68, "seconds": 45}, "tag": "linux hard", "line": " Fixing up our terminal with the STTY command as our line wrapping is behaving oddly"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "linux hard", "line": " Having trouble running the CMD, changing it up the command"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 79, "seconds": 15}, "tag": "linux hard", "line": " Finally getting the command right and getting a reverse shell"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Jewel", "videoId": 
"OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux medium", "line": " Start of nmap, going into why it needs sudo"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux medium", "line": " Checking Phusion Passenger version"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux medium", "line": " Downloading the source code from port 8000 (GitWeb)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux medium", "line": " Using Brakeman to analyze the source code to the RAILS App"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux medium", "line": " Checking Rails release date to see it is old"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "linux medium", "line": " Researching CVE-2020-8165 and checking if our application is vulnerable"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " Performing the CVE-2020-8165 serialization exploit"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Fixing my APT from expired: signature could not be verified because public key is not available NO_PUBKEY"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Installing RAILS Then building our deserialization"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 31, "seconds": 
0}, "tag": "linux medium", "line": " LinPEAS showed some password hashes, lets check out those files to see if there was more passwords"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux medium", "line": " Cracking the passwords, then finding sudo requires a 2FA Password"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux medium", "line": " Finding .google_authenticator"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " Installing oathtool"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux medium", "line": " Using OathTool to read out google_auth file to generate the One Time Pad (OTP)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux medium", "line": " Switching to TOTP Mode, then lots of issues because of AM/PM"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 51, "seconds": 51}, "tag": "linux medium", "line": " Changing the timezone of our box to Europe/London to get away from conversions"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " Our date went up an entire day! 
Fixing the day then getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux easy", "line": " Start of Nmap"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "linux easy", "line": " Poking at the website and doing Gobuster/SQLMap In the BG"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Registering an account and enumerating the new features, looking for XSS"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux easy", "line": " Testing if the box will click links, discovering Curl reaches back to us"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Finding command injection in the URL, finding a way to execute commands with spaces"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 13, "seconds": 37}, "tag": "linux easy", "line": " Brace expansion isn't working, but IFS allows us bypass space being a bad character"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux easy", "line": " Trying to get a reverse shell but failing due to bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 18, "seconds": 47}, "tag": "linux easy", "line": " Using Curl to download a rev shell script and then execute it in order to avoid bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Transfering site.db 
to our box, so we can view the contents and attemp to crack the admins password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Finding out we are part of the ADM Group and can read logs! Log contains a password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux easy", "line": " Checking the Splunk Version and looking for exploits"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 34, "seconds": 55}, "tag": "linux easy", "line": " Didn't see anything in SearchSploit googling for an exploit then getting root"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 38, "seconds": 22}, "tag": "linux easy", "line": " Unintended: Exploring the SSTI Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Using Basic SSTI to identify what framework the website is using"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux easy", "line": " Creating an SSTI Jinja2 Reverse Shell payload and getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux easy", "line": " Exploring the CURL Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux easy", "line": " Deep dive into the SSTI Vulnerability and patching it"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": 
"HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "windows medium", "line": " Checkign out the open SVN Port"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "windows medium", "line": " Adding the discovered domains to /etc/hosts and checking out the websites"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "windows medium", "line": " Some grep magic to show only what we want, which is URLS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows medium", "line": " Using GoBuster to see if there are any more more VHOSTS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Checking out the SVN and seeing creds in a previous revision (commit)"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows medium", "line": " Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to deploy master branch to a server"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Pushing our webshell to the git master branch and getting shell on the box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows medium", "line": " Choosing the revshell out of the tennc github page"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "windows medium", "line": " Creating a powershell one liner to get a reverse shell via Nishang"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows medium", 
"line": " Discovering SVN Credentials and using CrackMapExec to find valid passwords"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows medium", "line": " CrackMapExec was giving me issues, installing it from source with Poetry"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Using CrackMapExec to test a list of credentials without bruteforcing all passwords to all users"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "windows medium", "line": " Using WinRM to get a shell as Robisl"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "windows medium", "line": " Logging into Azure Devops as Robisl and discovering we can edit the build pipeline"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "windows medium", "line": " Copying our reverse shell to the box, so we can easily execute it from the build pipeline and getting admin"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", "line": " UNINTENDED: Doing the box via RoguePotato"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "windows medium", "line": " Poorly explaining why we need to use chisel"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " Running Chisel to setup a reverse port forward between the target and our box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 15}, "tag": "windows medium", "line": " Setting up SoCAT to go through our tunnel"}, {"machine": 
"HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows medium", "line": " Executing RoguePotato to get an admin shell"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows medium", "line": " Explaining the tunneling again in MSPaint. Hope this helps."}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows medium", "line": " Doing RoguePotato without socat, just a single Chisel tunnel"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Start of nmap, discover web and ssh. Discover litecart, fail to find a way to identify version"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster to find the backup directory"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Examining the tar archive"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Talking about the unix time being 32-bit timestamps but tar did not keep entire timestamp"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux hard", "line": " Using find with printf to sort files by modified time"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux hard", "line": " Discovering the admin/login.php file was modified to drop the credentials to disk"}, 
{"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Logging into LiteCart as admin"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux hard", "line": " Finding exploits on searchsploit, then manually running through the exploit because its Python2 with some annoying libraries"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux hard", "line": " Uploading our PHP Shell but it doesn't work, checking for PHP Disabled functions by using a simple php file. Then doing phpinfo() to see other functions"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux hard", "line": " Running through Chankro even thoe it wouldn't work."}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux hard", "line": " Uploading large binary files in BURPSUITE by pasting base64 and decoding it within burpsuite"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 25, "seconds": 33}, "tag": "linux hard", "line": " Chankro wont work due to putenv being disabled. Looks like there's a PHP 7.0 - 7.4 bypass. Trying this!"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Attempting a reverse shell but it doesn't work. 
Viewing iptables configuration"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux hard", "line": " Using my Forward Shell script to get a TTY on the box"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux hard", "line": " Again, talking about 32-bit timestamps to find files that were put into /lib/ not by a Apt"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux hard", "line": " Discovering the PAM Backdoor (pam_unix.so), then reversing it to get a skeleton password"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux hard", "line": " BOX COMPLETED. Doing USER/ROOT a different way"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Generating a Weevely Reverse shell which will let us do more things in PHP"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Discovering MySQL has a bash shell"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux hard", "line": " Discovering the MySQL has a UDF (User Defined Function) that allows for code execution"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux hard", "line": " Dropping an SSH Key, then seeing a strace-log.dat file which acts as a keylogger on linux. 
Also the 32 bit timestamp sticks out"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 60, "seconds": 15}, "tag": "linux hard", "line": " Discovering a LD_PRELOAD Rootkit (libdate.so),reversing it to see a hidden privesc"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Checking out the webpages, find Gitlab and Page about a custom chrome"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux insane", "line": " Viewing the Git log for the custom v8 javascript project and finding the vulnerability"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux insane", "line": " Finding an XSS in Contact Us"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux insane", "line": " Using the banners to find what version of Ubuntu the target is using"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux insane", "line": " Building v8 in Ubuntu 18.04"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux insane", "line": " Warning about needing 4 gigs of memory."}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux insane", "line": " Everything is compiled! 
Start of the exploit, looking at some webpages that help out"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Starting v8 in gdb, then examining some memory structures"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux insane", "line": " Explaining Smi, Immediate Small Integer"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Starting our helper script with number conversions (float/bigint/hex)"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux insane", "line": " Doing DebugPrints on our float arrays to examine memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux insane", "line": " Digging into the memory to see where Map/Property/Elements/Length are in the memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux insane", "line": " Showing Objects in memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 58, "seconds": 15}, "tag": "linux insane", "line": " Precursor material to AddrOf and FakeObject, why type confusion leads to memory shenanigans "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux insane", "line": " Finding GetLastElement() behaves different on object arrays"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux insane", "line": " Doing Faiths AddrOf and troubleshooting why it doesn't work in ours "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 82, "seconds": 27}, "tag": 
"linux insane", "line": " Recoding the AddrOf, to start out with an array not object"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 86, "seconds": 45}, "tag": "linux insane", "line": " Explaining the FakeObj Primative"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux insane", "line": " Doing the Read Memory portion"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "linux insane", "line": " Coding the Write Memory function"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 100, "seconds": 40}, "tag": "linux insane", "line": " Using Web Assembly to create RWX"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux insane", "line": " Doing some memory analysis to find where our RWX location is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 106, "seconds": 30}, "tag": "linux insane", "line": " Doing some memory analysis to find where the Backing Store address is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 110, "seconds": 10}, "tag": "linux insane", "line": " Using MSFVenom to create some shellcode to touch a file"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 114, "seconds": 20}, "tag": "linux insane", "line": " Replacing the shellcode with a reverse shell!"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 116, "seconds": 30}, "tag": "linux insane", "line": " Testing on the custom chrome browser"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 118, "seconds": 30}, "tag": "linux insane", "line": " Running our exploit against the target!"}, {"machine": "HackTheBox - Omni", "videoId": 
"MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Begin of nmap"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Finding out this is Windows IOT"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Showing the BlackHat paper on Hacking Windows IOT "}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Trying SirepRAT out against this box"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Finally getting code execution witht he SirepRAT tool, trying to run powershell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Finally getting Powershell working, trying to get a Reverse Shell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "linux easy", "line": " Getting a Reverse shell by downloading NC64.EXE and running it"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Extracting the SAM/SYSTEM Registry hive so we can run SECRETSDUMP to pull user hashes"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Had trouble with Impacket's SMB Server, editing smbd.conf"}, {"machine": 
"HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux easy", "line": " Getting a shell as APP using the website, so we can decrypt the user.txt and iot-admin.txt secure strings"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 40, "seconds": 40}, "tag": "linux easy", "line": " Getting a shell as ADMINISTRATOR using the website so we can decrypt root.txt"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "linux insane", "line": " Running nmap"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux insane", "line": " Discovering port 9100, and poking at it with nmap/pret"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux insane", "line": " Got access to the printer via PRET, dumping print jobs"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux insane", "line": " Running ENT to see the entropy is 7.99 which means it is probably encrypted... Then doing the same thing in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " Discovering the encryption algorithm via inspecting variables on the printer. 
Then dumping the memory of the printer to get the AES Key and trying to decrypt in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux insane", "line": " Cutting up the Print Job with DD to extract the IV/Encrypted payload out of the print job."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 18, "seconds": 58}, "tag": "linux insane", "line": " CyberChef decrypted our AES! Reading the PDF"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 23, "seconds": 46}, "tag": "linux insane", "line": " Creating the Protobuf object and converting to python"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "linux insane", "line": " Interacting with Port 9000 with our protobuf payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux insane", "line": " Attempting to Pickle a deserialization payload, to see its disabled"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux insane", "line": " Taking the example JSON Data and sending it to port 9000 and finding a SSRF Vulnerability!"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux insane", "line": " Using SSRF to scan ports on localhost and discovering SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux insane", "line": " Forcing the SSRF to send an HTTPS Post Request via GOPHER"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux insane", "line": " Sending the SOLR Post Payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 
67, "seconds": 30}, "tag": "linux insane", "line": " Creating the second payload for SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 79, "seconds": 50}, "tag": "linux insane", "line": " Verifying our payloads doing some JSON Validation"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux insane", "line": " Finally fixed our payload! Darn URL Encoding issues."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, doing some basic enumeration and seeing SSHPass"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 103, "seconds": 10}, "tag": "linux insane", "line": " Using PSPY to monitor processes and catching SSHPASS before it can rewrite its commandline"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux insane", "line": " Gaining root on the Docker Container, disabling SSH, and bending the port back at the host and gaining code execution"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 31}, "tag": "linux medium", "line": " Begin of nmap"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Nmap shows it is BSD, going over some command differences"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Running GoBuster to find other PHP Scripts"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 4, "seconds": 30}, "tag": 
"linux medium", "line": " Looking at the includes directory and finding source code"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 10, "seconds": 14}, "tag": "linux medium", "line": " Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux medium", "line": " Using VirusTotal to find out if this an old binary"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux medium", "line": " Using Cutter to decompile this binary, to see it does a better job than Ghidra!"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Finding some BSD Exploits related to authentication"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Putting SCHALLENGE as the username, causes a different error message. 
Then doing some code analysis around $_REQUEST"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux medium", "line": " Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " Showing how OpenBSD has some different command line switches"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux medium", "line": " Going back to the earlier CVE, since it showed a privesc aswell and explaining CVE-2019-19520"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "linux medium", "line": " EXTRA: Looking at the PHP Code to explain the $_REQUEST exploit again"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 2, "seconds": 27}, "tag": "linux hard", "line": " Setting Squid up to do a portscan while we work on something else"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Poking at RSYNC and seeing we can download encrypted config backups"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": 
{"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Finding the EncFS Config file, and then using John to Crack it"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Decrypting the config directory and finding a squid password and some hostnames"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Examining the new website exposed to us, configuring BurpSuite to use the squid proxy"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Showing the Intranet-Host header is changing, then accessing Squid Cache Manager to find some more ip addresses"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Using curl to view Squid Cache Information"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux hard", "line": " Finding a new IP Address for a decomissioned server. Looks like this one has a vulnerability"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux hard", "line": " Poking at the login form on the intranet-host1, looks like its vulnerable to SQL Injection"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux hard", "line": " Trying SQL Injection in the Password Field since the User was behaving weirdly.. 
Password behaving slightly differently"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux hard", "line": " Examining what XPATH Injection is"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Confirming it is XPATH Injection by using standard XPATH Payloads"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux hard", "line": " Using a XPATH Payload to extract the password length for a user"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Using XPATH Injection to bruteforce the password one character at a time"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Using Python to Automate the XPATH Injection to dump passwords"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "linux hard", "line": " Script near done, grabbing the password for all users"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 66, "seconds": 40}, "tag": "linux hard", "line": " Using Hydra to find one of the users had SSH Access"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "linux hard", "line": " Reading the TODO and finding pi-hole by checking arp with ip neigh"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 70, "seconds": 10}, "tag": "linux hard", "line": " Creating an SSH Port Forward to access Pi-Hole"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 73, "seconds": 55}, "tag": "linux hard", "line": " 
Finding Pi-Hole Exploits"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "linux hard", "line": " Using FFUF to bruteforce the Pi Hole login form"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 77, "seconds": 50}, "tag": "linux hard", "line": " Failing to use public exploits for this"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 79, "seconds": 45}, "tag": "linux hard", "line": " Finding a blog post to examine how this exploit works"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 81, "seconds": 45}, "tag": "linux hard", "line": " Using CyberChef to edit the payload for our Pi Hole exploit"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 83, "seconds": 55}, "tag": "linux hard", "line": " Manually sending the exploit and getting a shell"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Finding the root password in a config file, then using SU to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Poking a the websites"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Starting gobusters in the background while we look at the site"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 7, 
"seconds": 0}, "tag": "linux medium", "line": " Grabbing a list of emails off of the website"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux medium", "line": " Using SWAKS to mass email users with a link"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux medium", "line": " User went to our website, grabbed credentials"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Failing to do FTP User Enumeration, do this at the end of the video"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Failing with Thunderbird to login"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Switching to the Evolution Mail client to check mailboxes, finding FTP Details in Sent Mail"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux medium", "line": " Using wget to mirror the FTP Directory, then poking at PHP Files"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Showing pypi/Register.php, which *should* have been used during the phishing stage"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux medium", "line": " Checking if we can upload files to the FTP Directory and finding the dev VHOST "}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Shell Returned"}, {"machine": "HackTheBox - SneakyMailer", 
"videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Discovering a HTPASSWD file, then cracking it with hashcat"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux medium", "line": " Checking out pypi.sneakycorp.htb:8080 and finding a pypi server"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux medium", "line": " Creating a Malicious PyPi Package"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux medium", "line": " Adding a reverse shell to our pypi package"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 44, "seconds": 45}, "tag": "linux medium", "line": " Creating a pypi configuration file"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Uploading the package and getting a shell as low"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux medium", "line": " Checking sudoers, and finding low can run pip3 - Use GTFO Bin to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux medium", "line": " EXTRA: Enumerating the FTP Users by creating a quick webapp then using FFUF against it."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Introduction"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows easy", "line": " Begin of nmap and poking at the website"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 
3, "seconds": 0}, "tag": "windows easy", "line": " Checking when an image was uploaded to the server with wget and exiftool"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows easy", "line": " Contact.php discloses the software Gym Management Software is being used. Examining the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "windows easy", "line": " Editing the Python Exploit to force everything through a proxy, so we can examine what the exploit does."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Running the exploit and examining in Burp"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows easy", "line": " Having trouble getting a reverse shell via PS, Uploading NC.EXE to do it"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "windows easy", "line": " Running WinPEAS.exe "}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows easy", "line": " Discovering CloudMe in the Downloads directory then looking at the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "windows easy", "line": " CloudMe isn't listening on a port... Reverting and getting a shell again"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows easy", "line": " Reverse shell returned... 
Still waiting for CloudMe to listen on a port"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "windows easy", "line": " Uploading Chisel to the box, then doing a port forward for MySQL to enumerate the database"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Finding MySQL Credentials in db.php, then checking the database from our box thanks to Chisel"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows easy", "line": " Replacing the payload in the CloudMe exploit with a reverse shell"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows easy", "line": " Running the exploit and getting root"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Begin of nmap"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Examining the Message, pointing out the endpoint does not need authentication"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Using FFUF to fuzz the API End Point and show importence of Content-Type"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Starting SQLMAP then manually fuzzing this application"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " SQLite Boolean Injection, with CASE 
IF/THEN/ERROR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " SQLite Boolean Injection, Enumerating Usernames"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " SQLite Boolean Injection, Start of Dumping Password"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux hard", "line": " SQLite Boolean Injeciton, Optimization chat about UNICODE and SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux hard", "line": " Start of coding out python script to dump the hash"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 41, "seconds": 20}, "tag": "linux hard", "line": " This hash looks weird... Tons of troubleshooting"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 45, "seconds": 12}, "tag": "linux hard", "line": " Explaining the issue, we are hitting the 140 character limit... 
Switching script up to do SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 51, "seconds": 55}, "tag": "linux hard", "line": " Script completed to dump hashes."}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 53, "seconds": 15}, "tag": "linux hard", "line": " Static source code analysis, find its vulnerable to Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux hard", "line": " Using HashPumpy to perform the Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " We base64'd the signing portion wrong"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "linux hard", "line": " Now we have access to /admin, can use its API to read files and directories, showing Sched_debug and /proc/net/tcp,udp,environ to get important information"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 83, "seconds": 30}, "tag": "linux hard", "line": " Finding a RW SNMP Community string and then using snmp-shell to get code execution "}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 89, "seconds": 0}, "tag": "linux hard", "line": " Generating a SSH Key then copying it slowly to the box"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux hard", "line": " Doing a Local Port Forward with the Debian-SNMP User"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "linux hard", "line": " Binary Exploitation with Note_Server: Going over Source and recompiling with ggdb flag"}, {"machine": "HackTheBox - Intense", "videoId": 
"nBg6zUalb7c", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "linux hard", "line": " Binary Exploitation: Setting up PwnTools so we can interact with the binary"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 106, "seconds": 40}, "tag": "linux hard", "line": " Binary Exploitation: Defeating ASLR by leaking an address"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 116, "seconds": 20}, "tag": "linux hard", "line": " Binary Exploitation: Leaking LibC and Getting Code Execution"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 125, "seconds": 30}, "tag": "linux hard", "line": " Binary Exploitation: Creating offset's for our remote server to get it working"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Academy URL: https://academy.hackthebox.eu"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "", "line": " Accessing Academy"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " Talking about Paths"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "", "line": " Talking about what a Cube is"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Showing all the modules and tiers"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Starting the Intro to Academy Course"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", 
"timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Showcasing interactive modules by starting a pwnbox instance"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Spawning a lab to interact with"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Start of Nmap"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "linux easy", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux easy", "line": " Discovering Megahosting.HTB and adding it to /etc/hosts"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 4, "seconds": 4}, "tag": "linux easy", "line": " Playing with news.php and explaining the logic of LFI"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Discovering it is a file_get_contents(), which means we can skip all our \"RCE Tests\" as it won't execute PHP Code"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " Using Curl to 
upload the JSP webshell."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux easy", "line": " Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 25, "seconds": 38}, "tag": "linux easy", "line": " Reverse shells having trouble running due to bad characters."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "linux easy", "line": " Downloading the shell to disk, then executing it in order to avoid special characters"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 31, "seconds": 15}, "tag": "linux easy", "line": " Reverse shell returned and TTY fixed. Discovering an encrypted zip file that we crack with John"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Exploring the Zip file to find there's nothing really interesting"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Running linpeas"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux easy", "line": " Discovering user is a member of LXD Group"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 44, "seconds": 42}, "tag": "linux easy", "line": " Building an alpine container, then uploading it to the target machine"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": 
{"minutes": 47, "seconds": 45}, "tag": "linux easy", "line": " Uploading the alpine container and using lxc to privesc"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Begin of nmap, see a Active Directory server with HTTP"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Gathering usernames from the website"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "windows medium", "line": " Using KerBrute to enumerate which users are valid "}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Using Cewl to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using Hashcat to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows medium", "line": " Trying to use RPCClient to change the password. 
Cannot"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows medium", "line": " Using SMBPasswd to change the password"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows medium", "line": " Logging in via RPCClient and enumerating Active Directorry with EnumDomUsers and EnumPrinters"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows medium", "line": " Password for SVC-PRINT found via Printer description (EnumPrinters) in Active Directory, Logging in with WinRM"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "windows medium", "line": " Discovering SeLoadDriverPrivilege"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Switching to Windows Downloading everything needed for loading the Capcom Driver and Exploiting it"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows medium", "line": " Compiling the EoPLoadDriver from TarlogicSecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "windows medium", "line": " Compiling ExploitCapcom from FuzzySecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "windows medium", "line": " Copying everything to our Parrot VM then to Fuse"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "windows medium", "line": " Loading the Capcom Driver then failing to get code execution"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", 
"line": " Creating a DotNet Reverse shell incase the Capcom Exploit didn't like PowerShell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "windows medium", "line": " Exploring the ExploitCapcom source and editing it to execute our reverse shell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 50, "seconds": 11}, "tag": "windows medium", "line": " Copying our new ExploitCapcom file and getting a shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " Start of the box, running nmap with all ports."}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux insane", "line": " Using a Google Image Search to map icons with applications"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux insane", "line": " Manually fuzzing test.dyplesher.htb to check if there's any easy vulns"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux insane", "line": " Running NMAP Scripts against the results of our full port scan with awk and ORS"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux insane", "line": " Discovering a .git repo exposed on the website, using git-dumper to download it"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux insane", "line": " Memcache credentials discovered, download and test auth"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": 
{"minutes": 16, "seconds": 0}, "tag": "linux insane", "line": " Creating a simple web application that will let us fuzz the remote memcat service"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Logging into GOGS as Felamos to download another repo, using git to restore a git bundle file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux insane", "line": " Logging into dyplesher.htb with creds in the Git Repo"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Setting up our environment (IntelliJ)"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Skeleton Code"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Uploading the plugin and checking console"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Adding the ability to READ FILES and print Current Username"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Had trouble getting it to run, had to revert"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Add the ability to write files and drop SSH Key + Web Shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: SSH Key and 
WebShell dropped! Logging into the server"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "linux insane", "line": " Discovering DumpCap can be ran by our user, dumping localhost then running wireshark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 73, "seconds": 25}, "tag": "linux insane", "line": " Discovering credentials in AMQP Traffic, these work on SSH"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux insane", "line": " Downloading AMQP-PUBLISH to send a URL to the queue as the note says"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 80, "seconds": 15}, "tag": "linux insane", "line": " Running PSPY while we dig through the wireshark some more, find the password in WireShark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "linux insane", "line": " Using AMQP-PUBLISH with the correct credential and get the server to download a file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Searching Cuberite plugins, to see its just lua. Writing a quick plugin and getting code execution"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux insane", "line": " Getting a root shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "linux insane", "line": " Failing to do some ERLANG stuff. 
May be useful if you want to try it yourself but i didn't get it working"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux insane", "line": " Exploring iptable/ufw rules and common mistakes"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux easy", "line": " Start of NMAP"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Discovering install.php, which says bludit is being installed."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Looking for exploits searchsploit, everything requires Auth"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 7, "seconds": 35}, "tag": "linux easy", "line": " Attempting a login and noticing the CSRF Tokens"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux easy", "line": " Looking for exploits online that haven't made it to SearchSploit yet"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Placing the X-FORWARDED-FOR header to bypass brute force protection"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Creating a Python Brute Forcer"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Scripting: Grabbing the CSRF Value with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": 
"G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Grabbing the PHP Session Cookie with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Sending a login request with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Telling request to not follow and detect a valid login"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux easy", "line": " Using Cewl to build a wordlist, then changing our python script to pull passwords from our wordlist"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Scripting: Setting a random IP in X-Forwarded-For header"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " Scripting: Scripting fixing a bug then getting a password via brute force!"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux easy", "line": " Start of playing around with the Bludit Image Upload Vulnerability."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux easy", "line": " Having trouble, running the exploit with metasploit through a proxy to understand what is going on"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "linux easy", "line": " Uploading a PHP Reverse shell then HTAccess file to get code execution"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux 
easy", "line": " Reverse shell returned, finding passwords in the bludit database, then cracking them."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 68, "seconds": 20}, "tag": "linux easy", "line": " Cracked a password for hugo, switching to his user"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 69, "seconds": 30}, "tag": "linux easy", "line": " Doing the SUDO underflow exploit"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Running NMAP and checking out the page"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Author page contains a hint to do some type Domain Brute Forcing"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux medium", "line": " The Login form won't go to burpsuite, lets check out javascript"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 8, "seconds": 5}, "tag": "linux medium", "line": " Doing VirtualHost (VHOST) Bruteforcing with GoBuster to discover hms.htb"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux medium", "line": " Discovering OpenEMR, running searchsploit, attempting to find the version of it"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 15, "seconds": 25}, "tag": "linux medium", "line": " Searchsploit doesn't have any exploits, checking one on google to find a SQL Injection"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": 
" Discovering error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux medium", "line": " Manually extracting data from error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "linux medium", "line": " Using BurpSuite Intruder to aid us in running a bunch of SQL Injections, incrementing a number to get all the fields"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 33, "seconds": 8}, "tag": "linux medium", "line": " XPATH Injection only extracts 32 characters, we need to use SUBSTRING to extract fields longer than 32"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux medium", "line": " Logging into OpenEMR then using file upload functionality to upload a webshell"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 46, "seconds": 15}, "tag": "linux medium", "line": " Enumerating Memcache to discover credentials for luffy"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "linux medium", "line": " Luffy is a member of Docker, using GTFO Bins to use docker to privesc"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " EXTRA: Going back to memcache, lets forward the memcache port to our box via chisel, so we can easily run tools against it."}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 61, "seconds": 25}, "tag": "linux medium", "line": " Using Metasploit to dump memcache"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux medium", "line": " Using Memcache utilities to manually 
enumerate memcache"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows hard", "line": " Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "windows hard", "line": " Mounting the profiles$ directory so we can build a username list"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows hard", "line": " Using Kerbrute to enumerate valid usernames"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows hard", "line": " Running GetNPUsers to perform an ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows hard", "line": " Checking what we can do with the Support User from the ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "windows hard", "line": " Running the python Bloodhound ingestor from Linux"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "windows hard", "line": " Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows hard", "line": " Setting an Windows users (Audit2020) password 
from linux using RPCClient"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows hard", "line": " Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows hard", "line": " Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "windows hard", "line": " Failing to get WBADMIN to send a backup file to impacket"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows hard", "line": " Creating a NTFS Block Device/Partition but does not fix our impacket issues"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows hard", "line": " Editing samba to create a windows fileshare from linux. 
Purposefully don't point it to our NTFS Disk so you can see the errors."}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 54, "seconds": 54}, "tag": "windows hard", "line": " Pointing samba to our NTFS Directory, to show it works much better"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "windows hard", "line": " Running wbadmin to create a backup to our fileshare and include ntds.dit"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Running wbadmin to restore a ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " Using secretsdump to extract credentials out of the Active Directory database (ntds.dit) and show the history flag"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "windows hard", "line": " Showing you can't grab the flag as SYSTEM user due to EFS (Encrypted File System). 
Using WMIExec to get a shell as the actual user"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows hard", "line": " Using Mimikatz to restore the password of Audit2020, so it's like we were never there."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux easy", "line": " Doing nmap quickly by not running scripts to get open ports, then using that output to run scripts."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Checking out the webserver, discovering robots.txt"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux easy", "line": " Running gobuster on the admin-dir with the extensions txt and php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux easy", "line": " Finding credentials.txt within that admin-dir"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Logging into FTP to discover the web directory source"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Running gobuster again on utility-scripts to discover adminer.php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "linux easy", "line": " Going to adminer and trying to login"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux easy", "line": " Bypassing adminer authentication by creating a MySQL Database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 31, "seconds": 45}, 
"tag": "linux easy", "line": " Failing to drop a file in adminer"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Using LOAD DATA LOCAL to insert a file into our database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 38, "seconds": 5}, "tag": "linux easy", "line": " Uploading the servers index.php to our database and discovering the password"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " SSH into the server with the password found before"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux easy", "line": " Sudo allows us to set environment variables, using PYTHONPATH to hijack a python library... Failing to get a rev shell"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux easy", "line": " Switching to nc for a revshell and getting a root shell!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows insane", "line": " Checking out the web page, finding an API that allows us to search employees"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows insane", "line": " Extracting usernames from the database using the above API"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", 
"timestamp": {"minutes": 11, "seconds": 45}, "tag": "windows insane", "line": " Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on BruteFoce and special characters"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows insane", "line": " Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: Its content-type!)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows insane", "line": " Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows insane", "line": " While SQLMap runs, lets manually exploit this"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "windows insane", "line": " Found a union injection! Start of creating a Python Script, tons of issues around getting Request to send unicode"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows insane", "line": " Basic script is done, we can now send unicode data via python - Then convert to use the Cmd Module"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "windows insane", "line": " CmdLoop done, we can now send raw queries to the database. 
Lets make an option to do union injection"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "windows insane", "line": " Script now makes it easy to run UNION Commands and get the output, running through some basic MSSQL Injection to get data from the server"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "windows insane", "line": " Extracting database information (Table Names)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows insane", "line": " Extracting Usernames and hashes from the Logins table, then cracking the passwords"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 61, "seconds": 15}, "tag": "windows insane", "line": " Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Administrator. Then adding BruteForcing to our script"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 78, "seconds": 25}, "tag": "windows insane", "line": " Bruteforcing RID's to discover more usernames"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 83, "seconds": 8}, "tag": "windows insane", "line": " Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and BloodHound to enumerate Active Directory"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "windows insane", "line": " Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 105, "seconds": 45}, "tag": "windows insane", "line": " Discovering a VS Code is running, and some random ports keep opening up. Debug ports? 
Downloading CEFDebug then running"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 113, "seconds": 34}, "tag": "windows insane", "line": " Testing CEF exploit with ping, then create a powershell cradle. Edit Nishang to bypass AMSI"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "windows insane", "line": " Shell returned as CYORK"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 121, "seconds": 0}, "tag": "windows insane", "line": " Discover a DLL in the web directory, run strings against it and discover a new password"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 123, "seconds": 30}, "tag": "windows insane", "line": " Updating bloodhound to see if we gained any new paths with the new compromised user (SBAUER) and we have GenericWrite to user"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 126, "seconds": 30}, "tag": "windows insane", "line": " Using SBAUER to enable DoesNotRequirePreAuth, so we can obtain a password hash (asrep 23) and crack it"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 132, "seconds": 30}, "tag": "windows insane", "line": " Shell as Jorden and we can edit services! Use SC to replace the binpath with a reverse shell and get root!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 138, "seconds": 25}, "tag": "windows insane", "line": " ALTERNATE METHOD: Using ZeroLogon/ZeroLogin CVE-2020-1472... 
Failing to use impacket correctly "}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 143, "seconds": 15}, "tag": "windows insane", "line": " Reverting my box, doing impacket the correct way (Installing in an Virtual Environment)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 146, "seconds": 30}, "tag": "windows insane", "line": " Running the Zero Logon exploit to discover it worked! Running SecretsDump performs a DCSync and we can login as administrator... Rest of video is reverting what the exploit did to not leave a vulnerability!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 150, "seconds": 50}, "tag": "windows insane", "line": " SecretsDump with the -history flag shows the previous passwords... Now how to set a machine account, and how to \"pass the hash\" when setting a password."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 157, "seconds": 10}, "tag": "windows insane", "line": " Running mimikatz to see Defender deleted it, using MpCmdRunto delete all defender definitions."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 158, "seconds": 45}, "tag": "windows insane", "line": " Defender bypassed mimikatz runs!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 160, "seconds": 15}, "tag": "windows insane", "line": " Running mimikatz with lsadump::setntlm to restore the password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux hard", "line": " Start of recon, discovering a bunch of hostnames in a cert"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": 
{"minutes": 4, "seconds": 24}, "tag": "linux hard", "line": " Running wpscan against blog.travel.htb"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux hard", "line": " Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Using git-dumper to download the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "linux hard", "line": " Examining the git project to discover what it is and where its installed on the webserver"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Discovering a debug file"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Hunting for where web app accepts user input"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux hard", "line": " Getting the server to make a request back to us"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Examining what debug.php is telling us (memcache)"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Hunting around wordpress/simplepie to see how it is using memcache"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Begin of trying to poison the memcache object, talking about bypass the ip filter via hex encoding the ip"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": 
{"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Bypassing the file:// filter by using gopher to smuggle in a request to memcache. Using gopherus"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Explaining what gopherus is doing"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 41, "seconds": 48}, "tag": "linux hard", "line": " Creating a php serialized object to drop a file to the webserver"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 44, "seconds": 24}, "tag": "linux hard", "line": " Having gopherus generate a malicious payload then dropping a web shell to the server"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 50, "seconds": 50}, "tag": "linux hard", "line": " Examining the MySQL database"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "linux hard", "line": " Discovering the wordpress backup file with additional users"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "linux hard", "line": " Logging in with lynik-admin and cracked password from WP backup. 
Finding ldaprc and viminfo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "linux hard", "line": " Downloading Apache Directory Studio so we have a gui to LDAP"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux hard", "line": " Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the service"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux hard", "line": " Using Apache Directory Studio to modify a users password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux hard", "line": " Using Apache Directory Studio to add an SSH Key"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux hard", "line": " Using Apache Directory Studio to modify the user group to sudo, then we can sudo su to root"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Begin of nmap, enumerate ftp, and smb"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 5, "seconds": 32}, "tag": "windows easy", "line": " Taking a look at the website to discover umbraco"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows easy", "line": " Examining NFS with showmount"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows easy", "line": " Discovering umbraco.sdf on NFS is a database and contains the admin password"}, {"machine": "HackTheBox - 
Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "windows easy", "line": " Logging into umbraco and discovering the unauthenticated RCE"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 23, "seconds": 35}, "tag": "windows easy", "line": " Editing the umbraco exploit to ping our box"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows easy", "line": " Getting a reverse shell using Invoke-WebRequest instead of (New-Object Net.WebClient)"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "windows easy", "line": " Running WinPEAS to discover UsoSvc service is editable"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows easy", "line": " Editing the UsoSvc binpath to execute our reverse shell"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "windows easy", "line": " Alternate Path: Using Rogue Potato to get a shell"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 48}, "tag": "linux hard", "line": " Begin of Nmap, examining the page and running gobuster"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Identifying some extra care"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux hard", "line": " Adding portal.quick.htb to the host file so we can resolve hostname"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 6, "seconds": 0}, "tag": 
"linux hard", "line": " Trying to identify if the web application will tell us if an account is valid"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Building an email list based upon clients and then running wfuzz to try and identify valid emails"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Installing Quiche so we can navigate to the http3 site"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Having Quiche download files, discoving an initial password then revisiting the bruteforce to gain access to a ticket system"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Using wfuzz to search the helpdesk for all tickets "}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux hard", "line": " Finding ESIGATE is vulnerable to xml entity injection"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux hard", "line": " Testing the XXE Attack to see if it connects to our webserver"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux hard", "line": " The server keeps putting the full URL in its GET Request, which messes with pythons webserver. 
Switching to PHP's built in will fix this."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux hard", "line": " Failing to get a reverse shell to execute via XSLT, switching to download a file and execute it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "linux hard", "line": " Reverse Shell Returned as SAM"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " Finding printerv2.quick.htb and a little apache confusion its only listening on port 80. Esigate listens on 9001 then redirects to 80"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "linux hard", "line": " Dumping password hashes from MySQL to discover the server does some mangling of the password before md5sum, so we cant use hashcat"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 67, "seconds": 45}, "tag": "linux hard", "line": " Creating a cracking script in PHP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 73, "seconds": 15}, "tag": "linux hard", "line": " Logging into the application and seeing we can print jobs, then looking at source code to see how its doing it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 76, "seconds": 40}, "tag": "linux hard", "line": " Creating a script to abuse the race condition of printing a document. 
To replace documents with a symlink to sensitive files prior to printing."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 85, "seconds": 20}, "tag": "linux hard", "line": " Printing out the SRVADM SSH Key"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "linux hard", "line": " Finding a password in the cups configuration file, which is the root password"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Nmap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Starting GoBuster on the root and images"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Creating a basic PHP Shell, then attempting to upload it"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Grabbing the magic bytes off a JPG, then prepending it to our shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " File uploaded, hunting for an LFI and doing more SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " Turns out we don't need the PHP Extension (.htaccess allows anything)"}, {"machine": "HackTheBox - Magic", 
"videoId": "bLIcew9Iot8", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Grabbing the username and password out of Website Configuration"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux medium", "line": " Using VirusTotal to identify when a file was created"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux medium", "line": " Examining the .htaccess to see why we could execute code (should have a $ at the end)"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " Using MsqlDump to dump the database and get a password out of it, su to the theseus user"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux medium", "line": " Found a SetUID Binary (sysinfo) then using strace to see what it does"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Using the -f argument with strace to follow forks and see the exec() calls"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " Using Path Injection since absolute paths were not used in exec() and getting a root shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux medium", "line": " Showing SQLMap did complete with the increased level/risk"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": 
"HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Checking the web page, then running a SecList wordlist for CommonBackdoors"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux easy", "line": " GoBuster returned smevk.php"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux easy", "line": " Attempting to guess the password, get in with admin:admin"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 5, "seconds": 55}, "tag": "linux easy", "line": " Running script prior to my reverse shell to log the output... I forget to check this again but it did work!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Reading note.txt which hints at finding a LUA File, using find to hunt for files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "linux easy", "line": " The reverse shell is misbehaving, lets fix it by setting the the rows/columns"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux easy", "line": " Running LinPEAS, discover sudo with luvit; then looking up how to write files with a lua script"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "linux easy", "line": " SSH'ing in with SysAdmin after our key was written"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " Using find some more to hunt for interesting files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 23, "seconds": 
11}, "tag": "linux easy", "line": " Using find to search between dates of interest shows an interesting backup directory"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux easy", "line": " Running pSpy to search for running processes"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Puzzled... Probably should have ran find commands to look for files edited within the last day!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux easy", "line": " Changing up our tactic and using find commands to search for writable files "}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux easy", "line": " Editing MOTD with a reverse shell then SSH'ing in"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux easy", "line": " Extra: Running linPeas to see if it would have seen this privesc."}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux easy", "line": " Looking at the script.log output"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux insane", "line": " Using wget to recursively download files off an annonymous FTP Server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux insane", "line": " Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", 
"timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux insane", "line": " Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux insane", "line": " BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux insane", "line": " Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux insane", "line": " Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello World Java Application"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux insane", "line": " Importing a Java JAR File into our Java Project then calling Login"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux insane", "line": " Replicating the functionality to identify what Role we are, then other functions"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "linux insane", "line": " Calling the Invoker Class to execute methods on the server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Attempting to call methods that the GUI prohibited us from"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux insane", "line": " Using ShowFiles to see we can list files in our parent directory, then using Open to download files"}, {"machine": "HackTheBox - 
Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux insane", "line": " Failing to download the fatty-server.jar file due to encoding issues"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "linux insane", "line": " Unsealing the JAR File so we can edit the Invoker Class Object to fix our encoding issue by creating a binaryOpen function"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "linux insane", "line": " Utilizing our new binaryOpen function to write to a file"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 74, "seconds": 45}, "tag": "linux insane", "line": " Debugging a null pointer error, our binaryOpen function returned nothing!"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "linux insane", "line": " Decompiling the downloaded fatty server and analyzing it to discover a SQL Injection and Deserialization vector"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 88, "seconds": 50}, "tag": "linux insane", "line": " Playing with SQL Injections in the username to get an admin session"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "linux insane", "line": " Modifying the ChangePW Function to allow us to send malicious payloads, then using ysoserial to generate a payload"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 108, "seconds": 30}, "tag": "linux insane", "line": " Using CommonsCollections5 to generate a malicious payload to send and getting a reverse shell"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 117, "seconds": 17}, "tag": "linux insane", "line": " Getting PsSpy on the box and discovering SCP is 
pulling files"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 119, "seconds": 50}, "tag": "linux insane", "line": " Explaining what our exploit path is, having a tar overwrite itself and point to authorized_keys then the next time it is copied to it overwrites auth_key"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 124, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, attempting to explain the exploit vector again"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 1, "seconds": 24}, "tag": "linux hard", "line": " Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Poking at the login for the flask application (Port 5000)"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Playing with the Change Password fied, made a mistake which puts me down a rabbit hole"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux hard", "line": " Checking the Contact page, seeing we get banned with a XSS Attempt but someone will click URL's if we send them"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Creating an account on Authorization.oouch.htb"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "linux hard", "line": " Enumerating the /token/ an endpoint through error messages"}, {"machine": "HackTheBox - Oouch", "videoId": 
"EUtqjK27MxQ", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux hard", "line": " Using the webapp to give our authorization account access to our consumer account"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux hard", "line": " Going through the same workflow to give authorization access to consumer account, but tricking a different user into going to the last piece of the workflow"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " We are now the QTC User! Going into the Documents shows some hints like a develop credential"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Reading the Django Docs to see how the oauth endpoints are setup, finding the application register endpoint and the develop creds to again access"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Looking at the oauth authorization workflow again in order to build a authorization link for our new application!"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux hard", "line": " Thanks to our application's redirect url we stole QTC's token which will eventually let us develop endpoints"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 60, "seconds": 20}, "tag": "linux hard", "line": " Used the token to authenticate and get our Bearer token, then playing with API endpoints and noticing get_user and get_userjaskldfj both go to the same route. 
Helpful when brute forcing"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 64, "seconds": 25}, "tag": "linux hard", "line": " TIL, I don't know how to use FFU eventually i switch to wfuzz to bruteforce the endpoint"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 68, "seconds": 46}, "tag": "linux hard", "line": " Got shell on the box, discover note.txt and it hints at DBUS"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "linux hard", "line": " Creating a bash script to ping/port scan in order to enumerate other containers"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux hard", "line": " Digging through the code in order to discover UWSGI and how the webapp sends, attempting to send the dbus message but getting access denied."}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 88, "seconds": 30}, "tag": "linux hard", "line": " Searching for a UWSGI Code execution route so we can switch to www-data, finding a script "}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 98, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell as www-data returned, doing the DBUS Message again via python to get code execution"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "linux hard", "line": " ALTERNATE DBUS Method - Using the dbus commands (busctl/dbus-send) send the message without touching python"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Begin of nmap"}, {"machine": 
"HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Enumerating RPC to identify usernames"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows medium", "line": " Setting up a bruteforce and creating a custom wordlist with hashcat"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Enumerating LDAP with LDAPSEARCH"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows medium", "line": " Discovering the cascadeLegacyPwd LDAP Attribute which has a password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows medium", "line": " Using CrackMapExec to test the credential found in LDAP "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Installing the latest CrackMapExec to gain access to the Spider_Plus Module"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "windows medium", "line": " Using the spider_plus module of CME (CrackMapExec) to crawl the SMB Share as R.Thompson"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "windows medium", "line": " Mounting the SMB Share as R.Thompson in order to view the files in Data share"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "windows medium", "line": " Discovering the VNC Install.reg file which contains an encrypted password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "windows 
medium", "line": " Using Metasploit IRB to decrypt TightVNC's password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Using the VNC Password to gain a WinRM Session to Cascade as s.smith discovering he is in the Audit Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows medium", "line": " Using DNSPY to decompile the CascAudit DotNet application "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows medium", "line": " Setting a breakpoint in DNSPY where the password is decrypted and viewing the variable after it decrypts the pw"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "windows medium", "line": " Gaining e remote shell as ArkSvc to discover this user is in the AD Recycle Bin Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows medium", "line": " Viewing deleted Active Directory items to see the TempAdmin has the CascadeLegacyPwd field and discovering this is the PW for administrator"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Running Nmap"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 2, "seconds": 7}, "tag": "windows easy", "line": " Poking at SMB with CrackMapExec, SMBMap, and RPCClient to get nothing"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows easy", "line": " Checking out the web page"}, {"machine": "HackTheBox - 
Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows easy", "line": " Playing with user input in the website and getting an error \"HTTP VERB used is not allowed\""}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Copying names from the website"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows easy", "line": " Using some VIM/VI Magic (macro) to convert names into potential usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "windows easy", "line": " Identifying valid usernames by using KerBrute which can enumerate valid usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows easy", "line": " Running some Impacket scripts and performing an ASREP Roast to extract password hash from Active Directory"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "windows easy", "line": " Running GetNPUsers to get the hash for a user and then using hashcat to crack ASREP$23"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "windows easy", "line": " Seeing a RICOH printer share, pulling EXIF data off website to get an idea if it may be exploitable"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows easy", "line": " Using Evil-WinRM to log into the box with FSMITH and run WinPEAS to get saved credentials"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Running BloodHound"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": 
{"minutes": 34, "seconds": 25}, "tag": "windows easy", "line": " Identifying that svc_loanmgr can perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows easy", "line": " Running SecretsDump with svc_loanmgr to perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "windows easy", "line": " Performing a Pass The Hash with the administrator user using PSExec"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 34}, "tag": "linux medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux medium", "line": " Enumerating the login page"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 3, "seconds": 5}, "tag": "linux medium", "line": " Creating an account, identifying what fields are unique"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Logged into the page, examining functionality starting with the download.php file"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Playing with the search field"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Playing with XSS by using img src"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Examining the user signup more closely"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": 
{"minutes": 15, "seconds": 25}, "tag": "linux medium", "line": " Viewing javascript on the page to show there is a maximum number of characters in username/email"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Start of attempting SQL Truncation attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "linux medium", "line": " Attempting to login to /admin/ with our account to see we get in, then redoing everything to explain it."}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux medium", "line": " Explaining the SQL Truncation Attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux medium", "line": " Noticing the PDF Generation processes HTML and probably JavaScript"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux medium", "line": " Using a Javascript payload that reads a local file on the box"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Getting rid of the Base64 Encoding in the payload and reading /etc/passwd"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 46, "seconds": 18}, "tag": "linux medium", "line": " Trying (and failing) to grab /proc/self/environ "}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 54, "seconds": 10}, "tag": "linux medium", "line": " Attempting to grab an SSH Key for the Reader User"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " SSH Key is poorly formatted. 
Using pdf2text to see if formatting is better"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux medium", "line": " PDF2Text didn't work, lets try PDF2HTML which does a great job"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux medium", "line": " Revisiting the Base64 Payload to see if PDF2HTML grabs all the Base64 (it does)"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 62, "seconds": 15}, "tag": "linux medium", "line": " Running LINPEAS to see we may be able to exploit log rotate"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 66, "seconds": 10}, "tag": "linux medium", "line": " Poorly explaining how logrotten works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "linux medium", "line": " Performing the Logrotten exploit to get a reverse shell"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 78, "seconds": 15}, "tag": "linux medium", "line": " Finally keeping the reverse shell alive"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 80, "seconds": 25}, "tag": "linux medium", "line": " Examining how the SQL Truncation vulnerability came to be by looking at the PHP Source Code and then SQL Table Schema"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "linux medium", "line": " Showing how it determines the admin user and uses trim() which is why our attack works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "linux medium", "line": " Examining the PHP Sessions"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": 
"linux hard", "line": " Intro"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux hard", "line": " Begin of Nmap"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux hard", "line": " Registering an account and examining the functions to signed in users"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Playing with the ProfilePicture.php to discover we can do file inclusion"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Testing for RFI"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 14, "seconds": 25}, "tag": "linux hard", "line": " Using the PHP Filter Wrapper to convert php files to base64 and extract source code"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux hard", "line": " Start of creating a script to automate this"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Terminal portion of the script completed, now to add HTTP Requests"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Script cannot access the page due to requiring a login session, hard code the login cookie"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 26, "seconds": 
50}, "tag": "linux hard", "line": " Script now is able to extract files off the server, now to add a save_file function"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux hard", "line": " Using the script we created as a library and building a brute forcer!"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux hard", "line": " Manually looking at source code while our script runs in the background"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " Going back to gobuster seeing the \"/dev\" directory, extracting source to get credentials to SSH into the box"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Examining the Backup SetUID File with strace, explaining Path Injection (but it doesn't work here)."}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux hard", "line": " Opening up the backup file in Ghidra"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Using find to search for files owned by Pain to discover config.php.bak, then abusing the backup program to read this file"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux hard", "line": " Abusing the sudo rules to skip the crypto challenge. 
Upload a luks container with a SetUID Binary"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 55, "seconds": 45}, "tag": "linux hard", "line": " Creating a Luks Container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Adding a SetUID Binary in the luks container then uploading it, and executing it to get root"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux hard", "line": " Going back to look over the Crypto Challenge"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux hard", "line": " Using the program to encrypt text we know the key to, so we can build a bruteforcer"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux hard", "line": " Found a weird bug, we only need to know the first character of the key and length... 
Build a cracker based upon that"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 83, "seconds": 40}, "tag": "linux hard", "line": " Key found, decrypt the container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 88, "seconds": 55}, "tag": "linux hard", "line": " Going back to the ProfilePicture, and finding the SSRF + XXE Chain"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 93, "seconds": 50}, "tag": "linux hard", "line": " Showing the importance of double URL Encoding"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 102, "seconds": 55}, "tag": "linux hard", "line": " Creating another module for our LFI Script to add some crawl functionality to automatically download a bunch of source code!"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 0, "seconds": 51}, "tag": "", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Testing basic SQL Injection on product.player2.htb"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Running gobuster against the product domain to find potential pages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Running gobuster to try to enumerate sub domains."}, {"machine": "HackTheBox - Player2", "videoId": 
"ehoh6g5dSWk", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "", "line": " Checking the full port scan of the box to see 8545"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "", "line": " Gobuster had an issue enumerating subdomains, switched to wfuzz"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Investigation TWIRP because port 8545 had that in an error mesage"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "", "line": " Running gobuster to hunt for protobuf files and api endpoints"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Exploring the generated.proto file"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull credentials"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Using Hydra to bruteforce an http login form"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "", "line": " Exploring login logic to see how SESSIONS are handled after invalid logins"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Testing /api/totp now that we have a session and finding ways to generate backup codes"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Looking at the authenticated product page"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "", "line": 
" Playing with the upload form of the protobs interface"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "", "line": " (unintended) Hunting for the uploads/ directory and testing for potential race condition"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "", "line": " Winning the race to get a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 65, "seconds": 15}, "tag": "", "line": " Doing the firmware upload the intended way."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 67, "seconds": 20}, "tag": "", "line": " Using DD to extract data out of binwalk"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "", "line": " Exploring the firmware in Ghidra"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "", "line": " Testing the firmware signing by opening the ELF in a hex editor and changing a byte near the beginning of the file, then the end of the binary"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 75, "seconds": 10}, "tag": "", "line": " Editing the string in the system() call test for RRCE"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "", "line": " Changing our ping command to be a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Reverse shell returned but wanted to see how much of this ELF we messed up by overflowing the string."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "", "line": " Checking the MySQL Database for creds"}, 
{"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 101, "seconds": 50}, "tag": "", "line": " Running pspy to see some hidden crons"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "", "line": " Running chisel to forward the MQTT Port back to our box"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 111, "seconds": 10}, "tag": "", "line": " Using mosquitto_sub to subscribe to a topic and get messages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 113, "seconds": 40}, "tag": "", "line": " Subscribing to $SYS/# and seeing an SSH Key broadcast to it"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 114, "seconds": 40}, "tag": "", "line": " Changing the SSH Key on the box, which root reads and broadcasts. Use this to get shadow and root.txt"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows easy", "line": " Start of NMAP"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "windows easy", "line": " Using SMBClient to search for open shares (None)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows easy", "line": " Checking out the web page, some light fuzzing on login and examining how the language selection works"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "windows easy", "line": " Taking a Screenshot on Parrot and pasting it into Cherry Tree (Shift+PrintScreen)"}, {"machine": "HackTheBox - ServMon", "videoId": 
"4tCD0GemXYg", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows easy", "line": " Checking out FTP and downloading the two txt files"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows easy", "line": " Viewing port 8443, and realizing this page really hates firefox. Switch to Chromium"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 19, "seconds": 5}, "tag": "windows easy", "line": " Using searchsploit to find there's a directory traversal exploit in NVMS"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "windows easy", "line": " Grabbing Passwords.txt off Nathan's Desktop (filename was an FTP Note)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "windows easy", "line": " Using CrackMapExec to bruteforce logins for SMB and SSH (SSH alread bug fixed in DEV Branch)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Logging in with SSH, then looking for WebServer directories"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "windows easy", "line": " Examining the NSClient directory to view the config"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "windows easy", "line": " Using SSH to setup a port forward"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "windows easy", "line": " Lots of flailing around trying to get code execution"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "windows easy", "line": " Enough flailing, box reverted and do a clean run of 
this exploit"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows easy", "line": " Flailing around trying to get Nishang to run... Defender is giving me issues."}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "windows easy", "line": " Giving up with Defender Evasion, switching to nc.exe to get a reverse shell"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "windows easy", "line": " Reverse shell returned as System grabbing root.txt"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Into"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 3, "seconds": 36}, "tag": "windows medium", "line": " Using rpcclient with null authentication and dumping active directory users"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 6, "seconds": 26}, "tag": "windows medium", "line": " Building a password list with hashcat --stdout (Forest Video does it better)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 8, "seconds": 41}, "tag": "windows medium", "line": " CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 12, "seconds": 6}, "tag": "windows medium", "line": " Using SMBMap to list contents of directories"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows medium", "line": " Using SMBMap to download azure.xml which 
has a hardcoded credential in it then testing with WinRM to see if we can get a shell"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Downloading and running Seatbelt on the server"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "windows medium", "line": " Running WinPEAS for a second opinion"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "windows medium", "line": " Talking about the Azure Admins group"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 28, "seconds": 55}, "tag": "windows medium", "line": " Playing with SQLCMD to view the MSSQL Database"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "windows medium", "line": " Downloading and running PowerUpSQL to see if there's any obvious escalation paths"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows medium", "line": " Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 hash (I should of noticed its the machine account due to username ending with a $, these are pretty much never crackable)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "windows medium", "line": " Searching google to find XPNSec's post on \"Azure AD Connect for Red Teamers\""}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows medium", "line": " Running through the commands with SQLCMD to understand what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "windows 
medium", "line": " Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on us"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "windows medium", "line": " Stepping through the script to see where it is failing"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "windows medium", "line": " Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows medium", "line": " Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "windows medium", "line": " Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "windows medium", "line": " Dumping the DNS Zone for MEGABANK.LOCAL via powershell"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Showing why we should run NMAP as root or sudo."}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "windows easy", "line": " Running nmap to see only SMB is open, start a full port scan and move on"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows easy", "line": " Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to 
explore how each program works"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Running SMBClient to mount the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows easy", "line": " Installing CIFS-Utils so we can mount SMB and run commands like find against the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Discovering a password, doing a credential spray and getting some odd results"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "windows easy", "line": " Mounting the shares with as TempUser to discover we have access to more files"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Using iconv to cat a windows text file because it showed a bunch of bad characters"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows easy", "line": " Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Directory, we can get into this folder"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows easy", "line": " Downloading the source-code to RUScanner in the User share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Switching to Windows so we can use Visual Studio to compile the RUScanner application and decrypt the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows easy", "line": " Dropping the config in bin/debug and setting a breakpoint on the 
line of code which decrypts the password to view the output"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 35, "seconds": 55}, "tag": "windows easy", "line": " Using CrackMapExec to validate these are valid credentials, then exploring the fileshares again"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows easy", "line": " Exploring the application on port 4386 and showing why we need to use TELNET and not NC or NETCAT"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows easy", "line": " Playing with the various options on port 4386"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 44, "seconds": 58}, "tag": "windows easy", "line": " Using SMBClient to mount the Users directory as C.SMITH so we can use \"allinfo\" to see an ADS (Alternate Data Stream) Exists, then downloading the hidden password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows easy", "line": " Using the custom program on port 4386 and using the DEBUG Options to download the configuration file with an encrypted LDAP Password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "windows easy", "line": " Using DNSPY to decompile HqkLdap.exe"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "windows easy", "line": " Editing the application to print the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "windows easy", "line": " Running HqkLdap to get the decrypted password, which is the administrator password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 59, "seconds": 20}, "tag": 
"windows easy", "line": " Using psexec to get a shell on the box as the SYSTEM user"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "windows medium", "line": " Talking about my switch to Parrot"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows medium", "line": " Begin of nmap, discovering it is likely a Windows Domain Controller"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows medium", "line": " Checking if there are any open file shares "}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 6, "seconds": 11}, "tag": "windows medium", "line": " Using RPCClient to enumerate domain users (enumdomusers)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "windows medium", "line": " Using CrackMapExec to dump the PasswordPolicy"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Using RPCClient to dump Active Directory information (querydispinfo)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "windows medium", "line": " Bruteforcing accounts via CrackMapExec with password of Welcome123!"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Using Evil-WinRM to remote into the server as Melanie"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows medium", "line": " Building the latest 
version of Seatbelt on CommandoVM (The DotNet version is incompatible)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "windows medium", "line": " Explaining some cool bash one line tricks, then linking Egypt's \"One liners to rule them all\" talk"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows medium", "line": " Changing Seatbelt to compile to Version 4.0 then trying again."}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "windows medium", "line": " Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Running WinPEAS to compare the differences"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows medium", "line": " Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows medium", "line": " Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "windows medium", "line": " Quickly going over how to execute code on a Domain Controller as a DNS Admin"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 46, "seconds": 
10}, "tag": "windows medium", "line": " Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "windows medium", "line": " Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows medium", "line": " Using the DNS-EXE-Persistance to help us create a better to do the Reverse Shell"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 53, "seconds": 3}, "tag": "windows medium", "line": " Explaining the DNSCMD Exploit path on how it can be used both foor lateral movement and privesc"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 54, "seconds": 50}, "tag": "windows medium", "line": " Start of creating the DLL to use with this DNS Exploit"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "windows medium", "line": " Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows medium", "line": " Showing that we get a Reverse shell and DNS Keeps running"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 63, "seconds": 52}, "tag": "windows medium", "line": " Removing the \"CreateThread\" portion of our code to show that was needed, without CreateThread the DNS Server hangs because it stops on the RevShell code"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": 
"HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Nmap the box, then play with the WebServer. 404 msg are interesting"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "", "line": " Opening the binary up in Ghidra and exploring the binary to understand what it does"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "", "line": " Discovering we have control over the first argument in log_access/printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "", "line": " Showing one of my most hated things about debugging forks. Be sure to always kill the process!"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 21, "seconds": 5}, "tag": "", "line": " Using GDB to help us analyze the log_access call, by breaking and examining the stack"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Begin of PrintF (Format Strings) Exploitation, leak a bunch of memory addresses, then identify a spot in memory where we control"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "", "line": " Starting to write an exploit script"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "", "line": " Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. 
Analyze the binary again and see it supports the \"RANGE\" HTTP Header which is required to grab these special files"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "", "line": " Back to Coding the exploit script, now that we can grab the process map"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "", "line": " Testing our leaking/rebasing code to verify we are leaking correctly then using fmtstr_payload to automate the exploit"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Running the exploit, seeing the output of \"GET\" on the Server's STDOUT... Lots of fighting with a debugger to show exactly what happened (explain it later, may want to skip to the next part)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "", "line": " Replacing GET in our request with commands, to see it is running them. Placing a reverse shell here using IFS as space."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "", "line": " Changing the exploit to use the target... For some reason we have the wrong libc version, once we figure that out it works."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 68, "seconds": 25}, "tag": "", "line": " Going to /proc/self/maps again to leak the path of libc, redownloading it and then we instantly get a shell. Drop SSH Keys and SSH in"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "", "line": " Going back.. the issues with debugging the printf exploit, to explain it. 
The issues had was system() calls fork and we followed it"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "", "line": " John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls a printlog() option in a custom library that is chmod'd to 777"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 81, "seconds": 10}, "tag": "", "line": " Creating a custom library that replaces printlog() with a system(\"/bin/bash\") call, uploading and getting our shell. Drop an SSH Key and go in via ssh"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "", "line": " Examining the contact bin in Ghidra, this one is stripped so it will be a bit more pain to navigate"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "", "line": " Explaining the buffer overflow in the recv() call -- Then lots of fighting with gdb to get to a part of the code to explain overwriting the canary"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 106, "seconds": 49}, "tag": "", "line": " Partially overwriting the canary and showing it in GDB, then explaining how its like a padding oracle attack due to it not changing. "}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 110, "seconds": 10}, "tag": "", "line": " Begin the exploit script, start off with creating our threaded bruteforcer() class."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 122, "seconds": 45}, "tag": "", "line": " Explaining what our code will do, then running it and fixing errors"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 131, "seconds": 30}, "tag": "", "line": " Testing our program to see we can leak the canary. 
Then leaking RBP and RIP"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 134, "seconds": 50}, "tag": "", "line": " Using VMMAP to aid us in rebase the binary to bypass ASLR."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 138, "seconds": 22}, "tag": "", "line": " Using pwntools to create a write() gadget to leak a libc address, then rebase libc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 143, "seconds": 35}, "tag": "", "line": " Since Canary/RBP/RIP are always the same, lets just hard code those variables for now to save time"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 145, "seconds": 30}, "tag": "", "line": " Going over the ROP Gadget, then verifying the libc address is correct and doing dup2,dup2,execve for code execution"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 155, "seconds": 40}, "tag": "", "line": " Found why the ExecVE wasn't working, didn't update the rop variable name, so ran libc leak twice"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 156, "seconds": 30}, "tag": "", "line": " Updating the code to work remotely. 
Use Chisel to forward port 1337 to our box"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 165, "seconds": 30}, "tag": "", "line": " Printing a few more debug things so we know the code is working, downgrading the # of workers, then running it remotely, to get a shell"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 168, "seconds": 50}, "tag": "", "line": " Showing we don't need the Pop RDI because RDI is already set as the FD"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 174, "seconds": 19}, "tag": "", "line": " Removing the first 16 bytes of our libc leak, to skip over RDI"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 176, "seconds": 40}, "tag": "", "line": " Removing the RDI's from our Dup2 calls"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 180, "seconds": 35}, "tag": "", "line": " Removing all the PwnTools magic from our binary, manually rebasing"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 182, "seconds": 30}, "tag": "", "line": " Manually specifying the addresses for everything, gadgets (ropper), objdump (PLT), ReadElf (GOT), Strings (binsh)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 194, "seconds": 0}, "tag": "", "line": " Leaking libc gadget works. 
Repeating everything we did here with LibC and building the execve gadget"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 203, "seconds": 30}, "tag": "", "line": " Begin of manual PrintF, showing the liveoverflow videos I recommend watching."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 215, "seconds": 15}, "tag": "", "line": " Creating the printf payload (have a typo, should be %4x)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 218, "seconds": 35}, "tag": "", "line": " Going to the pritnf call in GDB, examining the GOT PUTS address before/after to see we screwed up"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 222, "seconds": 30}, "tag": "", "line": " Had the wrong address for PUTS in our printf payload, put the correct one in and examine the call in GDB to see PUTS@GOT is now 0xc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 224, "seconds": 17}, "tag": "", "line": " Explaining why we want to break the SYSTEM() address into two 2 byte pieces instead of one 4 byte... Modifying our PrintF Payload to allow this. This piece should really show what the \"n\" variable does in printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 227, "seconds": 9}, "tag": "", "line": " Our memory address is close to what we want for SYSTEM, modifying the number slightly"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 229, "seconds": 20}, "tag": "", "line": " Address matches! 
Running the exploit with our reverse shell and hand crafted printf payload to show it works."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Begin of nmap, there's a weird 8888 port."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux hard", "line": " Looking at the website, downloading a docx"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Finally running GoBuster, doing the raft wordlist because it has \"UpdateDetails\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux hard", "line": " Running GoBuster against the \"release\" directory to get release notes and researching XML and DocX"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " Adding an XXE Payload into our Word Document: customXml/item1.xml"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Making an XXE Chain to extract files using HTTP and PHP's Encoder"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux hard", "line": " Extracting the Apache Config to see DocRoot, then extracting config.php"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens with bad regex to remove things."}, {"machine": "HackTheBox - Patents", "videoId": 
"XqsURG_agvY", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Exploring Log File Poisoning"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux hard", "line": " Shell returned on the box, fixing up the TTY and searching for files by creation time"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " There's a file in /opt/, that hints at a cronjob running a task every minute. Running PSPY to see the process creation"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "linux hard", "line": " Password is exposed in the command, this is the root password to the docker. Exploring the Cron and /opt/lfm directory"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "linux hard", "line": " Exploring the lfm directory and examining old git commit's to get the binary of lfmserver and some old source code."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "linux hard", "line": " Opening up on Ghidra, defining main"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 77, "seconds": 20}, "tag": "linux hard", "line": " Going into the first piece of the program which looks like an argument check. Looking at the source to verify we are correct."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux hard", "line": " Searching for the password in the binary to see where it is used. 
Use GDB to help us understand what is happening"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux hard", "line": " Start of creating an exploit script"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 89, "seconds": 50}, "tag": "linux hard", "line": " Changing the password to ippsec, and looking at it in GDB to confirm a variable... Bunch more playing around learning the binary"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 104, "seconds": 10}, "tag": "linux hard", "line": " Discover the applicaiton is expecting files to be in /files/, behaves like DOC_ROOT"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 105, "seconds": 10}, "tag": "linux hard", "line": " Explaining where I think the Buffer Overflow Happens (URLDecode)"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 110, "seconds": 0}, "tag": "linux hard", "line": " Crashed the applicaiton, discovering the correct spot to overwrite with \"pattern create\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 114, "seconds": 0}, "tag": "linux hard", "line": " Using Ropper to find some pop gadgets to use, then creating a gadget to leak an address using write(). Then doing a bunch of troubleshooting around MD5Sum to get the code to a spot that triggers our overflow."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 139, "seconds": 0}, "tag": "linux hard", "line": " End of troubleshooting that MD5 issue. 
Viewing what the server is sending in wireshark"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 147, "seconds": 30}, "tag": "linux hard", "line": " Calculating Memory Offsets based upon the link"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 156, "seconds": 10}, "tag": "linux hard", "line": " Creating a gadget to map stdin/stdout then execute bash... Then lots of troubleshooting, some encoding issue."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 162, "seconds": 20}, "tag": "linux hard", "line": " Memory address looks weird, using GDB to confirm we grabbed the wrong address."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 169, "seconds": 0}, "tag": "linux hard", "line": " Calculating where the BinSH String would be located and now our script works locally!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 171, "seconds": 10}, "tag": "linux hard", "line": " When going against target, our script isn't even getting the memory leak... Incorrectly thinking there's some ACL based around IP Address. Using an SSH Tunnel to create a reverse tunnel and access the server through the docker"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 175, "seconds": 0}, "tag": "linux hard", "line": " Realizing the MD5 is wrong since convert.php on our target is different than our box!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 177, "seconds": 15}, "tag": "linux hard", "line": " Address leaked! Using libc-database to hunt for the version of libc on the target machine"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 180, "seconds": 0}, "tag": "linux hard", "line": " Libc-database found the correct libc, modifying our exploit script to use this libc. 
Then getting a shell"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 185, "seconds": 30}, "tag": "linux hard", "line": " Running LinPEAS and noticing that /dev/sdb1 is mounted to /root, examining /dev/sda2 to see if there was a /root directory underneat to get root.txt."}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux medium", "line": " Quick rant about Security through Obscurity and why it can be good"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Begin of nmap'ing the box "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Checking out the webpage, GoBuster giving weird errors, try WFUZZ"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 12, "seconds": 5}, "tag": "linux medium", "line": " Taking a deeper look at the website while we have some recon running"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux medium", "line": " Wfuzz found nothing hunting for /$directory/SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Doing some Directory Traversal attempts against the webserver, and seeing it looks like its vulnerable"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux medium", "line": " Extracting the source code to the webserver by specifying /../SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", 
"videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Installing VS Code so we can run this webserver and insert breakpoints"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux medium", "line": " Creating main.py then running the code in VSCode"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux medium", "line": " Exploiting the exec() statement in the WebServer"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux medium", "line": " Explaining that we can't use + for spaces in the url, have to do %20, then testing a reverse shell"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux medium", "line": " Turns out the intended way is to find the /develop/ directory. 
Looking into why wfuzz missed it"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux medium", "line": " Copying the SuperSecureCrypt files back to our local box, then reading the source"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " Explaining modulus "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux medium", "line": " Explaining Known Plaintext Attack"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 63, "seconds": 35}, "tag": "linux medium", "line": " Having trouble deciphering arguments, typing out the arguments on decrypting the key"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "linux medium", "line": " Decrypting the PasswordReminder.txt"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 70, "seconds": 39}, "tag": "linux medium", "line": " Explaining Block Ciphers and how to protect against Known-PlainText"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "linux medium", "line": " Rant about Initialization Vectors (IV) and why repeating them is bad (WEP)"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux medium", "line": " Looking at the BetterSSH Source Code"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 77, "seconds": 10}, "tag": "linux medium", "line": " Explaining why we can overload the -u parameter of Sudo"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux medium", "line": " Setting up a watch 
command to copy all files in /tmp/SSH to /dev/shm so we can crack them later"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 81, "seconds": 10}, "tag": "linux medium", "line": " Root #1: Exploiting BetterSSH via overloading parameters"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 85, "seconds": 20}, "tag": "linux medium", "line": " Root #2: Cracking the password"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "linux easy", "line": " Running GoBuster to discover /music/, checking the page to try to find out what it is."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Going to login reveals this is OpenNetAdmin version 18.1.1, searchsploit isn't updated and fails to find the correct exploit"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Showing what to do when an web exploit script gives HTML"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Finding the correct exploit script, setting it to go through burpsuite"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux easy", "line": " Failing to get a reverse shell for a bit because of bad characters (explained at end, we needed to URL Encode it)."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell worked when doing the python one."}, {"machine": "HackTheBox - OpenAdmin", 
"videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux easy", "line": " Looking for a config file with database connection info"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux easy", "line": " Exploring the MySQL Database to get additional creds"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux easy", "line": " Running Medusa to test the passwords against users on the box to discover we can login as jimmy"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux easy", "line": " Showing of \"sucrack\" to brute force with \"su\" incase SSH Was not open"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux easy", "line": " Running find to see what files are owned by Jimmy to see some new php scripts"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux easy", "line": " Discovering a second webserver, accessing main.php lets us read an SSH Key... Digging into why, because it looks like it wants us to login (forgot the die; command)"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "linux easy", "line": " Lets try it the \"correct\" way with an SSH Tunnel and using firefox to login, going down a \"magic hash (===)\" rabbit hole. 
When we could just crack the pw."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux easy", "line": " Running John to crack the SSH Key"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 68, "seconds": 35}, "tag": "linux easy", "line": " Linpeas shows Joanna can run nano with sudo"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux easy", "line": " GTFOBins shows a way to have nano execute commands"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 79, "seconds": 0}, "tag": "linux easy", "line": " GOING BACK: URL Encoding the the original RCE to see a standard bash revshell would work"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Start"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows hard", "line": " Begin of nmap"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. 
Run GoBuster on /uploads/ looking for PHP files"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows hard", "line": " Begin fuzzing Proxy Headers with wfuzz to access admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows hard", "line": " Having BurpSuite automatically add the x-forwarded-for header to our requests"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows hard", "line": " Explaining a reason why this header exists in the first palce"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows hard", "line": " Discovering Union injection on the admin page"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows hard", "line": " Telling SQLMap to run in the background, while we manually enumerate this ourselves."}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows hard", "line": " Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows hard", "line": " Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "windows hard", "line": " 
Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows hard", "line": " Grabbing user hashes out of the database with our injection then cracking them to discover hector's password"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows hard", "line": " Using OUTFILE in our injection to drop a php webshell to the server"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 58, "seconds": 5}, "tag": "windows hard", "line": " Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 64, "seconds": 2}, "tag": "windows hard", "line": " Using powershell to run a command as hector with the password we cracked from the database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "windows hard", "line": " Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows hard", "line": " Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "windows hard", "line": " Running ConvertFrom-SddlString to make sense of the registry permissions"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "windows hard", "line": " Listing services on the box, then shrinking the number by only showing 
ones that run as LocalSystem with a Manual startup type"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "windows hard", "line": " Shrink the list some more by only showing the services that our user has permission to startup"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows hard", "line": " Showing the \"SC\" command cannot set the BinPath of services, need to do this via registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "windows hard", "line": " Changing the ImagePath of the wuauserv service in the registry via PowerShell"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 101, "seconds": 15}, "tag": "windows hard", "line": " Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap and examining the HTTPS Certificate to get a potential hostname"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMAP do HTTPS instead of HTTP"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 6, "seconds": 26}, "tag": "linux medium", "line": " Playing with analytics.php and some light testing to see if we could do SSRF. 
Put it on the backburner and move on."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 7, "seconds": 42}, "tag": "linux medium", "line": " Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 8, "seconds": 51}, "tag": "linux medium", "line": " Going over NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 9, "seconds": 44}, "tag": "linux medium", "line": " Attempting to explain NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "linux medium", "line": " Performing a NoSQL Injection test via x-www-form-encoded data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 12, "seconds": 44}, "tag": "linux medium", "line": " Doing Regular Expressions with NoSQL Injection to extract the password length"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux medium", "line": " Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Going over doing Burp Intruder to extract data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", 
"timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux medium", "line": " Creating a Python Script to do this NoSQL Injection since Burp cost $$ and is slow."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 37, "seconds": 11}, "tag": "linux medium", "line": " Script mostly done extracting admin's password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 40, "seconds": 47}, "tag": "linux medium", "line": " Trying to extract Mango's password but there's a tricky character, troubleshooting"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux medium", "line": " Running LinPEAS and seeing JJS is a SetUID Bin"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Turns out we can't execute JJS as mango, only admin. 
Use \"su\" to switch to admin and run JJS"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 50, "seconds": 11}, "tag": "linux medium", "line": " Using JJS to write a file and drop an SSH Key"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Unofficial Time Schedule."}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - First 30 minutes - Using ansible to build a Windows Domain"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Next 30-45 minutes - Searching Exploit-DB and taking apart exploits to understand them"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - The remainder of time - VulnHub or something."}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Unofficial Time Schedule."}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - First 30 minutes - Using ansible to build a Windows Domain"}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Next 30-45 minutes - Searching Exploit-DB and taking apart exploits to understand them"}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - The remainder of time - VulnHub or something."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Running nmap against the box, port 80 is running a unique webserver (nostromo)"}, {"machine": "HackTheBox - Traverxec", "videoId": 
"6_C9ShH9v2w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Lets check out the website before we throw any exploits"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 6, "seconds": 37}, "tag": "linux easy", "line": " Launching metasploit then exploting Nostromo but sending the exploit through burpsuite to see what it is doing"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 10, "seconds": 34}, "tag": "linux easy", "line": " Code Execution worked, for some reason the proxies command didn't work the first time"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 11, "seconds": 18}, "tag": "linux easy", "line": " Explaining why the script does a GET request before throughing an exploit (Exploit Verification)"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Editing the payload to send a Bash Reverse Shell"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux easy", "line": " Running LinEnum in Thorough mode"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 19, "seconds": 22}, "tag": "linux easy", "line": " Going over LinPEAS Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 22, "seconds": 16}, "tag": "linux easy", "line": " Going over LinEnum Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux easy", "line": " Discovering a HTPASSWD Password, then using hashcat to crack it"}, {"machine": "HackTheBox - Traverxec", "videoId": 
"6_C9ShH9v2w", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux easy", "line": " Looking at the HTTP Configuration file to discover public_www directory in home directories"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Explaining Linux Permissions on Directories and why we can do a ls in /home/david/public_www but not /home/david/ "}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux easy", "line": " Discovering an encrypting SSH Key for David in public_www, downloading the file via netcat then cracking the key with sshng2john.py John"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " SSH into the box as David"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux easy", "line": " Discovering David can sudo journalctl,"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux easy", "line": " Privesc by removing the pipe and then running !bash. 
Explaining why this works by tracing parent processes to see journalctl is just executing pager which is symlink'd to less"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "linux easy", "line": " Comparing the Directory traversal exploits (MSF and non-MSF) to see a weird bug adding %0d bypassed the /../ whitelist check"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux easy", "line": " Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 50, "seconds": 27}, "tag": "linux easy", "line": " Using find and grep to md5sum all the files to figure out what has changed."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 53, "seconds": 26}, "tag": "linux easy", "line": " Using diff to compare two files"}, {"machine": "Creating a VM to learn Linux PrivEsc", "videoId": "B_7NIkSlYuQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Support the stream: https://streamlabs.com/ippsec"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Begin of Recon, discovering hostname in SSL Certificate"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster against Registry.htb and Docker.Registry.htb to discover CA Certificate in /install/"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " /v2/ on Docker.Registry.HTB requires login, guessing admin:admin and then looking into the Docker Registry API"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", 
"timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " Manually downloading a Blob off the Registry and extracting it to reveal files "}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " A bit more elegant way to do this, configure Docker to use this registry by adding the CA to our Docker SSL Cert Store. Then downloading the Bolt-Image Container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux hard", "line": " Discovering an Encrypted SSH Key on the container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Explaining SSH Config Files"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Using find to show files modified between two dates to discover a file with the SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Using more forensic artifacts (viminfo) to dicover the file with SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Checking /var/www/html to discover the Web User can probably use sudo with restic. 
Try to get a shell as www-data"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux hard", "line": " Checking out Bolt CMS Exploits to discover an authenticated RCE"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux hard", "line": " Downloading the bolt SQLite database then viewing the contents and cracking the admin password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "linux hard", "line": " Identifying the algorithm bolt uses to hash passwords"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Exploiting Bolt by editing the config to allow PHP Files and then uploading a webshell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Could not get a reverse shell, checking iptable rules to see iptables blocks packets initiating a connection on OUTBOUND. 
Switching to localhost for reverse shell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Setting up a Reverse SSH Tunnel to forward 127.0.0.1:8000 to our box, so Restic can talk to us"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux hard", "line": " Setting up a Restic Server on our box"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "linux hard", "line": " Using Restic to download /root and get the Root SSH Key to login to the box"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 0, "seconds": 34}, "tag": "", "line": " Explaining how networking is setup, then nmap"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Examining why nmap says a port is filtered in Wireshark"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Exploring the webpage and doing basic SQL Injections in the search functionality"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Starting GoBuster in the background, #AlwaysHaveReconRunning"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "", "line": " Explaining SQL Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 13, "seconds": 55}, "tag": "", "line": " Explaining SQL Union Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Testing Union Injection by doing \u201cUNION SELECT\u201d, then testing it by doing \u201cORDER BY\u201d. 
"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Explaining how to get data out of INFORMATION_SCHEMA"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "", "line": " Doing GROUP_CONCAT to extract multiple lines from a UNION Statement"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Using SED to replace \u201c,\u201d with line breaks and extracting a bunch of information out of the database"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "", "line": " Cracking the hash to see admin\u2019s password is transorbital1"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 34, "seconds": 41}, "tag": "", "line": " Using wfuzz to brute force a login prompt with two FUZZ Variables (some troubleshooting)"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Fuzzing the MANAGE.PHP script for a filename parameter with wfuzz"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "", "line": " Exploring the LFI"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Using LFI with /proc/sched_debug to get processes running and discovering KnockD"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "", "line": " The Opening up the SSH Port with port knocking"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "", "line": " Using medusa combo list to test SSH Credentials, then logging chandlerb and running linpeas"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", 
"timestamp": {"minutes": 76, "seconds": 0}, "tag": "", "line": " Exploring the MySQL Database, discovering Janitor was created at a different time. Explore his directory to discover new credentials"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "", "line": " Using find to output a list of readable files for other users then finding files that can only be read by single users"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 88, "seconds": 50}, "tag": "", "line": " FredF can execute the \u201ctest\u201d binary as root. Looking at source, it allows appending lines to a file."}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 90, "seconds": 15}, "tag": "", "line": " File Write Method 1: Appending a line to allow joeyt to sudo"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 93, "seconds": 30}, "tag": "", "line": " File Write Method 2: Appending line to passwd to create a new user"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 96, "seconds": 50}, "tag": "", "line": " Extra content, going over the Source Code to view the LFI Exploit and a pretty funny login bypass bug"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Begin of Nmap scans"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "windows medium", "line": " Checking out the website and running a few GoBuster dir searches"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 8, "seconds": 20}, "tag": 
"windows medium", "line": " Discovering .. is a bad character, working around it by starting the path with a slash"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "windows medium", "line": " Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows medium", "line": " Configuring SMBd to host a share that is accessible by anonymous users"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows medium", "line": " Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows medium", "line": " Reverse Shell Returned!"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows medium", "line": " Discovering Chris's password then using Powershell to run a command as him to upgrade the shell."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "windows medium", "line": " Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 46, "seconds": 55}, "tag": "windows medium", "line": " Copying the malicious CHM File to c:\\Docs and not getting any shell. 
Simplify the exploit to run ping instead."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows medium", "line": " Using Out-CHM to have it execute NC out of c:\\users\\chris\\downloads\\ instead of a SMB Share and getting shell as administrator"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "windows medium", "line": " Start of doing the box the second way. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 54, "seconds": 15}, "tag": "windows medium", "line": " Explaining the LFI + PHP Session Exploit Chain"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "windows medium", "line": " Identify bad characters by creating a in python to to create accounts and test logins"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "windows medium", "line": " Testing minimal php code for code execution"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows medium", "line": " Testing Code exeuction with Powershell Encoded commands"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 78, "seconds": 26}, "tag": "windows medium", "line": " Downloading Netcat to the box then executing it for a reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 83, "seconds": 0}, "tag": "windows medium", "line": " Uploading Chisel to the box then forwarding ports 3306 and 5985 to us"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 40}, "tag": "windows medium", "line": " Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel"}, {"machine": "HackTheBox - Sniper", 
"videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 92, "seconds": 20}, "tag": "windows medium", "line": " Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "windows medium", "line": " Uploading the CHM and stealing the hash with Responder"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "windows medium", "line": " Using Hashcat to crack a NetNTLMv2 hash from Hashcat (5600)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 102, "seconds": 40}, "tag": "windows medium", "line": " Using PSexec to remote into the boxh"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "windows easy", "line": " Running NMAP and queuing a second nmap to do all ports"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows easy", "line": " Using LDAPSEARCH to extract information out of Active Directory"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Dumping user information from AD via LDAP then creating a wordlist of users"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "windows easy", "line": " Creating a custom wordlist for password spraying with some bashfu and hashcat"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows easy", "line": " Using CrackMapExec to dump the password policy of Active Directory using a null 
authentication, then doing a Password Spray"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Enumerating information out of AD using rpcclient and null authentication"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 28, "seconds": 10}, "tag": "windows easy", "line": " Now that our PWSpray is running in the background, lets go through Impacket Scripts to see what works."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "windows easy", "line": " Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows easy", "line": " Setting up a SMBShare, using New-PSDRive to mount the share, then running WinPEAS"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows easy", "line": " Going over WinPEAS Output"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows easy", "line": " Downloading Bloodhound and the SharpHound Ingestor"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows easy", "line": " Importing the Bloodhound Results and finding an AD Attack Path"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 52, "seconds": 10}, "tag": "windows easy", "line": " Going over the Account Operators Group (will allow us to create an 
account)"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows easy", "line": " Using Net User to create a new user, then adding it to the Exchange Group"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "windows easy", "line": " Downloading the PowerSploit Dev Branch to utilize the function \"Add-DomainObjectAcl\""}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows easy", "line": " Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "windows easy", "line": " Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 67, "seconds": 10}, "tag": "windows easy", "line": " Going over the \"--users\" option in hashcat so you can easily identify whos hash was cracked"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 70, "seconds": 43}, "tag": "windows easy", "line": " Using the KRBTGT Hash to perform the GoldenTicket attack from Linux"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 95, "seconds": 11}, "tag": "windows easy", "line": " Showing it worked, Issues were we could not use IP Addresses anywhere in the command and need FQDN for the domain. 
Create entries in Host file if DNS is not there."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Begin of nnmap scan"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Checking out the website, trying to identify what technology runs the site"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Nmap scan finished, start more recon (GoBuster and full nmap port scan)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Trying to find out when the website was stood up with exiftool"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Full nmap showed the REDIS port, initial poking"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux easy", "line": " Searching the internet for things you can do with a REDIS Server"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux easy", "line": " Dropping a webshell didn't work, lets try dropping an SSH Key"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Discovering the location of a .ssh directory by guessing the default (/var/lib/redis/.ssh)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Got a shell on the box!"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Running LinPEAS"}, 
{"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux easy", "line": " Running LinEnum twice (once with throrough mode enabled). To make sure we have good recon."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 33, "seconds": 10}, "tag": "linux easy", "line": " Discovering Matt logged in at a time we did not previously have"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 36, "seconds": 7}, "tag": "linux easy", "line": " Discovering an encrypted SSH key, cracking the SSH Key with John"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " SSH failing to work, decide to just use \"su\" to switch to the Matt User"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Discovering we can login to WebMin with Matt"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 48}, "tag": "linux easy", "line": " Running searchsploit, then using Metasploit to exploit Webmin"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux easy", "line": " Root shell returned, set Metasploit to go through burp and play with it until we get the exploit working."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 0, "seconds": 59}, "tag": "windows insane", "line": " Begin of nmap, discover XAMPP"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 5, "seconds": 51}, "tag": "windows insane", "line": " Running GoBuster while we poke at the website"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows insane", 
"line": " Registering an account then seeing what new functions are avaialble"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "windows insane", "line": " Attempting to transfer money and discovering XSS "}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows insane", "line": " Basic Cross Site Scripting worked, check cookies to see HttpOnly is false then do a basic XSS to steal cookies"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 15, "seconds": 33}, "tag": "windows insane", "line": " Doing the OnError payload to steal administrative cookie"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 17, "seconds": 38}, "tag": "windows insane", "line": " Logging in as the administrative user, checking out the new pages. Search which is SQL Injectable and BackDoorChecker which can execute code from localhost"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows insane", "line": " Playing with the SQL Injection in Search, confirming it is union then sending it to SQLMap to dump the database"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows insane", "line": " Using SQL Injection to read the source code via LOAD_FILE in a Union Injection."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows insane", "line": " Creating a XSS Payload that can send a Post Request (XMLHttpRequest)"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "windows insane", "line": " Reverse shell returned"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": 
{"minutes": 46, "seconds": 20}, "tag": "windows insane", "line": " Manually poking around the box, discover port 910 is open but our nmap didn't show it"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "windows insane", "line": " Using Chisel to forward the port back to our box, and discover it's a telnet interace to perform transfers"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows insane", "line": " Using PwnTools to bruteforce the PIN Code on port 910"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 56, "seconds": 10}, "tag": "windows insane", "line": " Send it 100 A's to see if the program crashes, instead it executesa payload after 32 bytes"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "windows insane", "line": " Failing to run netcat froma UNC Path"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 68, "seconds": 26}, "tag": "windows insane", "line": " Running netcat from C:\\ to get a reverse shell"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " Discovering an SQL Injection inside of the WhoIs Service"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Identifying we can perform DNS Zone Transfers with dig axfr (aquatone is the application i mention to take screenshots)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " 
Explaining the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Dumping information out of Information_Schema via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux hard", "line": " Dumping hostnames out of the whois database via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "linux hard", "line": " Discovering the pwned website, discovering shell.php with GoBuster"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 31, "seconds": 45}, "tag": "linux hard", "line": " Using wget to get the date the webserver was defaced"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Using wfuzz to find the parameter (hidden) the attackers shell used, then we have code execution on the machine."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Using find with newermt to identify what happened around the time the attacker pwned the box"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Discovering mail file that has some credentials for an FTP User"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 49, "seconds": 17}, "tag": "linux hard", "line": " Using grep/awk to find the hacker in an apache access logs"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 51, "seconds": 44}, "tag": "linux hard", "line": " Searching wireshark to pull the attackers post request to pull more credentials and 
the files the attacker uploaded to the server."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 55, "seconds": 5}, "tag": "linux hard", "line": " Analyzing root.c kernel module "}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Testing the kernel rootkit didn't work over HTTP, lets get a forward shell and try it there."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 62, "seconds": 22}, "tag": "linux hard", "line": " Testing passwords to gain access to ib01c01, which has the compiled kernel root kit (root.ko)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 65, "seconds": 20}, "tag": "linux hard", "line": " Analyzing root.ko in Ghidra to discover some slight changes to the root.c source code."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux hard", "line": " Sending g3tPr1v to /dev/ttyR0 to activate the rootkit and switch to root"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 70, "seconds": 2}, "tag": "linux hard", "line": " Testing nc with a source port of 20 to verify our assumption only root can do this is true"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "linux hard", "line": " Creating a PHP Script to act as middleware between SQLMap and the WhoIs port and allow us to use SQLMap to dump the database"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "linux hard", "line": " Manually installing Zeek (formerly known as Bro) to analyze the pcap. 
"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux hard", "line": " Zeek has been installed, running it against the pcap with Cr to ignore checksum errors"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 86, "seconds": 42}, "tag": "linux hard", "line": " Showing how to manually analyze zeek logs with less -S and zeek-cut"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux hard", "line": " Installing zkg which is the zeek package manager then installing ja3 and http-post modules to extract SSL Signatures and HTTP Post Data"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 96, "seconds": 20}, "tag": "linux hard", "line": " Running Zeek again with the modules, identify the HTTP Attack used (Google: \"prestashop mail proxycommand exploit\" to find the exploit the attacker used)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux hard", "line": " Begin of NMAP, then examining FTP to see the banner leak time and IPv6 compatibility."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster so we always have recon running in the background"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 38}, "tag": "linux hard", "line": " Examining the Web Page to see it has some usernames and FTP Creds"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Logging into FTP and testing basic things like downloading/uploading files"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux hard", 
"line": " Ran out of things to test. Run NMAP on all ports, then look into things we don't know."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux hard", "line": " Explaining what FXP is and what an FTP Bounce Attack is"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Performing the FTP Bounce Attack to get the IPv6 Address, then doing a nmap on the ipv6 address "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux hard", "line": " Identifying what port 8730 is (RSYNC) using both NMAP and NETCAT"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux hard", "line": " Downloading /etc via rsync, then explaining a bunch of configurations on the box"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Identifying there is an RSYNCD.SECRETS via the RSYNCD.CONF file. Cannot download but can identify filesize which will tell us the number of characters the password is."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux hard", "line": " Extracting all 8/9 character words out of RockYou.txt then using bash to script a rsync bruteforce (end of video we code a better brute force)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Got Roy's password (computer),then downloading his directory to get user.txt. 
After that upload an SSH Key"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 39, "seconds": 48}, "tag": "linux hard", "line": " SSH into the box as roy with the key, then failing to run lynis before running LinPEAS"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 48, "seconds": 8}, "tag": "linux hard", "line": " Using find to list files edited around the time User.txt was created (newermt) to identify git repo's under RSYSLOG and FTP"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 52, "seconds": 5}, "tag": "linux hard", "line": " Examining git repo in RSYSLOG to identify it sends syslog to POSTGRES and is SQL Injectable"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 57, "seconds": 10}, "tag": "linux hard", "line": " Performing the SQL Injection with logger, but before that tailing the postgres log for some output"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux hard", "line": " Running commands on Postgres 9.3 via PROGRAM command. Get into trouble with quotes, find postgres has a third quote option which is $$"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 73, "seconds": 57}, "tag": "linux hard", "line": " EXTRA CONTENT: Building a threaded RSYNC Bruteforcer"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 74, "seconds": 20}, "tag": "linux hard", "line": " Script 1: Figuring out how RSYNC Authentication works, its a Challenge/Response. 
"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 82, "seconds": 44}, "tag": "linux hard", "line": " Script 1: Downloading the RSYNC Source and searching how it creates the hash"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 92, "seconds": 40}, "tag": "linux hard", "line": " Script 1: Adding SOCKET Support so we can connect to the RSYNC Server"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 105, "seconds": 40}, "tag": "linux hard", "line": " Script 2: Python3 Threading example "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 110, "seconds": 45}, "tag": "linux hard", "line": " Script 3: Combining the Threaded example with our RSYNC Auth to get a good bruteforcer!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "windows medium", "line": " Start of recon, NMAP"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "windows medium", "line": " Using SMBClient to look for OpenShares"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Examining the HTTP Redirect on the page"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 6, "seconds": 56}, "tag": "windows medium", "line": " Attemping default credentials"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "windows medium", "line": " Running GoBuster with PHP Extensions"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows medium", "line": " Examining the /api/ Requests made in BurpSuite"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 13, "seconds": 35}, 
"tag": "windows medium", "line": " Comparing Requests to notice one has a \"BEARER\" Header. Researching exactly what it is."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows medium", "line": " Examining the contents of BEARER/OAUTH2 by base64 decoding it."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows medium", "line": " Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected bas64"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows medium", "line": " See a serialization error, pointing towards JSON.NET, then switching to Windows to install ysoSerial"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 22, "seconds": 54}, "tag": "windows medium", "line": " Creating a .net Deserialization exploit that will ping us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "windows medium", "line": " Base64 encoding the exploit, starting tcpdump, and checking for code execution. 
Then editing our exploit use a PowerShell webcradle with Nishang to get a reverse shell"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 32, "seconds": 51}, "tag": "windows medium", "line": " Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch disk"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows medium", "line": " Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the video to get colors!)"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows medium", "line": " PrivEsc #1: Reversing Sync2Ftp to decrypt a password"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "windows medium", "line": " Decompile SyncLocation.exe via DNSPY, then edit the executable to display the decrypted password."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 56, "seconds": 15}, "tag": "windows medium", "line": " Couldn't use PSEXEC with the decrypted creds. 
Lets use Powershell Invoke-Command to switch users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 65, "seconds": 25}, "tag": "windows medium", "line": " PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows medium", "line": " Using Chisel to forward 127.0.0.1:14147 to us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 75, "seconds": 15}, "tag": "windows medium", "line": " Running the FileZilla Server and connecting to the box through our tunnel to create new users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 81, "seconds": 53}, "tag": "windows medium", "line": " PrivEsc #3: JuicyPotato"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 84, "seconds": 53}, "tag": "windows medium", "line": " Running JuicyPotato to get a system shell"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 0, "seconds": 30}, "tag": "windows hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "windows hard", "line": " Creating an entry in /etc/hosts for reblog.htb (found on webpage)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Reading each blog post and taking notes"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows hard", "line": " Poking at SMB to see MALWARE_DROPBOX"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows hard", "line": " Digging into why SMBMAP says READ_ONLY. 
Don't get anywhere but its an impacket thing?"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows hard", "line": " Installing LibreOffice, then creating a macro to ping us"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows hard", "line": " Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows hard", "line": " Converting our obfuscated macro to a powershell cradle/one lienr (iconv to make it UTF-16LE)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows hard", "line": " Reverse Shell returned as LUKE, showing a way to get a logged in users hash and attempting to crack"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows hard", "line": " Running WinPEAS.bat (will do EXE at the end of the video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "windows hard", "line": " Going over the process_sample.ps1 script to discover a potential WinRAR Vulnerability"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 38, "seconds": 9}, "tag": "windows hard", "line": " Using evilWinRAR to generate a ZipSlip like file, forget a trailing slash and do quite a bit of troubleshooting"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows hard", "line": " Switching up the ASPX Shell by using one from the TennC Repository"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 52, "seconds": 35}, "tag": "windows hard", "line": " Reverse shell as the IIS User"}, {"machine": "HackTheBox 
- RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows hard", "line": " Doing a Ghidra XXE Vulnerability to steal the users hash"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Copying the XXE Vulnerability in POC"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "windows hard", "line": " Lol. Found what out i was zipping the file incorrectly"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "windows hard", "line": " Cracking the new hash we just got"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "windows hard", "line": " Using Powershell to Invoke-Command with a different user"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 72, "seconds": 55}, "tag": "windows hard", "line": " Begin of unattended route (Changing macro to be RevSvr32 with an SCT File instead of CMD /c)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "windows hard", "line": " Downloading SharpUp and WinPEAS to compile executables"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "windows hard", "line": " Using rlwrap for our reverse shell so we have a semi-proper TTY on Windows"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 88, "seconds": 45}, "tag": "windows hard", "line": " Running PowerUp to identify the bad service and playing with a few commands to show what is happening"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 93, "seconds": 10}, "tag": "windows hard", "line": " Running WinPEASEXE to show the output"}, {"machine": "HackTheBox - RE", "videoId": 
"YXAakamjO_I", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows hard", "line": " Enabling RDP so we can see the error message SharpUp threw"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "windows hard", "line": " Changing DotNet version in the project properties to get SharpUp working on the box"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux medium", "line": " Playing with the File Upload, failing to identify how uploaded files are stored"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Investigating PHP Files that GoBuster found, discovering intelligence.php"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Searching for Text to Speach programs (create WAV Files)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " The first program didn't do a good job saving WAV Files, Downloading Festival"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 9, "seconds": 17}, "tag": "linux medium", "line": " Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 11, "seconds": 5}, "tag": "linux medium", "line": " Using text2wave to create 
wav files and upload them, then discover a SQL Injection over voice"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 14, "seconds": 4}, "tag": "linux medium", "line": " Having trouble getting the voice recognition to recognize the word union. Using \"intelligence.php\" to discover alternative words."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux medium", "line": " Extracting the username and password out of the database, then logging in via SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Investigating how the file upload script works, turns out to be a dead end"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux medium", "line": " Running linPEAS to check other privesc paths (see JDWP)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux medium", "line": " Enumerating the local MySQL Database to get other credentials"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux medium", "line": " Starting to investigate the Tomcat ports (8000, 8009, and 8080)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux medium", "line": " Doing SSH Tunnels from within a SSH Session (~c) to forward port 8000 without reconnecting to SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux medium", "line": " Manually using JDB to execute a 
command via java.lang.Runtime"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux hard", "line": " Begin of recon, wireshark nmap to see how it identified the hostname. The way this box is configured apache is placing the hostname when the \"Host: \" HTTP Header is not present."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Starting a bunch of automated tools. Nmap all ports, and gobuster to discover VHOST (virtual hosts) and files."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 9, "seconds": 55}, "tag": "linux hard", "line": " Checking dev.player.htb and identify the framework (Codiad) is being leaked in some javascript"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 12, "seconds": 25}, "tag": "linux hard", "line": " Checking chat.player.htb, nothing really here just hints at source code disclosure on other domains"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 14, "seconds": 5}, "tag": "linux hard", "line": " Checking staging.player.htb, sending an email leaks some interesting files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Checking player.htb/launcher, entering an email leaks some other PHP Files along with a JWT Token"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Discovering backup files, showing BurpSutie Pro can do it but I had added this feature in GoBuster"}, {"machine": 
"HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Going over exactly what I did in GoBuster to add the DiscoverBackup feature"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux hard", "line": " Using GoBuster with the new feature to discover some PHP Source that leaks the JWT Secret"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux hard", "line": " Using JWT.IO to create our forged JWT and discover a new page that proccesses Video Files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 37, "seconds": 25}, "tag": "linux hard", "line": " Looking into FFMPEG Vulnerabilities to discover an LFI, using \"Payload All The Things\" to exploit this. Grab files Apache Config, Config files in web directories, /proc/net to see listening ports"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Trying the telegen credentials we retrieved from /var/www/backup/service_config with various services. See we can login to 6686 but are in a locked down shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Running searchsploit to see an XAUTH command injection that allows for reading/writing files. Failing to writefiles, but can now read .php files grab more source code to get another credential (Peter)"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 55, "seconds": 45}, "tag": "linux hard", "line": " Peter's creds work at dev.player.htb which allows for uploading files. 
Uploading a php reverse shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux hard", "line": " Reverse shell returned. Running su -s /bin/bash telegen to bypass the restricted shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "linux hard", "line": " Noticing the XAUTH command actually wrote a file! Going back to see why we failed to write to web directories. Trying it again but turns out quotes/spaces are bad chars which would make dropping a webshell tough."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 64, "seconds": 50}, "tag": "linux hard", "line": " Giving up with XAUTH, running pspy64 with our SSH Shell to see a PHP File is running every minute, checking it out to see it includes a file WWW-DATA can write to and that there is a unserialize vulnerability"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 67, "seconds": 40}, "tag": "linux hard", "line": " Exploiting the unserialize() vulnerability to write an SSH Key to /root/.ssh/authorized_keys"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 73, "seconds": 53}, "tag": "linux hard", "line": " UNINTENDED METHOD: Exploiting Codiad by using the installation scripts left behind to install it to chat.player.htb"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 76, "seconds": 45}, "tag": "linux hard", "line": " Stepping through the installation script to understand the vulnerability. Upon install it writes unsanitized user input to the config.php directory"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 89, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell returned as www-data! 
"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "linux hard", "line": " UNINTENDED METHOD 2: Performing the Authenticated Codiad RCE, stepping through it in BurpSuite to understand what the exploit does. At the very end of the video we will examine codiad source to understand the vuln."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 96, "seconds": 0}, "tag": "linux hard", "line": " Privesc from www-data by placing a PHP Rev Shell in the file the cron script included"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 98, "seconds": 35}, "tag": "linux hard", "line": " Analyzing the Source of Codiad to see why the CRLF Exploit worked."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Taking a loot at the webserver and seeing a GitLab signin page"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 2, "seconds": 53}, "tag": "", "line": " Using wget and exiftool to check metadata on files on the server to see when stuff was uploaded"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Running gobuster, explaining why we need the Wildcard flag on this box for this tool to work"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "", "line": " Finding the /help directory which has some javascript that contains the password to GitLab"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "", "line": " Logging into Gitlab with creds from the bookmark.html"}, {"machine": "HackTheBox 
- Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 11, "seconds": 11}, "tag": "", "line": " Showing how to do GoBuster with a cookie (gets past the wildcard issue earlier in the video)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Looking at snippets to see a Postgresql password"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Looking at Git Commit History of various files to see there's a post hook to upload merges to a webserver"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "", "line": " Creating a New Branch on Profile, adding a webshell, then merging it to trigger it to be uploaded to the server"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "", "line": " CMD PHP Shell is on the server, lets get a reverse shell."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "", "line": " Reverse shell returned, setting up a proper pty with rows and cols"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** BEGIN OF UNINTENDED WAY **"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Checking sudo to see we can do a git pull as root, and explaining git hooks"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Copying the git repo to a different directory so we take ownership of every file"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Creating a Post-Merge script that gives us a shell, the 
running sudo git pull to execute it as root"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "", "line": " Explaining why the copied directory still pulled new version from the website"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " **END OF UNINTENDED WAY**"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "", "line": " Getting PostGres Creds"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Creating a PHP Script to dump the PostGres database"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 31, "seconds": 7}, "tag": "", "line": " Clave's password was in the database, logging in as that user"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Initial analysis of the RemoteConnection.exe file (strings)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Looking at the file in Ghidra"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "", "line": " Lets just do some dynamic analysis with x32debug, switching over to windows"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "", "line": " Setting breakpoints around interesting strings and running the program"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "", "line": " Stepping through the program and seeing a password on the stack"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", 
"line": " Using this credential to SSH into the box"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 3, "seconds": 18}, "tag": "", "line": " Checking out the HTTPS Certificate for potential hostnames"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Looking at api.craft.htb, appears to be some type of Documentation for the REST API"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 6, "seconds": 40}, "tag": "", "line": " Looking at gogs.craft.htb, no known exploits but there is some source code!"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Attempting to crack the JWT (fails)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "", "line": " Going back to the issues to see there is an eval() on user input"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "", "line": " Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 18, "seconds": 57}, "tag": "", "line": " Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Discovering Dinesh's credentials in an old git commit"}, 
{"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "", "line": " Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 28, "seconds": 28}, "tag": "", "line": " Testing Code Execution from the previous git issue, use the test.py script as a skeleton."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Getting a reverse shell with this exploit using exec(base64)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Grabbing settings.py on the server to get a bunch of credentials"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Fixing our terminal to have the correct rows/columns so we can use vi"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 40, "seconds": 18}, "tag": "", "line": " Editing dbtest.py to dump all users from the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 45, "seconds": 25}, "tag": "", "line": " Manually crafting a JWT in Python to show what to do if you are successful at cracking... 
Then trying to create a JWT that is not signed"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "", "line": " Logging into GOGS with the credentials we got from dumping the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Gilfoyle as a private repo, lets download it"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "", "line": " Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Bunch of references to Vault in LinPEAS, looking into what this is."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "", "line": " The .vaulttoken file is saved creds, lets just use vault ssh to login to the box"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Using Wireshark to see why Nmap said HTTP 403"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux insane", "line": " Running GoBuster to identify /backup"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux insane", "line": " Performing a DNZ Zone Transfer with dig axfr"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", 
"timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux insane", "line": " Manually playing with the login form to hunt for SQL Injection"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 16, "seconds": 42}, "tag": "linux insane", "line": " Examining /auth endpoint"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux insane", "line": " Examining ses.so in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 20, "seconds": 31}, "tag": "linux insane", "line": " Renaming variables from Ghidra's decompiler to try to make sense of the code"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Examining get_internal_usr and pwd to discover the bug"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux insane", "line": " Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux insane", "line": " First time attaching the debugger - Seg faults for some reason."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux insane", "line": " Attaching the debugger again, this time it works. 
Explaining important registers"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Stepping through the code trying to make sense of registers. This part may not make sense."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ### The RDI Value in the STRCMP was from my python script calling ses.so -- RSI is what the program thinks the password is. So if in the Python Script I used ippsec:ippsec, then it would be STRCMP('ippsec','ippsec')."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "linux insane", "line": " Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 54, "seconds": 25}, "tag": "linux insane", "line": " Getting command execution"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "linux insane", "line": " Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "linux insane", "line": " Configuring burp to have a hotkey to \"Issue Repeater Request\" so we don't have to click send"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 57, "seconds": 18}, "tag": "linux insane", "line": " Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "linux insane", "line": " Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", 
"timestamp": {"minutes": 65, "seconds": 5}, "tag": "linux insane", "line": " Running LinPEAS to identify paths to privesc"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux insane", "line": " Downloading the custom Linux Kernel Module: DHID then examine in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "linux insane", "line": " Looking at Snowscans blog to test the dev_read function"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "linux insane", "line": " Looking at the dev_mmap call"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 75, "seconds": 20}, "tag": "linux insane", "line": " Looking at MWR LAbs paper on insecure MMAP use in kernel modules"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux insane", "line": " Explaining what we are going to do - Rewrite credentials in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 79, "seconds": 20}, "tag": "linux insane", "line": " Going over the first MMAP Call to map memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 81, "seconds": 5}, "tag": "linux insane", "line": " Setting a SSH CONFIG to make it easier to ssh and SCP into Smasher2"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "linux insane", "line": " Searching for a credential structure in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "linux insane", "line": " Running GetUID to see if the cred structure we modified is ours, if not set it back"}, {"machine": "HackTheBox - Smasher2", "videoId": 
"ELiicja60jI", "timestamp": {"minutes": 94, "seconds": 0}, "tag": "linux insane", "line": " Setting capabilities and running bash upon getting root"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 96, "seconds": 10}, "tag": "linux insane", "line": " Showing what would of happened if we did not revert credentials back to original."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Previous Video: Intro to PHP Deserialization - https://youtu.be/HaW15aMzBUM"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 27}, "tag": "", "line": " Little bit of history about PHP Serialization"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 13}, "tag": "", "line": " Why is uploading Phar Files different than normal file upload vulns?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 42}, "tag": "", "line": " What are Phar Files?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 3, "seconds": 38}, "tag": "", "line": " Prevention by disabling the phar stream wrapper"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Going over the PHP Upload script created for this video"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Reviewing a PHP Script to generate malicious PHAR Files"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Setting our PHP Config to allow PHAR to operate 
in Read/Write mode"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " Showing we can control the beginning bytes of the PHAR File to trick magic byte checks"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Copying the logging class from the intro to deserialization video into our upload script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 9, "seconds": 35}, "tag": "", "line": " Adding the PHP Object/POP Chain to our PHAR Generation Script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Starting a PHP Webserver so we can upload our image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Explaining why the existing image upload script, isn't vulnerable."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Creating a seperate script which performs the file operation unlink() against user input"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Adding the PHP Object to our script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 17, "seconds": 17}, "tag": "", "line": " Begin of adding a phar file to a 
legitimate image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Modifying our PHAR File to also be a valid image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 20, "seconds": 12}, "tag": "", "line": " Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Mentioning PHPGGC which is handy to utilize with this exploit"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 22, "seconds": 13}, "tag": "", "line": " Showing how to unregister PHP Stream wrappers to prevent this attack"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Background information, showing variables are point in time"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Creating a PHP Class and Object"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Serializing the Object and going over the format"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Converting the script to accept a PHP Object via WebRequest"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Explaining PHP Desesrialization Gadgets"}, {"machine": "Intro to PHP Deserialization / Object 
Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "", "line": " Creating Attack.php in order to quickly generate PHP Objects"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Creating exploit.sh which will just send our malicious object to the webserver"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Going over PHP Magic Methods"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "", "line": " Adding the __toString class that we can create a gadget to get to in order to read files"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Adding the new class to our attack script and reading /etc/passwd"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "", "line": " Demonstrating \"Class Path\" by creating an __destruct() method in another php file and including it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Adding the LogFile to our class path and using it to drop a file"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Didn't work! 
Our script errored and PHP never destroyed our object so code didn't run"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Moving the LogFile gadget to our isAdmin check, which works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "", "line": " Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right, this may be wrong read PHPGGC Source to see how it works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 14}, "tag": "", "line": " Showing if an function is called from another functions magic method, we can craft a gadget to get to it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 41}, "tag": "", "line": " Adding pwned function to attack. 
This is prior to us having a magic method call pwned, just to demonstrate you can't call any function."}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Making ReadFile() call pwn when destroyed"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Start of recon"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Running GoBuster to discover the /monitoring directory"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Running hydra to try to brute force the HTTP Authentication (Does not work due to it being a secure password)"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "", "line": " Bypassing the AUTH Request by changing to a POST \u2014 Explain why this works later"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Looking at the Centreon Changelog to look for any exploits"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " There aren\u2019t any unauthenticated exploited, lets brute force a login. 
The main way uses a CSRF Token."}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Bypassing the CSRF by using the Centreon API"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Using wfuzz to brute force the API Login and get admin:Password1"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "", "line": " Changing the Monitoring Engine Binary under Configure Pollers to get code execution"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " Trying to ping ourselves, find out we can\u2019t use space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Using IFS to instead of space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 20, "seconds": 11}, "tag": "", "line": " Ping worked, trying to do a Reverse Shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "", "line": " The reverse shell didn\u2019t work lets do some debugging"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "", "line": " Adding a semicolon at the end of the script and getting a reverse shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Reverse shell returned, lets build a proper TTY with ROWS and COLUMNS so we can do things like vi"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " Searching for files between two dates"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 33, 
"seconds": 0}, "tag": "", "line": " Discovering backup which is a PYC File, using uncompyle to decompile it"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 34, "seconds": 55}, "tag": "", "line": " Getting Shelby\u2019s password out of the backup script"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Using LinPEAS instead of LinEnum to look for privescs"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "", "line": " Exploiting Screen-4.5.0 to get root"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ## Extra"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "", "line": " Static Code Analysis tip, looking for dangerous functions"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Begin of recon\r"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "windows easy", "line": " Logging into the webpage as guest and viewing attachments"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows easy", "line": " Examining the cisco type 7 passwords, using ciscot7"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " Decrypting the MD5Crypt password using Hashcat"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "windows easy", "line": " Using CrackMapExec to perform a SMB password spray with users/credentials we have"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": 
{"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Using Metasploit to do the same thing (smb_login), to show it keeps tracks of creds. Then doing a WinRM Login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows easy", "line": " WinRM Login was unsuccessful. Lets see if we can enumerate users with Impacket's lookupsid"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "windows easy", "line": " Using RPCClient to replicate how LookupSID did the RID/SID Bruteforce, so we can understand it"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows easy", "line": " Doing the Winrm_Login again with new usernames and see Chase can login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 20, "seconds": 25}, "tag": "windows easy", "line": " Using Evil WinRM to login to the box"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Low Priv shell returned"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows easy", "line": " Examining wwwroot, and sourcecode to see if we can get a shell as the IIS User (cannot)"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "windows easy", "line": " See firefox running with Get-Process"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Upload procdump64.exe to dump firefox's memory"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Running strings against the binary and finding the administrator 
password"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 34, "seconds": 35}, "tag": "windows easy", "line": " Testing logins with WinRM and CME, to see Administrator could PSEXEC or WinRM"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Downloading and analyzing the files off the anonymous FTP Directory"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Looking into solidity to see what these files are about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " The full portscan finished, trying to find out what port 9810"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Recommended reading to understand blockchain fundamentals"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "", "line": " Begin writing the script to interact with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Calling the getDomain function, then setting the domain to our IP and seeing the ping"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Command injection found, getting a reverse shell via bash"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Checking the source code to see why this worked"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": 
{"minutes": 19, "seconds": 50}, "tag": "", "line": " Looking into what IPFS is (found in administrators home directory)"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 33}, "tag": "", "line": " Running ipfs refs local to list all files"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Dropping a SSH Key so we can get off this reverse shell"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "", "line": " Writing a loop around ipfs refs local to list all the files, then cat the emails."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "", "line": " Cracking the SSH Key with sshng2john and john"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 29, "seconds": 27}, "tag": "", "line": " Exploiting the ChainsawClub via path injection and the program executing sudo via a non-absolute path"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "", "line": " Explaining the package managers place things in */local/* directories."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "", "line": " Writing a loop around dpkg --search to find binaries in the path that the systems package manager doesn't know about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 36, "seconds": 11}, "tag": "", "line": " Explaining file blocks and slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 37, "seconds": 25}, "tag": "", "line": " Using bmap to extract data out of slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 
39, "seconds": 50}, "tag": "", "line": " Exploiting ChainsawClub the intended way by playing with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Calling setUsername to create ippsec, then setPassword to create a password"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "", "line": " Running setApprove and transfer to satisfy the other things, then logging into the ChainsawClub"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Looking at the website, checking source, robots.txt, etc"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux easy", "line": " Writing a simple PHP Code Execution script and trying to upload it"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Discovery of backup.tar, examining timestamps between downloading with wget/firefox"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux easy", "line": " Searching php scripts for superglobals as that will show user-input"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": 
{"minutes": 11, "seconds": 10}, "tag": "linux easy", "line": " Explaining what magic bytes are"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Using PHP interactive mode to demonstrate what is happening"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "linux easy", "line": " Showing error codes are different based upon where image validation failed"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Uploading a malicious PHP Shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "linux easy", "line": " Navigating to our php shell and getting a reverse shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Explaining the code execution vulnerability of creating a malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Creating the malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 31, "seconds": 57}, "tag": "linux easy", "line": " Shell returned as Guly, checking sudo list"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 33, "seconds": 9}, "tag": "linux easy", 
"line": " Examining the changename.sh script (guly can run it as root)"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux easy", "line": " Exploiting the script by inserting a command into a network configuration file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux easy", "line": " Explaining why Apache executed PHP when files did not have the PHP Extension"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 39, "seconds": 8}, "tag": "linux easy", "line": " Checking php.conf to see it was user created"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "linux easy", "line": " Modifying php.conf to include \"FilesMatch .php$\", so it only executes php when the name ends in .php"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Running Gobuster and examining the web page"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Room.php is the only page that accepts user input, basic testing for SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Using wfuzz to fuzz for special characters then getting our IP Banned :("}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Unbanned, running wfuzz again and examining unique responses"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " 
Showing several ways to test for SQL Injection (subtraction and hex())"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Examining the MySQL Query Structure"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "", "line": " Explaining Union Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Nested queries with union statements"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Extracting information out of Information_Schema to databases, tables, columns"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 24, "seconds": 8}, "tag": "", "line": " Using LIMIT to ensure only one row is returned"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "", "line": " Using GROUP_CONCAT to allow us to return multiple rows within union"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "", "line": " Extracting Mysql users/passwords then cracking MySQL (mode 300)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Another way to get the password, LOAD_FILE() to view PHP Source Code"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " PHPMyAdmin 4.8.0 RCE (LFI + Tainted PHP Cookie)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 57, "seconds": 40}, "tag": "", "line": " Dropping a shell via the PHPMyAdmin exploit"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 59, "seconds": 30}, 
"tag": "", "line": " ALTERNATE Way to get Shell:Dropping a file from the SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 63, "seconds": 52}, "tag": "", "line": " Examining the PHP Cookie to see what happened with the PHPMyAdmin stuff"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 65, "seconds": 45}, "tag": "", "line": " Examing the Python Script we can execute as pepper with sudo"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 70, "seconds": 40}, "tag": "", "line": " We can execute code with $() but theres bad characters, so drop a bash script to disk"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "", "line": " Running find to look for setuid binaries, discover systemctl then check GTFO Bins"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 81, "seconds": 15}, "tag": "", "line": " Copying our Sysmctl Scripts out of /tmp then creating our malicious service"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux easy", "line": " Begin of Recon find Elastic Search on 9200"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux easy", "line": " Navigating to port 9200 and seeing the Elastic Search JSON Response"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 4, "seconds": 48}, "tag": "linux easy", "line": " Searching Elastic Search Documentation to see how to make queries"}, {"machine": 
"HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Using /_cat/indices to see the \"tables\" withing ES"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 7, "seconds": 37}, "tag": "linux easy", "line": " Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux easy", "line": " Lets switch over to Python to extract this data so we can translate this into English"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux easy", "line": " Installing googletrans, so our script can translate this. Using python3 cli to test this out"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "linux easy", "line": " Adding googletrans to our script"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "linux easy", "line": " Running our script to translate everything and then using grep to \"find the needle\""}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux easy", "line": " SSH'ing to the box with the security user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Running LinEnum, noticing kibana listening on 5601"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux easy", "line": " Creating a Local Port forward so we can access kibana from out box"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux easy", "line": " 
Checking Kibana's version to see there are known exploits for it"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Getting a reverse shell as the Kibana user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux easy", "line": " Using find to see what files the kibana user can write to"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Going into the Logstash directory to see that it will execute code with a specific log message"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux easy", "line": " Explaining the logstash pipeline of how it gets data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 39, "seconds": 33}, "tag": "linux easy", "line": " Getting a reverse shell as the LogStash user (root)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux easy", "line": " Begin of nmap"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 2, "seconds": 31}, "tag": "linux easy", "line": " Discovering MyApp in the HTML Source"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux easy", "line": " Examining MyApp on port 1337"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Opening myapp up in Ghidra"}, {"machine": "HackTheBox - Safe", 
"videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Testing out the buffer overflow"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Using pattern search to see where we can overwrite RSP"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Create a PwnTool Skeleton and having it call main instead of crashing"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Testing calling main (error: need to do recvline to send text)"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux easy", "line": " Explaining hijacking the SYSTEM() call"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 11}, "tag": "linux easy", "line": " Finding a way to put user input into RDI "}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Examining the Test Function which places RSP to RDI"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Finding a pop r13 as the Test Function jumps to r13"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Putting the gadget togather for code execution"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Setting pwntools to exploit the remote host"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Shell on the box"}, 
{"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux easy", "line": " Dropping SSH Key to get a normal shell and copying keepass files"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux easy", "line": " Using keepass2john to create hashes to crack"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Cracking keepass hashes with hashcat"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " Using kpcli to export the root password"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 39, "seconds": 20}, "tag": "linux easy", "line": " Using the root password to su to the root user"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 1, "seconds": 12}, "tag": "linux hard", "line": " Begin of recon, examining website seeing the \"Hackers\" Theme"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Demoing how this is fixed now, with Werkzeug requiring a pin code"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Testing if we can connect back to our host with ping or curl (cannot)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Dropping a SSH Key via python since we cannot reverse shell"}, {"machine": "HackTheBox - Ellingson", "videoId": 
"XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " SSH into the box as the HAL User and clean up the authorized_key file"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux hard", "line": " Using xclip to copy and run LinEnum due to a firewall preventing us from curling it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 22, "seconds": 27}, "tag": "linux hard", "line": " Checking out the Garbage SetUID Binary as HAL to discover he cannot run it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "linux hard", "line": " Using Ghidra to verify we are not missing any functionality"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Using find to discover what files the adm group is an owner of"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux hard", "line": " Using Ghidra to discover the hardcoded password in the garbage binary"}, {"machine": "HackTheBox - 
Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Exploring the binary, using Ghidra to see if there are any hidden menu options"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Installing GDB Enhanced Features (GEF) and pwntools for python3"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "linux hard", "line": " Poorly explaining leaking memory addresses by creating a ROP Chain with puts"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux hard", "line": " Using pattern create and offset/search within gef to RSP Overwrite Location"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Using ropper to discover a pop rdi gadget"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux hard", "line": " Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak."}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux hard", "line": " Using Readelf to get important locations in libc and strings to get location of /bin/sh. 
Then performing all the calculations based upon memory leak"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 75, "seconds": 41}, "tag": "linux hard", "line": " Putting it all togather to create a gadget chain to get a shell"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 80, "seconds": 0}, "tag": "linux hard", "line": " Replacing libc memory locations with the ones installed on ellingson"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 82, "seconds": 30}, "tag": "linux hard", "line": " Running the exploit, getting a root shell, then documenting the code"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux easy", "line": " Start of recon identifying a debian box based upon banners"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Taking a look at the website, has warnings about DOS type attacks."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 3, "seconds": 17}, "tag": "linux easy", "line": " Discovering the /writeup/ directory in robots.txt"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 4, "seconds": 18}, "tag": "linux easy", "line": " Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux easy", "line": " CMS Made Simple is an opensource product. 
Search through the source code to discover a way to identify version information."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Using SearchSploit to find an exploit"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "linux easy", "line": " Running the exploit script with a bad URL and triggering the servers anti-DOS protection"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Running the exploit script with correct URL and analyze the HTTP Requests it makes via Wireshark to see how the SQL Injection works"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux easy", "line": " Explaining how password salts work"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux easy", "line": " Using Hashcat to crack a salted md5sum"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux easy", "line": " Demonstrating the --username flag in hashcat, this allows you to associate cracked passwords to users"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 24, "seconds": 14}, "tag": "linux easy", "line": " Begin of low-priv shell, running LinEnum to discover we are a member of staff"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 27, "seconds": 58}, "tag": "linux easy", "line": " Using google to see what the Staff group can do (edit /usr/local/bin)"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux easy", "line": " Explaining path injection"}, {"machine": "HackTheBox - Writeup", 
"videoId": "GKq4cwBfH24", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Using PSPY to display all the processes that start on linux, useful for finding crons or short-running processes"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 31, "seconds": 58}, "tag": "linux easy", "line": " Running PSPY to see run-parts is called without an absolute path upon user login"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 33, "seconds": 13}, "tag": "linux easy", "line": " Performing the relative path injection by creating the file /usr/local/bin/run-parts which will drop our SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 1, "seconds": 29}, "tag": "linux hard", "line": " Begin of Recon, notice multiple SSH Host Keys"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux hard", "line": " Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Discovering that this TOMCAT page allows the ability to upload images and zips"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Explaining the ZipSlip Vulnerability"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Walking through how ZipSlip Works"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", 
"timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux hard", "line": " Reverse Shell Returned "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 51}, "tag": "linux hard", "line": " Looking at Secret.php to get potential usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux hard", "line": " Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "linux hard", "line": " Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux hard", "line": " Using find to list files modified between two dates"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux hard", "line": " Copying SSH Keys back to our box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Logging into SSH over port 22 with Kaneki and SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Creating a bash script to perform a ping scan to discover other hosts"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 49, "seconds": 55}, "tag": "linux hard", "line": " Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host"}, {"machine": "HackTheBox - Ghoul", 
"videoId": "kE36IGAU5rg", "timestamp": {"minutes": 52, "seconds": 12}, "tag": "linux hard", "line": " Running the HostScan utility again to find another host, then modifying script to do a portscan"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Tunneling to the GOGS Box via SSH Tunnels"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "linux hard", "line": " SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 60, "seconds": 25}, "tag": "linux hard", "line": " Copying the GOGS Exploit, and logging in with a password we previously found. 
Note: There is a tool called gogsownz, but it automates so much you don't really learn anything."}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux hard", "line": " Creating a Repository in GOGS then dropping a file to the box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "linux hard", "line": " Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 66, "seconds": 38}, "tag": "linux hard", "line": " As an Admin now we can create a Git Hook to execute code upon updating and get a shell "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "linux hard", "line": " Searching for what the gosu binary does, finding out it lets us privesc to root"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 78, "seconds": 15}, "tag": "linux hard", "line": " Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "linux hard", "line": " Escalating to root on kaneki-pc (second docker box) via password found"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Abusing SSH Agents to intercept the \"SSO Like Token\" and swim upstream to the Host OS"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 1, "seconds": 36}, "tag": "linux easy", "line": " Examining the web page to 
find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Whoops should of done apt search magescan, either way this package is not in Kali"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Running MageScan to scan the website"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Finding an open configuration file (app/etc/local.xml)"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Running searchsploit to identify public exploits"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux easy", "line": " Examining an exploit that will add an administrative user via SQL Injection"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux easy", "line": " Running the exploit out of the box didn't work, send it through burp in order to debug it"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Exploit needed to be modified to include index.php due to mod-rewrite misconfig"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux easy", "line": " Going back to SearchSploit and using the Authenticated RCE Exploit"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Making the obvious changes to fix the exploit script"}, {"machine": "HackTheBox - Swagshop", "videoId": 
"qECG2_8xw_s", "timestamp": {"minutes": 24, "seconds": 17}, "tag": "linux easy", "line": " Debugging the exploit by running it through burpsuite, find out we need to use an login page"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux easy", "line": " Bit more in-depth debugging by setting a breakpoint with pdb"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux easy", "line": " The regex is failing due to page not returning anything, the URL has a time span lets increase that"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux easy", "line": " Finally fixed this exploit! Reverse Shell Returned"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux easy", "line": " Noticing we can exec vim with sudo, lets privesc"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Mentioning GTFOBins which helps find privesc paths from privileged programs"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux easy", "line": " EXTRA: Examining the PHP Object Injection RCE Exploit"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux insane", "line": " Examining login request while GoBuster runs"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 5, "seconds": 35}, "tag": "linux insane", "line": " Noticing weird behavior by modifying db parameter in login request"}, {"machine": 
"HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux insane", "line": " Finding what the Error numbers mean. (SQL Error Codes)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux insane", "line": " Testing if we can trick the application into authentication against us"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux insane", "line": " Starting up metasploit to steal the login hash of a MYSQL Login"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux insane", "line": " Cracking the MySQL Hash with Hashcat"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux insane", "line": " Creating a databse locally for the application to authenticate to"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux insane", "line": " Examining what MySQL Does after authentication in Wireshark"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Creating the database structure so the application will authenticate against our database"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux insane", "line": " Begin of the File Encryptor PHP App"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux insane", "line": " Performing a Known Plaintext attack against the RC4 Encryption"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux insane", "line": " Explaining the Known Plaintext"}, {"machine": 
"HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux insane", "line": " Creating a Python Script to perform a SSRF attack and decrypt content"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 54, "seconds": 25}, "tag": "linux insane", "line": " Script done, discovering a LFI Exploit in /dev/"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux insane", "line": " Using PHP Filters to convert LFI to source code disclosure"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux insane", "line": " Extracting sqlite_test_page.php source code"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "linux insane", "line": " Manually analyzing the source code to discover a way to write files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " Checking PayloadAllTheThings to get a payload for dropping files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 75, "seconds": 38}, "tag": "linux insane", "line": " Testing dropping a php script for code execution"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 78, "seconds": 0}, "tag": "linux insane", "line": " Using Chankro to bypass PHP Disabled functions"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 80, "seconds": 45}, "tag": "linux insane", "line": " Creating a PHP Script to download Chankro Script to avoid bad characters in the RCE"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 84, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, finding a VIMCrypted file in 
Rijndael Home"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 85, "seconds": 35}, "tag": "linux insane", "line": " Decrypting Creds.txt with a known plaintext attack in VimCrypt 02 (Blowfish)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 88, "seconds": 20}, "tag": "linux insane", "line": " Downloading the files to our local box and explaining the attack"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 90, "seconds": 30}, "tag": "linux insane", "line": " Copying our Python Script from earlier and modify it to work with our VIM File"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 98, "seconds": 20}, "tag": "linux insane", "line": " Decrypted the creds and use them to SSH"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 99, "seconds": 10}, "tag": "linux insane", "line": " Analyzing the kryptos.py file"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "linux insane", "line": " Testing how random the random is"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 106, "seconds": 0}, "tag": "linux insane", "line": " Creating a python script to bruteforce the key as we know the randomness is broken"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 117, "seconds": 0}, "tag": "linux insane", "line": " Script to brute force signing key done"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 118, "seconds": 45}, "tag": "linux insane", "line": " Getting code execution within the eval statement"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 124, "seconds": 30}, "tag": "linux insane", "line": " Extra content, showing by using the encrypt method twice 
early on \u2014 you can decrypt pages"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Checking FTP to get a note"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 3, "seconds": 38}, "tag": "", "line": " Going to each of the three websites"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Running Gobuster on port 80/3000"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Taking notes of all the login pages (forgot Ajenti)"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "", "line": " config.php found which has a password"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Discovering /login on port 3000 accepts username=&password= "}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Successful login! 
JWT Token returned"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Using curl to add the JWT Token in the header to access other api endpoints"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "", "line": " Using BurpSuite to add headers"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Navigating the Rest API to dump the usernames and passwords"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Attempting logins on other services"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Derry can login to /management"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Ajenti Password! Lets try logging in"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Ajenti has a virtual terminal that is running as root!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Extra Content - Getting a reverse shell"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Grabbing the JWT Secret, so we can forge our own tokens!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "", "line": " Creating a python script to generate JWT Tokens"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " This token has no expiration time, and is assigned at 0. 
Should never expire!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Adding Requests to our script, so the script can make web requests"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " Lets try removing all signing algorithms from the token and see if server accepts it"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Cracking the JWT Token Signing key with Hashcat"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 1, "seconds": 33}, "tag": "windows easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "windows easy", "line": " Using SMBClient to view open shares, discover /Backups"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Mount the SMB Share "}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "windows easy", "line": " Playing with SMBMap which is a bit more automated but write files!"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 5, "seconds": 22}, "tag": "windows easy", "line": " Checking out files in the /Backups share"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Using 7zip to view files in a VHD file"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows easy", "line": " Installing libguestfs-tools in order to use guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 9, "seconds": 25}, 
"tag": "windows easy", "line": " Mounting the VHD with guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows easy", "line": " Extracting local passwords from SAM and SYSTEM with secretsdump"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "windows easy", "line": " Cracking the hash and then using SSH to login to the box"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows easy", "line": " Viewing local adminstrators and seeing administrators is not actually disabled (backup indicated it was)"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows easy", "line": " Running JAWS"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows easy", "line": " Discovering mRemoteNG installed"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows easy", "line": " Looks like there is a way to decrypt passwords stored in mRemoteNG"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "windows easy", "line": " Installing mRemoteNG-Decrypt then decrypting the passwords in the config"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows easy", "line": " Using PSEXEC or SSH to remote in as administrator"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 0, "seconds": 42}, "tag": "linux hard", "line": " Begin of recon"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux hard", "line": " Examining the webpage "}, 
{"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 4, "seconds": 28}, "tag": "linux hard", "line": " Discoving SFTP Credentials on the web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Playing with the SFTP Server"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux hard", "line": " Discoving the SymLink command to break out of home directory"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Symlinking the root directory to find the source of login.php through VIM SWP Files."}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Second way to get source code, symlink with a file naming ending in not PHP"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux hard", "line": " Examining the source code to login.php and getting a hard coded username"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " Examining index.php to see how to access a login portal (admin)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux hard", "line": " Using SSH to do port forwarding (Reddish)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux hard", "line": " Examinig the admin web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 24, "seconds": 13}, "tag": "linux hard", "line": " Examing the Apache Rewrite Engine Rules"}, {"machine": 
"HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "linux hard", "line": " Checking the source code to addon-manager to identify how upload/download features work"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Explaining the Rewrite attack"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Uploading a reverse shell, then executing"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux hard", "line": " Can sudo with apt, checking GTFO Bins"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Looks like we can MITM Apt due to passing a proxy through sudo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Configuring Burp to act as an HTTP Proxy and pass it to Python"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "linux hard", "line": " Creating the Malicious APT Repo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux hard", "line": " Creating the Malicious Deb File"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Getting the Root Shell"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " 
Begin of recon"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Running GoBuster to discover /dev and index.php"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Checking out the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "", "line": " Discovering SQL Injection in ID and playing with it"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Running SQLMap to dump pieces of the database"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 14, "seconds": 55}, "tag": "", "line": " Nginx Misconfiguration, missing trailing slash"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "", "line": " Downloading source code of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Exploring the source of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 25, "seconds": 47}, "tag": "", "line": " Specifying an error string in SQLMap to have it do boolean logic versus time-based"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Installing a Docker LAMP Server to run the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "", "line": " Finally got the application running locally (Missed a comma which created a lot more work)"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 46, 
"seconds": 15}, "tag": "", "line": " Analyzing the SQL Injection with Debug turned on to see how it works"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Explanation of gaining code execution through an LFI + PHP Cookies"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "", "line": " Exploring the cookie"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "", "line": " Have code execution on our docker, lets exploit the server"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 62, "seconds": 35}, "tag": "", "line": " Exploring MySQL database and escalating to GULY"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "", "line": " Running LinEnum as Guly and going through the results"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "", "line": " Exploring files Guly can access due to Grub Group, downloading initrd"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 74, "seconds": 10}, "tag": "", "line": " Decompressing initrd.img and looking for the file GULY modified"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "", "line": " Running STRACE to see what uinitrd does"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "", "line": " Running uinitrd after modifying /etc/hosts and /boot/guid"}, {"machine": "HackTheBox - Unattended", "videoId": 
"2SATzCQY0Zw", "timestamp": {"minutes": 86, "seconds": 20}, "tag": "", "line": " Extra Content: If you had trouble with TTY, SSH is accessible via IPv6"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 90, "seconds": 50}, "tag": "", "line": " Extra Content: Runing GIXY to analyze the NGINX Configuration"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 95, "seconds": 20}, "tag": "", "line": " Extra Content: Looking at uinitrd in Ghidra"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 0, "seconds": 35}, "tag": "windows hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 1, "seconds": 42}, "tag": "windows hard", "line": " Checking the ManageEngine Page"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 2, "seconds": 23}, "tag": "windows hard", "line": " Running Searchsploit to see potential exploits"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "windows hard", "line": " Enumerating valid usernames via AjaxDomainServlet"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows hard", "line": " Logging in with guest:guest"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "windows hard", "line": " Running the privilege escalation script to get Administrator access"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows hard", "line": " Searching for information on this exploit"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows hard", "line": " Blog post missing... 
Searching Archive.org and Google Cache for a mirror"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows hard", "line": " Making curl go through burp to step through the exploit in BurpSuite"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows hard", "line": " Copying the admin cookies into FireFox "}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows hard", "line": " Going to Admin then Custom Triggers to execute code on the server"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows hard", "line": " Getting a reverse shell via Nishang"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows hard", "line": " Using iconv to create UTF-16LE encoded Base64 for use with \"-EncodedCommand\" option"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "windows hard", "line": " Reverse Shell as System returned, but EFS Protects the flags"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "windows hard", "line": " Finding interesting files with get-childitem -recurse . | select FullName"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows hard", "line": " Copying mimikatz over to the box to steal NTLM Hashes"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " Defender blocked us. 
Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 32, "seconds": 50}, "tag": "windows hard", "line": " Using hashes.org to view password of Zachary, checking his groups to see he can view event logs"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows hard", "line": " Doing some powershell goodness to search event logs!"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nishang screws with how some commands output to stdout. This could of been a lot cleaner."}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows hard", "line": " Using Mimikatz to decrypt the EFS Protected file with Tolu's password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 57, "seconds": 25}, "tag": "windows hard", "line": " Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 60, "seconds": 20}, "tag": "windows hard", "line": " admin-pass is the output of SecureString, lets decrypt it to get the admin password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows hard", "line": " Using Invoke-Command with the credential object created to execute commands as administrator"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "windows hard", "line": " Cannot read root.txt because of \"Double Hop Problem\" (how PowerShell Authenticates), using CredSSP Authentication to fix this."}, 
{"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "windows medium", "line": " Begin of Recon "}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows medium", "line": " Checking the WebPages"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows medium", "line": " Examining /userSubscribe.faces, to discover potential deserialization"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "windows medium", "line": " Exploring javax.faces.ViewState"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "windows medium", "line": " Googling around to see what an unencrypted serialized object should look like"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "windows medium", "line": " Checking out SMB to discover an openshare"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows medium", "line": " Downloading appserver.zip from batshare via smbclient"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Cracking a luks encrypted file with dd and hashcat"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows medium", "line": " Luks cracked, mounting the disk with luksOpen"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows medium", "line": " Discovery of the secret used to encrypt the java object"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 18, "seconds": 
10}, "tag": "windows medium", "line": " Creating a python script to decrypt the ViewState to verify we have correct crypto settings"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows medium", "line": " Script completed, lets test the decryption!"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "windows medium", "line": " Downloading ysoserial to create a deserialization CommonCollections gadget"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Creating a python script to exploit the deserialization vuln"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows medium", "line": " Script complete! We got a ping, testing the MyFaces serialization objects (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows medium", "line": " Modifying the script to run commands other than what ySoSerial provided"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "windows medium", "line": " Script updates finished, trying to get a reverse shell via nishang (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "windows medium", "line": " Trying Invoke-WebRequest, because Net.WebClient did not work. 
(testing for constrained mode)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "windows medium", "line": " Downloading netcat to upload to the box"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows medium", "line": " Netcat returned a powershell reverse shell "}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows medium", "line": " Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows medium", "line": " Using evolution to view mbox file and find Batman's password"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 52, "seconds": 45}, "tag": "windows medium", "line": " Using Powershell's Invoke-Command to execute commands as Batman (like runas)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows medium", "line": " Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 58, "seconds": 10}, "tag": "windows medium", "line": " Unintended: Using net use to mount c$ and view the flag"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "windows medium", "line": " Checking github hfiref0x/UACME to find a UAC Bypass. 
Chose one by a fellow HTB Member"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 10}, "tag": "windows medium", "line": " Using GreatSCT/MSBuild to launch Meterpreter"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 45}, "tag": "windows medium", "line": " While GreatSCT installs, create a DLL to return a reverse shell"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows medium", "line": " copying the DLL into c:\\users\\batman\\appdata\\local\\microsoft\\windowsapps"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows medium", "line": " Using GreatSCT to generate payloads"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "windows medium", "line": " Getting a Meterpreter Session then migrating into an interactive process"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 77, "seconds": 45}, "tag": "windows medium", "line": " Running SystemPropertiesAdvanced.exe, which elevates and executes our dll"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux insane", "line": " Begin of recon"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 4, "seconds": 41}, "tag": "linux insane", "line": " Exploring the web page on port 80"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 6, "seconds": 2}, "tag": "linux insane", "line": " Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 6}, "tag": "linux insane", "line": " Creating a hotkey 
in Burpsuite to send requests in repeater pane"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux insane", "line": " Start of creating a python program to automate this"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux insane", "line": " Script finished"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux insane", "line": " Exploring /var/appsrv "}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux insane", "line": " Exploring authpf"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Hunting for the signing key for the CA to view HTTPS"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux insane", "line": " Copying the certificates to our box"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux insane", "line": " Creating and signing a Client Certificate"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux insane", "line": " Importing the certificate into FireFox"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 30, "seconds": 49}, "tag": "linux insane", "line": " Discovering the reason our certificate isn't working (time of server is behind)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux insane", "line": " Accessing the HTTPS Website to get a SSH key for NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 33, "seconds": 
40}, "tag": "linux insane", "line": " Discovering additional ports are open after using SSH with NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "linux insane", "line": " Installing the NFS-COMMON package to get the showmount binary"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux insane", "line": " Mounting a NFS Share with Version 2"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux insane", "line": " Editing our User ID on our box to gain access to the NFS Directories"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux insane", "line": " Reading mail to discover that the root password is set to the Postgres databases root pw"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux insane", "line": " Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux insane", "line": " SSH into the box as Charlie and dumping the database"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux insane", "line": " Exploring the source code to the web application"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux insane", "line": " Copying the crypto python script to our box, which will let us decrypt it"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 40}, "tag": "linux insane", "line": " Copying the secrets into the crypto python script and decrypting the 
password"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Attempting to execute an VSFTPD Backdoor via MSF"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Discovering the backdoor opened 6200, discovering a weird shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Lets figure out what just happened"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Triggering the backdoor without Metasploit"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "", "line": " Exploring the Psy PHP Shell opened up by the backdoor"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Several functions for executing bash aren't working, checking disable_functions"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Attempting to bypass disabled_functions (does not work)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Using ScanDir() and File_Get_Contents(), to explore the filesystem"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Identifying we are probably running as the Dali User (Unintended Path)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 
17, "seconds": 0}, "tag": "", "line": " Downloading CA.KEY, which is a private key to a webserver"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "", "line": " Using the CA.KEY to generate client certificates to access the HTTPS Page"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 30, "seconds": 25}, "tag": "", "line": " Weird it didn't work, lets just verify all our certificates are good"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 32, "seconds": 28}, "tag": "", "line": " This time it worked! We connected to the server"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Failing to add the certificate to BurpSuite"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "", "line": " Discovering File Traversal by editing the PATH variable"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 36, "seconds": 38}, "tag": "", "line": " Discovering the LFI just puts the path as Base64 Encoded"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "", "line": " Using the LFI to download the SSH Private Key"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "", "line": " Testing SSH Key against users on the box to gain access!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 39, "seconds": 13}, "tag": "", "line": " UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "", 
"line": " UNINTENDED: Using file_put_contents() to append our public key to authorized_keys"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "", "line": " UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " UNINTENDED: Scanning ports on Dali that are listening on LocalHost"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 43, "seconds": 8}, "tag": "", "line": " UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 45, "seconds": 35}, "tag": "", "line": " Running PSPY and LinEnum"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Using PSPY to view FileSystem Events which will show the cron"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "", "line": " Taking control of ~/memcached.ini because we own the folder!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " Exploiting the cron that utilizes memcached.ini to get a root shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Bonus"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 55, "seconds": 55}, "tag": "", "line": " Exploring how the SSL Authentication is working"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Exploring how the VSFTPD Backdoor 
was modified."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Support me on Patreon! https://patreon.com/ippsec"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux insane", "line": " Start of Recon, discovering CentOS Version via HTTPD Version"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux insane", "line": " Checking out the HTTP Page"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 3, "seconds": 32}, "tag": "linux insane", "line": " Checking out login.php"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux insane", "line": " Identifying a Secure Token is used, most likely STOKEN"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux insane", "line": " Failing to enumerate usernames through BruteForce"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux insane", "line": " Fuzzing the login form with special characters to identify a blacklist"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux insane", "line": " Trying Double URL Encoding to bypass the BlackList"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 12, "seconds": 55}, "tag": "linux insane", "line": " Explaining Double URL Encoding"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux insane", "line": " Discovering this is most likely a LDAP Injection"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux insane", "line": 
" Explaining how a LDAP Query Works"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "linux insane", "line": " Identifying the LDAP Query Structure with a Null Byte"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux insane", "line": " Injecting the WildCard (*) to enumerate usernames"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux insane", "line": " Using Wfuzz to extract the username"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux insane", "line": " Enumerating LDAP Attributes that are utilized"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 30, "seconds": 26}, "tag": "linux insane", "line": " Creating a python script to extract the Pager Attribute"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 41, "seconds": 38}, "tag": "linux insane", "line": " Script complete, lets extract the token"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux insane", "line": " Using STOKEN to generate the OTP and logging in"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Disabling NTP so we can math the server time"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 44}, "tag": "linux insane", "line": " Discovery of that second half of the original LDAP Query at 16 minutes."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 47, "seconds": 33}, "tag": "linux insane", "line": " Using a Null Byte to remove the GROUP Check."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": 
{"minutes": 50, "seconds": 33}, "tag": "linux insane", "line": " Running Commands"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 50, "seconds": 25}, "tag": "linux insane", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 53, "seconds": 17}, "tag": "linux insane", "line": " Checking for the LDAP Bind password, then SSHing into the box"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux insane", "line": " Going over the /backup directory"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "linux insane", "line": " Using ListFiles to have 7za print our the contents of root.txt"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " Running SMBMap to identify and crawl file shares"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Downloading creds.txt from an smb share and checking FTP/SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Checking the webpage and grabbing potential DNS Names for the box"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "", "line": " Using dig to perform a DNS Zone Transfer to obtain additional host names"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Adding all hostnames to /etc/hosts"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": 
{"minutes": 12, "seconds": 55}, "tag": "", "line": " Running Aquatone to take screenshots of all the pages for quick examination"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Testing Uploads.Friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Testing admin.friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Testing administrator1.friendzone.red, logging in with creds found from SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "", "line": " Found an LFI in the Dashboard.PHP script (PageName Variable)"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Using PHP Wrappers with the LFI To obtain PHP Script Source"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Revisiting recon to find ways to upload files, end up using SMBClient"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Gaining code execution through the LFI Exploit and SMB File Share"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "", "line": " Running 
PSPY to identify cron jobs we don't have permission to see"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "", "line": " Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "", "line": " Placing a reverse shell in the Python OS library"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows insane", "line": " Begin of Recon, discovery of an HTTP API that has a few commands"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows insane", "line": " Using JQ to parse json output, use NetStat/Proc to find GoPhish"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows insane", "line": " Logging into GoPhish with default creds admin:gophish, finding DNS Names"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "windows insane", "line": " Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "windows insane", "line": " Using wfuzz to bruteforce the password for webadmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 37, 
"seconds": 10}, "tag": "windows insane", "line": " Finding Code Execution in WebAdmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "windows insane", "line": " Creating a Python Script to give a pseudo shell to cat, ls, and upload"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 70, "seconds": 45}, "tag": "windows insane", "line": " Script finished, uploading reGeorg to create a proxy onto the box to bypass FW"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 76, "seconds": 20}, "tag": "windows insane", "line": " Using WinRM to access low privilege shell as Simple User"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 85, "seconds": 8}, "tag": "windows insane", "line": " Exploring /Util/Scripts to find a way to privesc to Hacker"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 90, "seconds": 29}, "tag": "windows insane", "line": " Exploring GetSystem functionality of meterpreter"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "windows insane", "line": " Starting to create program to steal a token from NamedPipe Clients"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "windows insane", "line": " Creating XOR Encrypter for payloads in C (There is a bug used & instead of %)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 108, "seconds": 20}, "tag": "windows insane", "line": " Using MSFVenom to generate raw payload to XOR then generate in C Format"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 111, "seconds": 38}, "tag": "windows insane", "line": " Creating the Stager to execute meterpreter, with some fun old 
AV Evasion tactics"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (Testing/Bug Hunting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 123, "seconds": 45}, "tag": "windows insane", "line": " Found the issue, AND'd the payload instead of XOR'd in encrypt.c"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 128, "seconds": 30}, "tag": "windows insane", "line": " Creating the NamedPipe portion of code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 148, "seconds": 30}, "tag": "windows insane", "line": " Creating the Pipe Impersonation part of the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 163, "seconds": 16}, "tag": "windows insane", "line": " Had some weird errors, adding the ability to enable token privileges"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (more troubleshooting....)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 181, "seconds": 0}, "tag": "windows insane", "line": " Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 186, "seconds": 10}, "tag": "windows insane", "line": " Meterpreter Session Loaded. 
Unfortunately it grab the impersonation token, more troubleshooting."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 188, "seconds": 20}, "tag": "windows insane", "line": " Found the bug that caused us to not pass the token"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 189, "seconds": 45}, "tag": "windows insane", "line": " Re-Explaining all the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 194, "seconds": 57}, "tag": "windows insane", "line": " Meterpreter loaded, using incognito to grab our impersonation token for HACKER user"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 210, "seconds": 15}, "tag": "windows insane", "line": " Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 215, "seconds": 50}, "tag": "windows insane", "line": " Start of looking at UserLogger Service, download it, un-UPX it"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 221, "seconds": 30}, "tag": "windows insane", "line": " Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 229, "seconds": 40}, "tag": "windows insane", "line": " UserLogger lets us write binaries as SYSTEM with 777 permissions! 
Lets chain Diagnostic Hub Exploit"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 232, "seconds": 0}, "tag": "windows insane", "line": " Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (Tons of trouble shooting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 258, "seconds": 5}, "tag": "windows insane", "line": " Changing from DEBUG mode to RELEASE mode for compiling. Which fixes it."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 265, "seconds": 15}, "tag": "windows insane", "line": " Root.txt is hidden behind alternate data streams."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 267, "seconds": 39}, "tag": "windows insane", "line": " ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Begin of Recon"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows easy", "line": " Searching for good files to view via FTP"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows easy", "line": " Nothing really found, searching for where PRTG creation file is"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 14, "seconds": 34}, "tag": "windows easy", "line": " Backup configuration found!"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows easy", "line": " Logging in by incrementing the password from 2018 to 2019"}, {"machine": "HackTheBox - Netmon", "videoId": 
"ZxvgniJXbOo", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "windows easy", "line": " Searching for CVE's"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "windows easy", "line": " Searching for where to send notification emails like CVE Said"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows easy", "line": " Testing for Command Injection via Cmd"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows easy", "line": " Testing for Command Injection via Powershell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "windows easy", "line": " Encoding powershell in Base64 to eliminate potential bad characters"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Begin of Reocn"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "windows medium", "line": " Using SMBMap to enumerate fileshares"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Discovering an Excel Macro File"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using olevba to extract macro from the document to discover credentials"}, {"machine": "HackTheBox - Querier", 
"videoId": "d7ACjty4m7U", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "windows medium", "line": " Using MSSQLClient.py from Impacket to log into the SQL Server"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "windows medium", "line": " Doing the SQL CMD:XP_DIRTREE to read a file off a UNC Share to steal the hash with Responder"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "windows medium", "line": " Cracking the NetNTLMv2 Hash"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 14, "seconds": 11}, "tag": "windows medium", "line": " Explaining the Responder Database file to view previously captured hashes"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows medium", "line": " Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows medium", "line": " Getting a Nishang Reverse Shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows medium", "line": " Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ** For some reason the user created with Invoke-ServiceAbuse cannot write to C$ so no psexec :("}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Going back to the password disclosed via Group Policy and discovering they are an administrator"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", 
"timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows medium", "line": " Explaining how the PowerUp module decrypted a password out of Group Policy"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows medium", "line": " Getting VIM to highlight the syntax of Powershell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows medium", "line": " Rooting the box with Invoke-ServiceAbuse"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux hard", "line": " Adding DNS Names to /etc/hosts"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Using Aquatone to take HTTP Screenshots of a bunch of pages"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux hard", "line": " Start of looking at FreeFlujab.htb"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Looking at HTTP Cookies we send"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux hard", "line": " Editing Cookies in Firefox"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Discovering SMTP_CONFIG, which lets us change where the mail server is"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Using FireFox to remove character restrictions on a page"}, {"machine": 
"HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "linux hard", "line": " The WebPage kept resetting our cookie, using Burp to auto replace"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Standing up a SMTP Server in python to read mail"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux hard", "line": " Discovering SQL Injection"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux hard", "line": " SQL Injection confirmed, testing Union Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Creating a Python Script to aid us in running SQL Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Script: Running a SMTP Server in background thread"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 41, "seconds": 35}, "tag": "linux hard", "line": " Script: Adding ability to use arrow keys to go to previous command"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 46, "seconds": 42}, "tag": "linux hard", "line": " Script: Making our command prompt send HTTP Requests"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Dumping database structure from INFORMATION_SCHEMA"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "linux hard", "line": " Dumping information out of the VACCINATIONS Table"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 
67, "seconds": 50}, "tag": "linux hard", "line": " User information dumped, cracking a sha256 hash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "linux hard", "line": " Accessing a new HOSTNAME from the database (sysadmin-console-01)"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 76, "seconds": 0}, "tag": "linux hard", "line": " Logging into Ajenti"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux hard", "line": " Discovering Notepad can read files from the server"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 84, "seconds": 10}, "tag": "linux hard", "line": " Looks like there was a SSH Key Compromise on the box from a README File"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 87, "seconds": 40}, "tag": "linux hard", "line": " Searching the compromised debian keys for one on the box"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 89, "seconds": 48}, "tag": "linux hard", "line": " Able to SSH Into the box with the Key! 
However we are in restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 90, "seconds": 30}, "tag": "linux hard", "line": " rBash escape 1: Using GTFOBins to find a way to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 92, "seconds": 30}, "tag": "linux hard", "line": " rBash escape 2: Using -t bash argument in SSH to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 93, "seconds": 30}, "tag": "linux hard", "line": " Exploiting an old version of Screen to PrivEsc!"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " * Second way to get a shell on the box *"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 103, "seconds": 40}, "tag": "linux hard", "line": " Creating files in /home/sysadm"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 106, "seconds": 40}, "tag": "linux hard", "line": " SSH is configured to allow public keys to also be placed in ~/access "}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux hard", "line": " Reading Ajenti Documentation to see API lets us change file permissions"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 110, "seconds": 0}, "tag": "linux hard", "line": " Ajenti wants the CHMOD Number to be in a weird format"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Running gobuster to find /support"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", 
"timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " Searching for a way to find version of HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 3, "seconds": 35}, "tag": "linux easy", "line": " Reading over the File Upload exploit script to see it requires server time"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Uploading a PHP Reverse Shell Script"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Going back to GitHub to find where uploads are saved"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux easy", "line": " Begin of modifying the script to pull the server time out of HTTP Headers"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Figuring out the python to pull the \"Date\" HTTP Header"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Getting the Time Format right with STRFTIME.COM"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux easy", "line": " Testing out the exploit and getting a shell"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Discovery of an old kernel, looking for an exploit"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Copying the exploit, compiling, and privesc!"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Looking into 
port 3000"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " /graphql discovered"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 42}, "tag": "linux easy", "line": " Dumping the schema to discover what data is inside"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 30, "seconds": 15}, "tag": "linux easy", "line": " Dumping username, password from the database"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 32, "seconds": 12}, "tag": "linux easy", "line": " Logging into HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux easy", "line": " Discovering the Boolean SQL Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " Running SQLMap"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux easy", "line": " Explaining the Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Begin of creating a python script to exploit this"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "windows insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "windows insane", "line": " Checking the web interfaces"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "windows insane", "line": " Discovering there is a Certificate Authority"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 8, "seconds": 
50}, "tag": "windows insane", "line": " Taking a look at LDAP"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows insane", "line": " Examining SMB to find shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows insane", "line": " Searching the Operations and Department Shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "windows insane", "line": " Viewing permissions of a SMB Share with SMBCACLS"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows insane", "line": " Discovering a writeable share, dropping a SCF File to get a hash"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 22, "seconds": 4}, "tag": "windows insane", "line": " Using Hashcat to crack NetNTLMv2"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows insane", "line": " Using SMBMap to identify if this user has access to anything extra"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "windows insane", "line": " Discovering the CertSRV Directory "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows insane", "line": " Discovering Powershell Remoting"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows insane", "line": " Error from WinRM (Need SSL)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows insane", "line": " Using openSSL to generate a private key"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": 
{"minutes": 31, "seconds": 52}, "tag": "windows insane", "line": " Going to /CertSRV to sign our certificate as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows insane", "line": " Adding the SSL Authentication to WinrM"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "windows insane", "line": " Playing with LDAP Again (with the Amanda Creds)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "windows insane", "line": " Shell on the box with WinRM as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "windows insane", "line": " Running SharpHound to enumerate Active Directory"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 40, "seconds": 29}, "tag": "windows insane", "line": " Applocker is on the box, lets move it in the windows directory "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows insane", "line": " Trying to get the bloodhound data off the box."}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows insane", "line": " Starting bloodhound "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 45, "seconds": 27}, "tag": "windows insane", "line": " File didn't copy lets load up Covenant"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "windows insane", "line": " Covenant is up and running - Create a HTTP Listener"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "windows insane", "line": " Hosting a Launcher"}, {"machine": "HackTheBox 
- Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "windows insane", "line": " Getting a grunt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 54, "seconds": 40}, "tag": "windows insane", "line": " Running SeatBelt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows insane", "line": " Running SharpHound"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Finally uploading the bloodhound data"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 61, "seconds": 18}, "tag": "windows insane", "line": " Running Bloodhound with all Collection Methods"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 65, "seconds": 15}, "tag": "windows insane", "line": " Discovering the MRLKY can DCSYNC"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 67, "seconds": 25}, "tag": "windows insane", "line": " Cannot kerberoast because of the Double Hop Problem, create token with MakeToken"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows insane", "line": " Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 74, "seconds": 40}, "tag": "windows insane", "line": " Running WMIExec to get Administrator"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "windows insane", "line": " UNINTENDED Method 1: Amanda can write to Clean.bat"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "windows insane", "line": " UNINTENDED Method 2: Forensic 
artifacts leave MRKLY Hash in C:\\windows\\system32\\file.txt"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Starting up GoBuster then editing /etc/hosts to add the hosts in nmap"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Going over the website"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Discovering a wordpress instance (/wp/ form goBuster)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Finding webmail credentials from a wordpress Protected Post"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Discovering webmail.chaos.htb (Method 1)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Testing IMAP, then configuring Evolution to login to the mail server (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "", "line": " Decrypting the message that was in the draft."}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Message decrypted, new page discovered"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 23, "seconds": 11}, "tag": "", "line": " Discovering a webpage for creating pdfs"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Searching for a code injection path for LaTex"}, 
{"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "", "line": " Discovering the blacklist is on \"input\""}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "", "line": " Testing for blind command execution via ping"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 27, "seconds": 43}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 28, "seconds": 10}, "tag": "", "line": " Enumerating the web directory to find passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 11}, "tag": "", "line": " Switching to the \"Ayush\" user with mail password, discover we are in rBash"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "", "line": " Escaping rBash by via tar (Method 1: GTFOBins)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "", "line": " Escaping rBash by editing path (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 32, "seconds": 55}, "tag": "", "line": " Discovering a mozilla user configuration directory, copying it off to export passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "", "line": " Using firefox_decrypt to export root password"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Logging into webmin with credentials from firefox"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Privesc via switching to root user with known password (Method 1)"}, 
{"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 38, "seconds": 10}, "tag": "", "line": " Using webmin to execute commands as root (Method 2)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "windows hard", "line": " Begin of recon"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 2, "seconds": 54}, "tag": "windows hard", "line": " Checking SNMP with snmpwalk"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 3, "seconds": 29}, "tag": "windows hard", "line": " Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 4, "seconds": 18}, "tag": "windows hard", "line": " Getting more SNMP Information with snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 7, "seconds": 35}, "tag": "windows hard", "line": " Going over UDP Ports discovered by snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows hard", "line": " Running ike-scan"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "windows hard", "line": " Examining ike-scan results to build a IPSEC Config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "windows hard", "line": " Installing Strongswan (IPSEC/VPN Program)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 14, "seconds": 19}, "tag": "windows hard", "line": " Adding the PSK Found earlier to /etc/ipsec.secrets"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows hard", "line": " Begin 
configuring /etc/ipsec.conf"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 20, "seconds": 8}, "tag": "windows hard", "line": " Starting and debugging ipsec"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "windows hard", "line": " Explaining why we add TCP to strongswan config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows hard", "line": " Starting IPSEC, then using NMAP through IPSEC."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " (You may want to run WireShark here and see all traffic is encrypted thanks to ipsec)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "windows hard", "line": " Enumerating SMB Quickly (SMBMap/cme)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "windows hard", "line": " Enumerating FTP, discovering we can upload files"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "windows hard", "line": " Checking HTTP, hunting for our uploaded file. 
Then uploading files that may lead to code execution"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 29, "seconds": 44}, "tag": "windows hard", "line": " Grabbing an ASP Webshell from Github/tennc/webshell"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 8}, "tag": "windows hard", "line": " Webshell has been uploaded"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows hard", "line": " Explaining a weird MTU Issue you *may* run into due to the nested VPN's"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows hard", "line": " Back to playing with the web shell, getting a reverse shell with Nishang"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 3}, "tag": "windows hard", "line": " Explaining RLWRAP"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "windows hard", "line": " whoami /all shows SEImpersonation, so we run JuicyPotato to privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 44, "seconds": 35}, "tag": "windows hard", "line": " JuicyPotato fails with the default CLSID, changing it up to get it working."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "windows hard", "line": " Doing the box again with Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "windows hard", "line": " Setting up the IPSEC Connection through Windows Firewall"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows hard", "line": " Installing a DotNet C2 (The Covenant)"}, 
{"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 54, "seconds": 20}, "tag": "windows hard", "line": " Covenant/Elite open, starting a Listener then a Powershell Launcher"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 60, "seconds": 10}, "tag": "windows hard", "line": " Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "windows hard", "line": " Grabbing the Sandbox Escaper ALPC Privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 68, "seconds": 3}, "tag": "windows hard", "line": " Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " (bunch of flailing, then reverting the machine)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 85, "seconds": 35}, "tag": "windows hard", "line": " Box is reverted, trying the ALPC Exploit again"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of recon, Nmap"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Taking the CentOS Apache Version to find major version"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Running GoBuster with a Common-PHP-Files wordlist."}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Enumerating Ldap with ldapsearch"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", 
"timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Discovery of Password Hashes within ldap information"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "", "line": " Attempting to crack the hashes. (does not crack)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Back to the web page"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "", "line": " Page says to login with ip@Lightweight with the password of your ip"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 15, "seconds": 35}, "tag": "", "line": " Running LinEnum"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Discovery of Extended Capabilities set on tcpdump"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "", "line": " Performing a packet capture over SSH without touching disk"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "", "line": " Examining the pcap created, don't see anything on ens33"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Performing a packet capture through SSH and piping live results to WireShark"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Discovery of LDAP Traffic, ldapuser2 password passed in clear-text"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Using bash to exfil a file over the network (backup.7z)"}, 
{"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "", "line": " Using 7z2john and hashcat to crack a 7zip file"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "", "line": " Examining extracted files to discover a new credential (ldapuser1)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "", "line": " The openssl binary in ldapuser1 has an empty capability (which is all)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Using GTFOBins to see what we can do with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 11}, "tag": "", "line": " Reading /etc/shadow with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 35}, "tag": "", "line": " Adding an entry into /etc/sudoers to allow us to escalate to root"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows insane", "line": " Begin of Nmap"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows insane", "line": " Pulling important information from the website"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows insane", "line": " Discovering DNS Names, adding stuff to /etc/hosts"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows insane", "line": " Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": 
{"minutes": 23, "seconds": 50}, "tag": "windows insane", "line": " Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows insane", "line": " Found BigHead Web Server on Github, pulling Zips and cracking"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "windows insane", "line": " Before reversing the binary, keep hunting for information about the OS"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "windows insane", "line": " Discovering PHPInfo within the PhpMyAdmin directory, has OS."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows insane", "line": " Installing Immunity and Mona"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows insane", "line": " Grabbing MinGW so we can run the Bighead Webserver"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows insane", "line": " Crashing the webserver, seeing we have"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Sending a pattern to the box and examining the stack to see where our overwrites are"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "windows insane", "line": " Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 70, "seconds": 6}, "tag": "windows insane", "line": " Explanation of EggHunters"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", 
"timestamp": {"minutes": 76, "seconds": 5}, "tag": "windows insane", "line": " Grabbing the shellcode we want, then adding it to our exploit script"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 84, "seconds": 50}, "tag": "windows insane", "line": " Validating our exploit is working as we intended by setting a break point on JMP ESP"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "windows insane", "line": " Our box complains about DEP, lets disable that on our OS and hope its disabled on target"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "windows insane", "line": " Running the exploit against the target and getting a shell back!"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "windows insane", "line": " Searching the registry (HKLM) for \"password\""}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 97, "seconds": 0}, "tag": "windows insane", "line": " Dumping information about services on the box (HKLM\\System\\CurrentControlSet\\Services)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 98, "seconds": 15}, "tag": "windows insane", "line": " Discovery of NGINX password, then looking at ports listening on localhost"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 101, "seconds": 8}, "tag": "windows insane", "line": " Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 105, "seconds": 10}, "tag": "windows insane", "line": " SSH into nginx@Bighead over port 2020, land in an extremely restricted shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": 
{"minutes": 110, "seconds": 30}, "tag": "windows insane", "line": " Searching for vulnerable PHP Code, discovering testlink"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 122, "seconds": 55}, "tag": "windows insane", "line": " Exploiting an LFI Vulnerability"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 127, "seconds": 0}, "tag": "windows insane", "line": " Using Netcat to get a reverse shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 136, "seconds": 10}, "tag": "windows insane", "line": " Looking at the KeePass Configuration File to see where the KDBX and Key is"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 138, "seconds": 55}, "tag": "windows insane", "line": " A bunch of pain trying to get data off the Alternate Data Stream."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 151, "seconds": 30}, "tag": "windows insane", "line": " Finally got the KDBX back to my box, then crack the KeePass file"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " Last video was missing about 2 minutes and cut off at 31:35. 
Sorry, was an extremely busy week and didn't get to verify everything was good."}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "linux easy", "line": " Begin on Recon"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 1, "seconds": 39}, "tag": "linux easy", "line": " Starting a full nmap scan "}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux easy", "line": " Discovery of IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "linux easy", "line": " Manually looking at IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Looking at the IRC to understand how to connect to an IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Pulling the IRC Version and discovering the exploit"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Going into the history of the IRC Backdoor"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux easy", "line": " Manually exploiting the IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Shell returned on the server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Discovery of .backup which gives a steg password"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Logging in with djmardov"}, {"machine": 
"HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux easy", "line": " Discovery of SetUID enabled custom binary, viewuser"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "linux easy", "line": " Using ltrace to see what the binary does, executes the file /tmp/listusers"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux easy", "line": " Getting a root shell"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Testing exploiting the binary with \"who\", fails due to no setuid"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux easy", "line": " Looking at the binary within Ghidra"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Poking around at the website to identify what techologies it utilizes"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Discovering something odd about images/5.png"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux easy", "line": " Downloading 5.png to discover it is a text file with a portion of a password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Finding a place to login (/moodle), attempt to enumerate valid usernames"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 
8, "seconds": 0}, "tag": "linux easy", "line": " Using wfuzz to bruteforce the password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Looking for a way to enumerate Moodle Versions"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux easy", "line": " Searching for exploits for this version and finding \"Bad Teacher\""}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Start of manually exploiting this vulnerability"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Adding a \"Calculated Question\" which has the formula (vulnerable) parameter"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 20, "seconds": 16}, "tag": "linux easy", "line": " Finding artifacts of creating/testing the machine which spoils what we are supposed to do"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 24, "seconds": 21}, "tag": "linux easy", "line": " Fixing our forumla to allow for code execution"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Looking around the MySQL Database to discover hashes of other users"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 31, "seconds": 52}, "tag": "linux easy", "line": " The account Giovannibak stands out due to the hash being just MD5"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 32, "seconds": 
30}, "tag": "linux easy", "line": " Attempting the password (expelled) of the MD5 hash above to login to \"Su\" to Giovannibak"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux easy", "line": " Grabbing and compiling pspy to find a cronjob"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Running PSPY to discover /usr/bin/backup.sh"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " More detailed notes: https://gist.github.com/IppSec/137a9f8870bed2763048072f321073e5"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " My Vulnerability Assessment methodology"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Starting a Nessus Scan to see what it thinks"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Running nmap and deciding what ports are needed"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 9, "seconds": 35}, "tag": "", "line": " Reviewing the Nessus Scan"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 12, "seconds": 2}, "tag": "", 
"line": " Examining what leaving KSQL/Kafka (8088) open can do"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 13, "seconds": 58}, "tag": "", "line": " Using iptables to block ports that don't need to be routable"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 15, "seconds": 53}, "tag": "", "line": " Preventing NMAP from detecting the port as filtered, doing REJECT --reject-with tcp-reset"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Using Draw.io to explain what we are doing with a Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "", "line": " Installing Apache2"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 21, "seconds": 33}, "tag": "", "line": " Creating the reverse proxy HTTPS Configuration, then enabling modules ssl, proxy, proxy_http"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Our Apache Server doesn't like self-signed certificate of remote server adding:"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- SSLProxyVerify, SSLProxyCheckPeerCN, SSLProxyCheckPeerName, SSLProxyCheckPeerExpire"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 28, "seconds": 44}, "tag": "", "line": " Enabling Universe Repo then installing mod-security"}, {"machine": "Securing 
Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "", "line": " Briefly going over the mod-security configuration file"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 32, "seconds": 35}, "tag": "", "line": " Setting ModSecurity to blocking mode then modifying the rules to allow Kibana to work"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 36, "seconds": 25}, "tag": "", "line": " ModSecurity doesn't like \"application/x-ndjson\", adding this to the allowed content types"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 40, "seconds": 13}, "tag": "", "line": " Beginning of creating a Certificate Authority to handle Mutual SSL Authentication"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "", "line": " Creating the CA Private/Public Keys with OpenSSL"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 44, "seconds": 11}, "tag": "", "line": " Creating the WebServer's private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "", "line": " Creating the users private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "", "line": " Copying the Webserver's keys to the reverse proxy, then updating Apache2 to use the certs"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", 
"videoId": "2OWtEymBQfA", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "", "line": " Showing the SSL is working by adding the CA to firefox and checking if cert warnings go away"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "", "line": " Configuring Apache to force SSL Client Authentication which requires user certificates"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Creating the PFX File in order to allow Firefox to import our user certificate"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "", "line": " Demonstrating SSL Mutual Authentication is working"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "", "line": " Modifying iptables on HELK to only allow HTTP/HTTPS Connections from the Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "", "line": " Making the iptable rules on HELK persistent"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "", "line": " Uh-oh we forgot to do rules on IPv6, which allows for a firewall bypass. 
Let's just disable IPv6."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 20}, "tag": "", "line": " Flow chart of potential paths through this box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Begin of recon, SSL Enumeration, examining PHP Behavior"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 6, "seconds": 23}, "tag": "", "line": " Using GoBuster to dicover directories, pdf's, and php scripts"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Using wfuzz to discover subdomains (virtual host routing)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "", "line": " Guessing credential, logging in with guest:guest disover SQL Injection"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Manually doing an error-based SQL Injection with extractquery()"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Go watch the Enterprise Video if you want Double Query Based Errors **"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "", "line": " A good screenshot showing the SQL Inject Queries used, then cracking"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Doing the SQLInjection with SQLMap, needed the delay flag!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Going back to start of box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", 
"timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Examining the account-signup.pdf to create a user"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "", "line": " Doing XSS (cross site scripting) to steal a cookie of the admin"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 43, "seconds": 15}, "tag": "", "line": " Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 46, "seconds": 15}, "tag": "", "line": " Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 48, "seconds": 38}, "tag": "", "line": " Playing with the Firewall portion of the site, discover command injection in deleting rules!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 52, "seconds": 28}, "tag": "", "line": " Reverse shell as www-data"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 54, "seconds": 40}, "tag": "", "line": " Discover postgresql credentials in actions.php, this database lets you create users!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 60, "seconds": 21}, "tag": "", "line": " Inserting a user into the database, then logging in with SSH"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "", "line": " Examining /etc to discover a different postgresql account-signup"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 64, "seconds": 50}, "tag": "", "line": " Adding a root user with the new credentials, then sudo to root!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", 
"timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " *** Going back to just adding our IP to the whitelist in firewall"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 66, "seconds": 29}, "tag": "", "line": " Discovering Haraka running"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "", "line": " Using Metasploit to exploit haraka, get shell as penelope"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 72, "seconds": 26}, "tag": "", "line": " Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " *** Going back, lets do the overflow! No postgres at all"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " * Go watch Bitterman if this is confusing"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 75, "seconds": 50}, "tag": "", "line": " Examining iptctl.c"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 79, "seconds": 56}, "tag": "", "line": " Using Pattern_Create to discover where the RSP (RIP) Overwrite occours."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 81, "seconds": 15}, "tag": "", "line": " Start of python script"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 84, "seconds": 11}, "tag": "", "line": " Dumping PLT Functions to use with our rop chain (no aslr on binary)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 88, "seconds": 0}, "tag": "", "line": " Getting pop gadgets with radare"}, {"machine": "HackTheBox - Redcross", "videoId": 
"-GNyDEQ9UDU", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "", "line": " Building our ROP Chain"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 94, "seconds": 28}, "tag": "", "line": " Exploiting the binary! To get root."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Explaining the HELK Architecture"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Showing my VM's Spec's/build"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Installing HELK "}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Poking around HELK's Logstash container to see how it works"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Examining HELK Elastalert to view sigma rules"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 9, "seconds": 8}, "tag": "", "line": " The magic behind catching APT! 
(sorry did it for the keywords)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 11, "seconds": 58}, "tag": "", "line": " The SafetyKeyz Sigma rule, could easily be avoided"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 12, "seconds": 58}, "tag": "", "line": " Start of Windows"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Building a Sysmon Config with Sysmon-Modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - https://github.com/olafhartong/sysmon-modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "", "line": " Enabling Other Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Enabling Command Line Logging with arguments"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/Windows/SecuritySettings/SecurityOptions/Audit: Force Audit policy"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/Windows/SecuritySettings/AdvancedAudit/DetailedTracking/AuditProcessCreate"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/AdminTemplates/System/AuditProcessCreation"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": 
"C2cgvpN44is", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Enabling Powershell Module and Script Block Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/AdminTemplates/WindowsComponents/WindowsPowershell/"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Create Profile.ps1 in c:\\windows\\system32\\WindowsPowerShell\\v1.0"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Variables: $LogCommandHealth and $LogCommandLifeCycleEvent = $true"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Enabling Task Scheduler History/Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "", "line": " Downloading and installing WinLogBeat"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " (If you have issues, try version 6.7 of WinLogBeat, 7 is now out and HELK is not ingesting)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 27, "seconds": 5}, "tag": "", "line": " Logging into HELK and start of searching the logs!"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Searching Process Create Events (4688) and finding the commands we ran earlier"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", 
"timestamp": {"minutes": 29, "seconds": 53}, "tag": "", "line": " Testing the Powershell logging to detect downloading and executing a script"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Detecting mimikatz accessing LSASS"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "", "line": " Deep dive into Mimikatz to identify how it accesses LSASS.EXE to create a signature, what is 0x1010 process grant?"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "", "line": " Showing the Process Creation stuff in real time."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 47, "seconds": 25}, "tag": "", "line": " Examining the SysMon Dashboard"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "", "line": " Viewing the SIGMA Rules and how to clean up noisy ones."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Really good blog post: https://posts.specterops.io/what-the-helk-sigma-integration-via-elastalert-6edf1715b02 **"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Deep dive into the SIGMA Rule setup"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - python -m elastalert.elastalert --debug --rule"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", 
"timestamp": {"minutes": 51, "seconds": 30}, "tag": "", "line": " Discovering the mistake in the SIGMA to Elastalert conversion (realert:0)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Debugging Elastalert Rules"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 3, "seconds": 8}, "tag": "", "line": " Begin of GoBustering"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Discovery of an image upload script"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 8, "seconds": 39}, "tag": "", "line": " Attempting to bypass the upload filter"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 12, "seconds": 46}, "tag": "", "line": " Reverse Shell to ubuntu Returned. 
Examining Web Source"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 15, "seconds": 28}, "tag": "", "line": " ALTERNATIVE: Checking out the host name pollution, setting host header to localhost"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 19, "seconds": 27}, "tag": "", "line": " Resume of poking around the host, discover passwords and other hosts in /home"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 23, "seconds": 14}, "tag": "", "line": " Uploading a static-compiled nmap to the box (static-binaries is a github repo)"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 24, "seconds": 57}, "tag": "", "line": " SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "", "line": " Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Think i broke the box here, sent unicode to the box.... 
It stops responding on web."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 32, "seconds": 55}, "tag": "", "line": " Machine reverted, getting back to where I started."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "", "line": " Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 36, "seconds": 12}, "tag": "", "line": " Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 38, "seconds": 58}, "tag": "", "line": " Exploring the DNS Server box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 39, "seconds": 26}, "tag": "", "line": " Finding a password in /home/dave/ssh"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Discovering Vault's IP Address in /etc/hosts"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 20}, "tag": "", "line": " Perfoming a NMAP on the vault box, discover two ports closed"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "", "line": " Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " ALTERNATIVE: Bypassing the firewall by using IPv6"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 49, "seconds": 47}, "tag": "", "line": " How to set the source port with SSH via ncat"}, {"machine": "HackTheBox - Vault", 
"videoId": "LfbwlPxToBc", "timestamp": {"minutes": 50, "seconds": 45}, "tag": "", "line": " Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 51, "seconds": 35}, "tag": "", "line": " Dave has the above RSA Key, use SCP to send the file back to Ubuntu"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " The file has been copied, using gpg to decrypt the file."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 55, "seconds": 39}, "tag": "", "line": " MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 5}, "tag": "", "line": " Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 42}, "tag": "", "line": " Rebooting Vault by sending the Ctrl+Alt+delete key"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " Editing grub to get a root shell without a password"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 56}, "tag": "", "line": " Changing the password to root, then rebooting again"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "", "line": " Logging in with the new password."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "", "line": " Installing FireEye Commando to help keep our development environments sync'd"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": 
{"minutes": 4, "seconds": 30}, "tag": "", "line": " Using Git to download mimikatz, openifang with Visual Studio 2017 and installing dependencies"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Verifying that we can compile mimikatz before we make any changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "", "line": " Creating an Antivirus Exception in Defender to ignore shared drive"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Remove String: mimikatz and then rename files with mimikatz in the name"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "", "line": " Remove String: all metadata by editing the RC File (accidentally wipe a quote)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Replace Icon"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Test rebuilding after these changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Using \"head\" to split the binary in half to help identify where Defender is identifying mimikatz"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Tons of splitting."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Found a rough location of a bad string, opening in a hex editor to identify the string."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": 
" Appears to flag on KiwiAndRegistryTools, lets verify"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Search and replace for \"mimi\" (whoops, should of done kiwi here!)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Remove String: KiwiAndRegistryTools"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Decompressing the Defender Signature File, this should speed up finding bad strings but i still need to do more research here."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Verifying KiwiAndRegistryTools is removed by testing it against Defender"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " From here on... Tons of repetitive stuff to find other strings."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "", "line": " wdigest.dll is a bad character, lets see if its in a DLL Import or Print Statement."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Remove String: wdigest.dll"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 46, "seconds": 25}, "tag": "", "line": " Remove String: isBase64InterceptOutput, isBase64InterceptInput"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 52, "seconds": 25}, "tag": "", "line": " Remove String: multirdp"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "", "line": " Wow. 
Just realized double clicking a program is a better way to test if an executable is malicious. Lol."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Remove String: logonPasswords "}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "", "line": " Remove String: credman"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "", "line": " Remove String: I_NetTrustPasswordsGet, this one is different due to being in the IMPORT table. Use dumpbin /exports to show ordinal addresses"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "", "line": " Ordinal loading explained, kind of"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 76, "seconds": 45}, "tag": "", "line": " Creating a new lib file to do ordinal loading of netapi32 functions. Create DEF file, then use lib to compile it."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "", "line": " Whoops, string isn't here because its I_NetTrust, not I_NetPass. 
After this mistake, mimikatz is ran"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "", "line": " Running Ghidra to view import tables to see how the ordinal loading works."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Lets just see what VirusTotal thinks of this binary."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 12}, "tag": "linux easy", "line": " Begin of Recon"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "linux easy", "line": " Running Cewl to generate a wordlist"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " Finding secret.txt in the HTML Source, which happens to be the password"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "linux easy", "line": " Runninh JoomScan so we have something running in the background"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux easy", "line": " Checking the manifest to get the Joomla Version"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Explaining what equals mean in base64"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Begin of hunting for Joomla Username"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux easy", "line": " BruteForcing Joomla Login with WFUZZ"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 10, "seconds": 
35}, "tag": "linux easy", "line": " Troubleshooting by sending wfuzz through burp"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 12, "seconds": 25}, "tag": "linux easy", "line": " Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "linux easy", "line": " Success! Logged into Joomla"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 58}, "tag": "linux easy", "line": " Gaining code execution by modifying a template"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Finding the file: password_backup which is encoded"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux easy", "line": " Extracting password_backup manually with xxd, zcat, bzcat, tar"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 25, "seconds": 43}, "tag": "linux easy", "line": " Extracting Password_Backup with CyberChef"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux easy", "line": " Logging in with Floris"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 17}, "tag": "linux easy", "line": " Looking at /home/floris/AdminArea"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux easy", "line": " Testing the input file by changing the url to us"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", 
"timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux easy", "line": " Getting LFI by using file:// within curl"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 30, "seconds": 38}, "tag": "linux easy", "line": " Pulling the cron, to see what is going on"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux easy", "line": " Cron shows curl -K to use curl with a config file, checking man page."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "linux easy", "line": " Changing where curl saves to, in order to gain a root shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 33, "seconds": 45}, "tag": "linux easy", "line": " Showing another good file to read with the LFI (logs)"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 34, "seconds": 18}, "tag": "linux easy", "line": " Using pspy to show when processes start/end, which shows the curl command with no exploits"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 1, "seconds": 16}, "tag": "linux easy", "line": " Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 4, "seconds": 4}, "tag": "linux easy", "line": " Using nc/ncat to verify a port is open (-zv)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 11, "seconds": 17}, "tag": "linux easy", "line": " Doing gobuster across man of the sub directories"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 13, "seconds": 3}, "tag": "linux easy", "line": " Examining /admin/ - Examine the HTML Source because login is not sending any data"}, {"machine": "HackTheBox - Frolic", 
"videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 14, "seconds": 9}, "tag": "linux easy", "line": " Discover some weird text encoding (Ook), how I went about decoding it"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 15, "seconds": 44}, "tag": "linux easy", "line": " Decoded to base64 with some spaces, clean up the base64 and are left with a zip file"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 19, "seconds": 19}, "tag": "linux easy", "line": " After cracking the zip, there is another text encoding challenge (BrainF*)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 25, "seconds": 11}, "tag": "linux easy", "line": " With potential information, return to our long running recon for more information"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 28, "seconds": 49}, "tag": "linux easy", "line": " Discovering /playsms"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux easy", "line": " Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 34, "seconds": 34}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Finding the SetUID file: rop"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Exploiting ROP Program with ret2libc"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 45, "seconds": 
30}, "tag": "linux easy", "line": " Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 50, "seconds": 34}, "tag": "linux easy", "line": " Running our exploit to get root shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux easy", "line": " Begin of recovering rop.c source code"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 56, "seconds": 41}, "tag": "linux easy", "line": " Recreating rop.c then compiling"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 59, "seconds": 44}, "tag": "linux easy", "line": " Copying the physical disk to our local box via SSH and DD"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 61, "seconds": 44}, "tag": "linux easy", "line": " Using PhotoRec to restore files and finding rop.c"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Checking out the Web Page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Doing UDP/GoBuster Scans"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Running SNMPWalk and then logging into web interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Reading the tickets on the web page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Discovering code execution"}, 
{"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "", "line": " Discovering FTP Server 10.120.15.10"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Gaining access to a Router Interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Using Draw.io to draw out the network"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "", "line": " Examining routing information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Looking at BGP Information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " First attempt at BGP Hijack, advertising a route"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Did not work, examining routing loop."}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 50, "seconds": 50}, "tag": "", "line": " Blocking the routing advertisement to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "", "line": " Showing the new routing loop (AS300 sends to AS200)"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Telling AS200 not to advertise the route to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "", "line": " Grabbing 
FTP Traffic to get root password"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Extra Content"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "", "line": " Logging into all 3 routers for some fun"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 68, "seconds": 50}, "tag": "", "line": " Hiding from TraceRoute by mucking with TTL's"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 73, "seconds": 20}, "tag": "", "line": " Redoing the attack, but showing routing tables on all routers"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "", "line": " Unintended route, Just adding an IP to eth2"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " This video didn't go quite as smooth as I expected. Still putting it here to show an unintended route for Ethereal. 
When I get more time, I'll probably redo this video, so don't be surprised if it disappears."}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 14}, "tag": "", "line": " Demo of this AppLocker Bypass"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " How this is different than LOLBINs"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Creating a Reverse Shell EXE"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Converting our Reverse Shell EXE to a DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Performing this COR PROFILER bypass with our Reverse Shell DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 11, "seconds": 21}, "tag": "", "line": " Trying to do this on the HackTheBox machine: Ethereal"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 18, "seconds": 43}, "tag": "", "line": " Creating a BAT file to set environment variables and execute TZSYNC"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "", "line": " Executing the BAT File and getting a meterpreter session!"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 22, "seconds": 3}, "tag": "", "line": " Doing JuicyPotato to privesc to SYSTEM"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Migrating to a user to be able to read an EFS Protected file."}, {"machine": "HackTheBox - 
Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows insane", "line": " Begin of Recon, Downloading FTP and inspecting websites"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 10, "seconds": 23}, "tag": "windows insane", "line": " Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows insane", "line": " Sending MD5Hashes to VirusTotal to get file age"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "windows insane", "line": " Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows insane", "line": " Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "windows insane", "line": " Using nslookup to exfil the results of commands executed."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "windows insane", "line": " Creating Python Script to automate exploitaiton of this program. Using Scapy, BeutifulSoup, and Requests."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 55, "seconds": 23}, "tag": "windows insane", "line": " Script working! 
Now to make the output a bit more pretty using tokens to sepereate spaces"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows insane", "line": " Running commands to get interesting information about the page"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 65, "seconds": 20}, "tag": "windows insane", "line": " Enumerating the Firewall via netsh"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "windows insane", "line": " Using OpenSSL to get a reverse shell on windows"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 77, "seconds": 25}, "tag": "windows insane", "line": " Reverse shell returned. "}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "windows insane", "line": " Creating a malicious shortcut via powershell"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 82, "seconds": 40}, "tag": "windows insane", "line": " Using OpenSSL To transfer files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 88, "seconds": 0}, "tag": "windows insane", "line": " Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 92, "seconds": 30}, "tag": "windows insane", "line": " Creating and signing a malicious MSI with WiX."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 108, "seconds": 15}, "tag": "windows insane", "line": " First attempt failed, creating a less complicated MSI File by just having it execute our shortcut"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 113, "seconds": 0}, "tag": 
"windows insane", "line": " Getting reverse shell as SYSTEM - Cannot read EFS Files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 115, "seconds": 20}, "tag": "windows insane", "line": " Having our MSI not run as SYSTEM by changing impersonation in WiX"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 118, "seconds": 30}, "tag": "windows insane", "line": " Shell as Rupal returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "windows easy", "line": " Begin of recon: ftp, telnet, IIS 7.5"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Downloading all files off an FTP Server with WGET"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "windows easy", "line": " Examining the \"Access Control.zip\" file."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Cracking a zip file with John"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows easy", "line": " Creating a wordlist for cracking the zip (strings of the mdb file)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows easy", "line": " Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows easy", "line": " Grabbing the same password we cracked by checking the auth_user table"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 13, "seconds": 35}, "tag": "windows easy", "line": " Converting the PST File 
(Outlook Email) to PlainText via readpst"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows easy", "line": " Logging into telnet with the credentials from the email"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "windows easy", "line": " Switching to a Nishang Shell to execute powershell"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows easy", "line": " Running JAWS (Just Another Windows Scanner)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 23, "seconds": 34}, "tag": "windows easy", "line": " Discovering Stored Credentials on the box for ACCESS\\Administrator "}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 11}, "tag": "windows easy", "line": " Examining the Shortcut on PUBLIC\\DESKTOP which shows us how the \"Stored Credential\" is used."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 58}, "tag": "windows easy", "line": " Using powershell to view information of a Shortcut"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "windows easy", "line": " Using the Stored Credential via runas /savecred"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " (some flailing around, darn windows quotes)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 30, "seconds": 31}, "tag": "windows easy", "line": " Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 31, "seconds": 54}, "tag": "windows easy", "line": " Box 
done, Administrator returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " (Flailing around until 54:20)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 32, "seconds": 38}, "tag": "windows easy", "line": " Begin of decrypting the Stored Credential, uploading Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "windows easy", "line": " Using powershell to download files"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 36, "seconds": 36}, "tag": "windows easy", "line": " Discovering that I was trying to save mimikatz to a directory i cannot write to :("}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "windows easy", "line": " Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "windows easy", "line": " Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 41, "seconds": 28}, "tag": "windows easy", "line": " Getting a Empire Agent running"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 43, "seconds": 35}, "tag": "windows easy", "line": " Empire Agent Returned, Injecting meterpreter shellcode."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 45, "seconds": 46}, "tag": "windows easy", "line": " Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 46, "seconds": 52}, "tag": "windows easy", "line": " Explaining Mimikatz 
Arguments when in \"non-interactive\" mode"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 54, "seconds": 20}, "tag": "windows easy", "line": " Grabbing needed files to decrypt DPAPI::CREDS offline"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 56, "seconds": 9}, "tag": "windows easy", "line": " Switing to Windows to run Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 62, "seconds": 32}, "tag": "windows easy", "line": " Decrypting the Creds stored in DPAPI"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux hard", "line": " Signing into Zabbix as Guest"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Getting potential usernames from inside Zabbix and guessing creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Running Searchsploit and looking for vulnerabilties"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Analyzing the \"API\" Script from SearchSploit as we have API Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Modifying the \"API\" Script "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Showing a shortcut to skip the Container to Host Lateral Movement."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 15, "seconds": 
35}, "tag": "linux hard", "line": " Shell on the Container."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 17, "seconds": 25}, "tag": "linux hard", "line": " Searching for Zabbix MySQL Password "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "linux hard", "line": " Dumping the Zabbix User Database"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 29, "seconds": 53}, "tag": "linux hard", "line": " Getting a Reverse Shell on Zabbix (use nohup to fork)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Running LinEnum on Zabbix Host"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux hard", "line": " Examining home directories to find Zapper Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 36, "seconds": 42}, "tag": "linux hard", "line": " Examining the \"Zabbix-Service\" SetUID "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux hard", "line": " PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " PRIVESC #2: Weak permissions on Purge-Backups 
Service"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "linux hard", "line": " Extra Content: Building a Zabbix API Client from Scratch!"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux hard", "line": " \"Pseudo Terminal\" Skeleton Script via Cmd module"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Adding Login Functionality"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 56, "seconds": 8}, "tag": "linux hard", "line": " Making the script login upon starting"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux hard", "line": " Adding functionality to dump users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux hard", "line": " Adding functionality to dump groups"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 65, "seconds": 25}, "tag": "linux hard", "line": " Adding functionality to add users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 70, "seconds": 45}, "tag": "linux hard", "line": " Adding functionality to modify users"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Begin of intro"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "windows medium", "line": " Examining port 80 and 443"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "windows medium", "line": " Using gobuster to discover directories"}, {"machine": "HackTheBox - Giddy", "videoId": 
"J2unwbMQvUo", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "windows medium", "line": " /remote discovered, nothing to do here"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows medium", "line": " /mvc discovered"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "windows medium", "line": " SQL Injection everywhere"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows medium", "line": " Attempt to perform union injection on search"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Having trouble, send to SQLMap look at other places in the applicaiton"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "windows medium", "line": " SQLMap having trouble with search SQL, change to ITEM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows medium", "line": " Attempting XP_CMDSHELL (Fails)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Using XP_DIRTREE to read files off SMBShare"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "windows medium", "line": " Use Responder to steal the authentication attempt of XP_DIRTREE"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows medium", "line": " Cracking the NetNTLMv2 Hash"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Logging into /remote with cracked credentials"}, {"machine": 
"HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "windows medium", "line": " Discovering unifi video is installed, this has a known privesc"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows medium", "line": " Attempting to use Meterpreter. (Fail: AV)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows medium", "line": " Grabbing and compiling a DotNet Reverse Shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "windows medium", "line": " Actually compiling the reverse shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 38, "seconds": 58}, "tag": "windows medium", "line": " Using xcopy to copy our reverse shell to the victim"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "windows medium", "line": " Attempting to find Unifi Service name so we can restart it. 
End up searching registry due to permission issues."}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "windows medium", "line": " Restarting Unifi Service so it executes TaskKill.exe"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " # Box Done"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 44, "seconds": 25}, "tag": "windows medium", "line": " Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " Escaping powershell constrained mode with PSBypassCLM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 60, "seconds": 25}, "tag": "windows medium", "line": " Showing the Powershell History file which contained a hint at Unifi"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Want the WireShark Sticker? http://weirdstuffis.online "}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Enumerating OpenBSD Patch Date via SSH Version"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Examining port 80... 
Use Wireshark to see why NMAP gets a response but firefox does not"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Invalid Requests, will cause HTTP Service to send error message"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using ldapsearch to enumerate ldap, use wireshark to see how the nmap script works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Using SMBMap to PassTheHash and enumerate fileshares and download Putty Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Using PuttyGen to convert Putty Key to an RSA Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "", "line": " Testing out ssh_enumusers to see if that would have worked to get valid usernames"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "", "line": " Logged in as Alice, use LinEnum"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "", "line": " Examining doas configuration (like Sudo -l)"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "", "line": " Examining HTTPD Configuration to see why we couldn't hit the webserver earlier"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Examining SSHD Configuration to see SSH is configured to allow CA Signed Keys"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Getting hashes from SSH Keys to know what 
publics go to which privates"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Playing with the SSHAUTH webservice to enumerate what principals go to which users"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "", "line": " Signing a SSH Key using DoAs to sign a key with the root Principal"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "", "line": " Testing the key, explaining how this all works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "", "line": " Unintended privesc, Xorg exploit"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux hard", "line": " Begin of the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux hard", "line": " Checking the HTTP Ports out"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 4, "seconds": 38}, "tag": "linux hard", "line": " Using wfuzz to bruteforce a login on port 80"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Begin examining port 8080, use wfuzz to bruteforce a cookie"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Using wfuzz to enumerate the WAF and determine bad characters"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux hard", "line": " Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost."}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 16, "seconds": 50}, "tag": 
"linux hard", "line": " Begin examining port 11211 (MemCache)"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Dumping data from Memcache"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux hard", "line": " Using CVE-2018-15473 to enumerate valid users over SSH"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux hard", "line": " Cracking the users hash and logging into the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Using R2 to analyzing rabbit hole application \"try_harder\""}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Going through LinEnum"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux hard", "line": " Using r2 to examine myexec to find password"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 40, "seconds": 13}, "tag": "linux hard", "line": " Using r2 to examine libseclogin.so"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Creating a malicious library to hijack seclogin()"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Lets bypass the login by hijacking printf()"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 0, "seconds": 
55}, "tag": "linux insane", "line": " Begin of Recon (Port Scans)"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 4, "seconds": 9}, "tag": "linux insane", "line": " Reverse Image Searching an favicon to get application used"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux insane", "line": " NODE-RED: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux insane", "line": " NODE-RED: Running IP and Port Scans to identify lateral movement targets"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 24, "seconds": 29}, "tag": "linux insane", "line": " Downloading Chisel (Go Program for Tunnels)."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux insane", "line": " Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux insane", "line": " PowerPoint: Explaining Reverse Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux insane", "line": " WWW: Tunnel online, examining the website"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 34, "seconds": 23}, "tag": "linux insane", "line": " Full Port Scan to 172.19.0.2, discover REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux insane", "line": " Searching for ways to execute code against REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 38, "seconds": 7}, "tag": "linux insane", "line": " Using REDIS to create a PHP 
Shell"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 41, "seconds": 6}, "tag": "linux insane", "line": " PowerPoint: Explaining Local Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux insane", "line": " WWW: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 45, "seconds": 45}, "tag": "linux insane", "line": " Notice wildcard used with RSYNC, go search GTFOBins"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 51, "seconds": 32}, "tag": "linux insane", "line": " Abusing the wildcard within RSYNC"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 57, "seconds": 23}, "tag": "linux insane", "line": " WWW: Got Root, but no flag... Lets go look at RSYNC again."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 60, "seconds": 15}, "tag": "linux insane", "line": " Explaining how to tunnel from Backup - WWW - NODE-RED - Kali"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 77, "seconds": 50}, "tag": "linux insane", "line": " Getting reverse shell on BACKUP via uploading CronJob through rsync"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux insane", "line": " BACKUP: Reverse Shell Returned... 
No root.txt here either!?"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 86, "seconds": 30}, "tag": "linux insane", "line": " BACKUP: Noticing this is has /dev/sda*, where other dockers do not"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 88, "seconds": 15}, "tag": "linux insane", "line": " BACKUP: Dropping a cronjob on root disk to get shell on the host"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "linux insane", "line": " ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Checking out the website"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows medium", "line": " Using wfuzz to enumerate usernames"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Logging in with an account we created"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 7, "seconds": 23}, "tag": "windows medium", "line": " Checking out Change Password and noticing it does this poorly"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using the contact form, to see if tyler will follow links"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 14, "seconds": 14}, "tag": "windows medium", "line": " Changing Tyler's password by sending him to the ChangePassword Page"}, {"machine": "HackTheBox - 
SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Logged in and find SMB Share with credentials."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "windows medium", "line": " Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 17, "seconds": 48}, "tag": "windows medium", "line": " Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "windows medium", "line": " Downloading netcat for windows to use as a Reverse Shell"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 21, "seconds": 14}, "tag": "windows medium", "line": " Playing with Bash on Windows"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "windows medium", "line": " Finding the administrator password in ~/.bash_history"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " -- Box done"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "windows medium", "line": " Alternate way to find the .bash_history file"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 25, "seconds": 36}, "tag": "windows medium", "line": " Unintended way to bypass the CSRF. 
SQL Injection + bad Static Code analysis"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " In the Holiday video, I do a bit more that may be helpful with card type attacks "}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " : https://www.youtube.com/watch?v=FvHyt7KrsPE&app=desktop"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Start of the box"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Attempting GoBuster but wildcard response gives issue"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Start of doing wfuzz to find content"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 10, "seconds": 38}, "tag": "linux hard", "line": " Manually testing SQLInjection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 13, "seconds": 7}, "tag": "linux hard", "line": " Running SQLMap and telling it exactly where the injection is"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 16, "seconds": 4}, "tag": "linux hard", "line": " Manually extracting files with the SQL Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Cracking the hash with hashcat"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux hard", "line": " Start of examining the custom webapp, playing with Template Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 27, "seconds": 
0}, "tag": "linux hard", "line": " Explaining a way to enumerate language behind a webapp"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 35, "seconds": 17}, "tag": "linux hard", "line": " Reverse Shell returned on first Docker Container"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux hard", "line": " Examining SQL Database"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux hard", "line": " Doing the Port Knock to open up SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux hard", "line": " Gain a foothold on the host of the docker container via ssh"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Identifying containers running"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Creating SSH Port Forwards without exiting SSH Session then NMAP through"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 55, "seconds": 11}, "tag": "linux hard", "line": " Begin looking into Portainer, finding a weak API Endpoint"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux hard", "line": " Start of creating a container in portainer that can access the root file"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " system"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 68, "seconds": 25}, "tag": "linux hard", "line": " 
Changing sudoers so dorthy can privesc to root"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "linux hard", "line": " Lets go back and create a python script to play with SQL Injection"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux insane", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Extra nmaps, SNMP and AllPorts"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux insane", "line": " Playing with OneSixtyOne (SNMP BruteForce)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux insane", "line": " Looking at SNMPWalk Output"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux insane", "line": " Installing SNMP Mibs so SMPWalk is readable"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux insane", "line": " Accessing the box over Link Local IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux insane", "line": " Looking at Por 3366 (Website), getting PW from SNMP Info"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux insane", "line": " Getting IPv6 Routable Address via SNMP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux insane", "line": " NMAP the IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux insane", 
"line": " Accessing the page over IPv6"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux insane", "line": " Getting output from the command execution page"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "linux insane", "line": " Viewing Credentials Files and accessing the box via SSH"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux insane", "line": " Examining why loki cannot use /bin/su (getfacl)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux insane", "line": " Getting a shell as www-data"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " 38;10 - Finding the root.txt file from using find command to search for files by"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " date"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux insane", "line": " Extra content, reading files via ICMP"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Looking at what Filtered means in Nmap"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Start of looking at webpage (GoBuster)"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Manual HTTP Enumeration"}, {"machine": "HackTheBox - 
Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Start of exploiting with BurpSuite"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " SSH Key Found, logging in with nobody"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 19, "seconds": 12}, "tag": "", "line": " Discovering a second SSH Server"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 23, "seconds": 36}, "tag": "", "line": " Using the same SSH Key to login to the second SSH Server as monitor"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 24, "seconds": 38}, "tag": "", "line": " Escaping rBash by modifying an executable file in our current $PATH"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 28, "seconds": 13}, "tag": "", "line": " Running LinEnum.sh to search for PrivEscs"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "", "line": " Enabling ThoroughTests in LinEnum to see what else it will check"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "", "line": " Looking into capabilities permission sin linux"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " Begin of second way to escape rBash and setup a SSH Tunnel for fun"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows easy", "line": " Begin of recon "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Poking at DNS - Nothing really important."}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", 
"timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows easy", "line": " Examining what NMAP Scripts are ran. "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "windows easy", "line": " Lets just try out smbclient to list shares available"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "windows easy", "line": " Using SMBMap to show the same thing, a great recon tool!"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Pillaging the Replication Share with SMBMap"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows easy", "line": " Discovering Groups.xml and then decrypting passwords from it"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "windows easy", "line": " Dumping Active Directory users from linux with Impacket GetADUsers"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 16, "seconds": 28}, "tag": "windows easy", "line": " Using SMBMap with our user credentials to look for more shares"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "windows easy", "line": " Switching to Windows to run BloodHound against the domain "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Analyzing BloodHound Output to discover Kerberostable user"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "windows easy", "line": " Performing Kerberoast attack from linux with Impacket GetUsersSPNs"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": 
{"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Cracking tgs 23 with Hashcat"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows easy", "line": " Getting root on the box via PSEXEC"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Checking FTP Server for hidden files"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Creating a bunch of files varying in length to narrow likely ciphers down."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 14, "seconds": 35}, "tag": "", "line": " Encrypting all of the above files and checking their file sizes"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Decrypting file, obtaining a password"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "", "line": " Begin looking at Drupal, running Droopescan"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 12}, "tag": "", "line": " Manually examining Drupal, finding a way to enumerate usernames"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Placing invalid emails in create account, is a semi-silent way to enumerate usernames"}, {"machine": "HackTheBox - 
Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Logging into Drupal with Admin. "}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "", "line": " Gaining code execution by enabling PHP Plugin, then previewing a page with php code"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "", "line": " Running LinEnum.sh - Discover H2 (Database) runs as root"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Hunting for passwords in Drupal Configuration"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 39, "seconds": 25}, "tag": "", "line": " Finding database connection settings. SSHing with daniel and the database password (not needed)"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "", "line": " Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk\u2019s Loopback. 
Only need to do one of those, just showing its possible without daniel"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "", "line": " Accessing Hawk\u2019s H2 Service (8082) via the loopback address"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "", "line": " Logging into H2 by using a non-existent database, then testing code execution"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "", "line": " Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Reverted box, cleaning up environment then getting reverse shell"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 62, "seconds": 45}, "tag": "", "line": " Discovering could have logged into the database with Drupal Database Creds."}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows easy", "line": " Introduction, nmap"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows easy", "line": " Clicking around in Tomcat"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows easy", "line": " Playing around with HTTP Authentication"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows easy", "line": " Bruteforcing tomcat default 
creds with Hydra and seclists"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Sending hydra through a proxy to examine what is happening"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows easy", "line": " Logging into tomcat and using msfvenom + metasploit to upload a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 22, "seconds": 42}, "tag": "windows easy", "line": " Begin of doing this box without MSF"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "windows easy", "line": " Downloading a cmd jsp shell and making a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows easy", "line": " WebShell returned"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows easy", "line": " Begin of installing SilentTrinity"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 30, "seconds": 55}, "tag": "windows easy", "line": " SilentyTrinity Started, starting listener and generating a payload"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows easy", "line": " Pasting the payload into the webshell"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows easy", "line": " Debugging SSL Handshake errors"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows easy", "line": " Starting SilentTrinity back up, how to use modules"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 
39, "seconds": 10}, "tag": "windows easy", "line": " Start of Execute-Assembly, compiling Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows easy", "line": " Running Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "windows easy", "line": " Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " SilentTrinity Talk: https://www.youtube.com/watch?v=NaFiAx737qg"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 0, "seconds": 42}, "tag": "windows hard", "line": " Begin of Nmap"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 4, "seconds": 23}, "tag": "windows hard", "line": " Examining the anonymous FTP Directory and discovering email addresses in Meta Data"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "windows hard", "line": " Manually enumerating valid email addresses via SMTP"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows hard", "line": " Creating a \"Canary Document\" in Word to ping back to our server when a word document is opened"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 13, "seconds": 14}, "tag": "windows hard", "line": " Generating a malicious RTF Document (CVE-2017-0199)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 26, "seconds": 28}, "tag": "windows hard", "line": " Shell Returned. 
Enumerating the AppLocker Policy"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 32, "seconds": 53}, "tag": "windows hard", "line": " Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 35, "seconds": 22}, "tag": "windows hard", "line": " Lets forget we had Tom and run Bloodhound from Nico!"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows hard", "line": " First time opening BloodHound on this box."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows hard", "line": " Lets update Bloodhound, looks like some data is missing and there were errors when running it"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "windows hard", "line": " Finding a path from Nico to BACKUP_ADMINS and explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner,etc)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 58, "seconds": 23}, "tag": "windows hard", "line": " Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows hard", "line": " Adding Herman to the Backup_Admins group"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "windows hard", "line": " Finding the Administrator Password within backup scripts."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "windows hard", "line": " Attempting to run Watson (ends up not working)"}, {"machine": "HackTheBox - Reel", "videoId": 
"ob9SgtFm6_g", "timestamp": {"minutes": 83, "seconds": 22}, "tag": "windows hard", "line": " Using Metasploit to do the box"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 85, "seconds": 42}, "tag": "windows hard", "line": " Since Watson failed, lets just look at last patch times on the box to get an idea whats vulnerable."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 87, "seconds": 19}, "tag": "windows hard", "line": " Attempting to do the ALPC Exploit within Metasploit"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 91, "seconds": 0}, "tag": "windows hard", "line": " That failed - Lets just prove the box is vulnerable, by overwriting a DLL"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of Recon"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "windows hard", "line": " TFTP Enumeration - Identifying configuration and OS information"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 6, "seconds": 32}, "tag": "windows hard", "line": " Finding a path to code execution"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 7, "seconds": 17}, "tag": "windows hard", "line": " Examining PSExec Metasploit Module"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "windows hard", "line": " Using irb within metasploit to print a powershell payload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Examining PsExec()"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows hard", "line": " 
Examining native_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "windows hard", "line": " Examining mof_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 20, "seconds": 34}, "tag": "windows hard", "line": " Using irb within metasploit to print the MOF File"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "windows hard", "line": " Quick explanation of MOF Files"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "windows hard", "line": " Modifying the MOF to run NetCat"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows hard", "line": " Uploading nc to the target"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows hard", "line": " Uploading the malicious MOF File and getting a shell!"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "windows hard", "line": " Using Streams to view Hidden text within ADS"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " ==== Box Done, Lets play with MSF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 33, "seconds": 8}, "tag": "windows hard", "line": " Start of Bonus Content, finging a TFTP Exploit that uses MOF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "windows hard", "line": " Attempting to use distrinct_ftp_traversal against DropZone"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "windows 
hard", "line": " Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Testing out pry.byebug"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows hard", "line": " Finding why the exploit module didn't work"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 44, "seconds": 50}, "tag": "windows hard", "line": " Module still doesn't work, TFTP Stopping mid transfer"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "windows hard", "line": " Whoops, changed the delay on the wrong timeout "}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "windows hard", "line": " Meterpreter Shell returned, showing off the extended API and some WMI Commands."}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "windows easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 1, "seconds": 48}, "tag": "windows easy", "line": " Gobuster, using -x aspx to find aspx pages"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 3, "seconds": 16}, "tag": "windows easy", "line": " Playing with a file upload form, seeing what can be uploaded"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "windows easy", "line": " Using Burp Intruder to automate checking file extensions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " Finding a way to execute code 
from file upload in ASPX (web.config)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows easy", "line": " Executing code via web.config file upload"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 13, "seconds": 8}, "tag": "windows easy", "line": " Installing Merlin to be our C2"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 15, "seconds": 25}, "tag": "windows easy", "line": " Compiling the Merlin Windows Agent"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 18, "seconds": 37}, "tag": "windows easy", "line": " Modifying web.config to upload and execute merlin"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 21, "seconds": 14}, "tag": "windows easy", "line": " Merlin Shell returned!"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 24, "seconds": 18}, "tag": "windows easy", "line": " Checking for SEImpersonatePrivilege Token then doing Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 27, "seconds": 44}, "tag": "windows easy", "line": " Getting Admin via Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 29, "seconds": 44}, "tag": "windows easy", "line": " Box completed"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows easy", "line": " Start of doing this box again, with Metasploit! 
Creating a payload with Unicorn"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows easy", "line": " Having troubles getting the server call back to us, trying Ping to see if the exploit is still working"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 34, "seconds": 17}, "tag": "windows easy", "line": " Reverted box. Have to update our payload with some updated VIEWSTATE parameters"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows easy", "line": " Metasploit Session Returned! Checking local_exploit_suggester"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 1}, "tag": "windows easy", "line": " Comparing local_exploit_suggester on x32 and x64 meterpreter sessions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows easy", "line": " Getting Admin via MS10-092"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 42, "seconds": 5}, "tag": "windows easy", "line": " Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! 
(Fails, think I screwed up listening host #PivotProblems)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows easy", "line": " Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Discovery of Wordpress and fixing broken links with burp"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Start of WPScan"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 7, "seconds": 14}, "tag": "", "line": " Start of poking at Monstra, (Rabbit Hole)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "", "line": " Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Reverse shell returned as www-data"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 8}, "tag": "", "line": " Confirming monstra was read-only"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Running LinEnum.sh to see www-data can run tar via sudo"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Use GTFOBins to find a way to execute code with Tar"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 22, "seconds": 0}, 
"tag": "", "line": " Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Examining backuperer script"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Hunting for vulnerabilities in Backuperer"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "", "line": " Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "", "line": " Begin of exploiting the backuperer service by exploiting intregrity check"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "", "line": " Creating our 32-bit setuid binary"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 39, "seconds": 16}, "tag": "", "line": " Replacing backup tar, with our malicious one. 
(File Owner of Shell is wrong)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 40, "seconds": 54}, "tag": "", "line": " Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " Exploiting the Backuperer Service via SetUID!"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "", "line": " Unintended Exploit: Using SymLinks to read files via backuperer service"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "", "line": " Start of Recon"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "", "line": " Start of GoBuster"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Looking at /upload, testing with a normal XML File"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Valid XML File created, begin of looking for XML Entity Injection XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " XXE Returns a a local file off the server"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Grabbing the source code to the webserver to find newpost function."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Discovery of vulnerability due to user data being passed to pickle"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": 
{"minutes": 12, "seconds": 44}, "tag": "", "line": " Creating the script to exploit pickle"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 16, "seconds": 38}, "tag": "", "line": " Reverse shell returns!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "", "line": " Poking around at Source Code"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Discover of an SSH Key within deployment stuff."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Trying SSH Key for other users on the box to see if it is valid"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 22, "seconds": 57}, "tag": "", "line": " Hunting for git filers, the boxes name is \"Gitter\" and we have an SSH Key that goes nowhere. "}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "", "line": " Examining Git Log to see the SSH Key has changed!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "", "line": " SSH'ing with the old key, to see it's root's key."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 58}, "tag": "", "line": " The webserver could read Roosa's SSH Key. 
Could bypass the entire pickle portion"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Start of \"Extra Practice\""}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "", "line": " Creating a Python Script to automate the LFI With XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " == Note this piece leads to failure. However, if we could convert the output to a more friendly format such as Base64 it would of worked. This is likely in PHP WebServers due to \"PHP Wrappers\", perhaps it is with python too but I don't know a way =="}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "", "line": " Script completed, lets improve it to try to download an exposed git repo"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "windows insane", "line": " Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 2, "seconds": 53}, "tag": "windows insane", "line": " Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows insane", "line": " Begin poking around the members.streetfighterclub.htb page - Find SQL Injection"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows insane", "line": " Boolean injection to force the query to return \"valid login\". 
Play with logins to find it always returns to \"Service not available\""}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 14, "seconds": 25}, "tag": "windows insane", "line": " Testing Union Injections for easy exfil of data"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows insane", "line": " Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows insane", "line": " Some valuable recon/information in debugging our SQL queries. Noticing small things really helps."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "windows insane", "line": " Start of making a program to give us a command shell."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 69, "seconds": 40}, "tag": "windows insane", "line": " Explaining the program we just created. Then fix a small bug."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 72, "seconds": 45}, "tag": "windows insane", "line": " Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 77, "seconds": 10}, "tag": "windows insane", "line": " Return of 32-bit PowerShell... Identifying we can append data to c:\\users\\decoder\\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 92, "seconds": 40}, "tag": "windows insane", "line": " Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 
64-bit Shell as Decoder returned!"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows insane", "line": " Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorials/28.html"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 102, "seconds": 18}, "tag": "windows insane", "line": " Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 107, "seconds": 25}, "tag": "windows insane", "line": " Looking at the binaries in Ida64 Free"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 111, "seconds": 14}, "tag": "windows insane", "line": " Explaining what's happening and then writing a script to bypass the password check."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 115, "seconds": 35}, "tag": "windows insane", "line": " Start of unintended way (Juicy Potato)"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "windows insane", "line": " Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 126, "seconds": 10}, "tag": "windows insane", "line": " Start of modifying JuicyPotato to accept uppercase arguments."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 130, "seconds": 14}, "tag": "windows insane", "line": " Finding a vulnerable CLSID to get JuicyPotato working"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 148, "seconds": 25}, "tag": "windows insane", "line": " Running JuicyPotato 
with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 48}, "tag": "linux easy", "line": " Begin of NMAP Discovery of Finger"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 3, "seconds": 36}, "tag": "linux easy", "line": " Enumerating Finger with Finger-User-Enum"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Nmap'ing all port quickly by lowering max-retries"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Adding an old Key Exchange Alogorithm to SSH"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Showing Hydra doesn't work, then using Patator"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " (Patator also can do Finger Enum! 
Try it out)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 11, "seconds": 19}, "tag": "linux easy", "line": " Using find to count lines in all wordlist files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 7}, "tag": "linux easy", "line": " Logged in with sunny:sunday"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux easy", "line": " Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 16, "seconds": 46}, "tag": "linux easy", "line": " Just noticed this box is oooooold, try to privesc with sudo and ShellShock (Fail)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 18, "seconds": 53}, "tag": "linux easy", "line": " Privesc by overwriting the /root/troll binary"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " == Box Done"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Using wget to exfil files quickly"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux easy", "line": " Viewing what wget --post-file looks like"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Creating a PHP Script to accept uploaded files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 
29, "seconds": 10}, "tag": "linux easy", "line": " Starting a php webserver with php -S (ip):(port) -t ."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux easy", "line": " Replacing the root password by changing the shadow file"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux easy", "line": " Demoing a way to create directories and upload files!"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Begin of Recon, nmap filtered explanation"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Begin of initial DNSRecon, hunting for a domain name"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 6, "seconds": 4}, "tag": "", "line": " Web page enumeration, finding xdebug in header"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 9, "seconds": 47}, "tag": "", "line": " Installing xdebug plugin in Chrome to show its use"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Getting a reverse shell on the first docker (Icarus)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Setting up nginx to accept files uploaded over HTTP / WebDav"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Examining the Wireless Capture from Icarus"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Cracking WPA with aircrack / hashcat"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", 
"timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Decrypting WPA traffic in Wireshark"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "", "line": " Enumerating valid usernames via SSH (CVE-2018-15473)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " SSH into port 2222 with information from Wireless Capture"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Domain Name found! Time to do a DNS Zone Transfer"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Port Knocking to open up port 22"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 40, "seconds": 5}, "tag": "", "line": " PrivEsc to root via being a member of the Docker Group"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 43}, "tag": "", "line": " Start of Recon, nmap and poking around the website"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Dirbusting a site that always respond 200"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 9, "seconds": 43}, "tag": "", "line": " Switching to a different Wordlist (SecLists/Discovery/Web/Common)"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 10, "seconds": 48}, "tag": "", "line": " Discovery of .git - Poking around to clone it and download"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "", "line": " Downloaded .git, examining commit history"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 
19, "seconds": 50}, "tag": "", "line": " Start of Pickle Talk"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "", "line": " Begin writing of the pickle exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Return of Reverse Shell as www-data"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Begin looking into CouchDB"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "", "line": " Poking around at documents within CouchDB"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Examining first exploit with creating a CouchDB User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "", "line": " Exploring the passwords database with our newly created admin user and finding Homers Password."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Getting root with sudo pip install"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 45, "seconds": 55}, "tag": "", "line": " Box Done. 
Begin second unintended way to get to Homer User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 47, "seconds": 3}, "tag": "", "line": " Playing with the public RCE Exploit for CouchDB "}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", "line": " Running the exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 49, "seconds": 36}, "tag": "", "line": " Examining the exploit, doing each step manually to see where it fails"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "", "line": " Searching on how to create a new CouchDB Cluster, maybe it will allow this work?"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 55, "seconds": 55}, "tag": "", "line": " Digging into how erlang works"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "", "line": " Finding default CouchDB Cookie"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "", "line": " Connecting to the Erlang pool then searching for how to run commands."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 61, "seconds": 54}, "tag": "", "line": " Exploring how to send long commands as distributed task"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "", "line": " Getting reverse shell"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Extra Links"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://malicious.link/post/2018/erlang-arce/"}, {"machine": "HackTheBox - Canape", 
"videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Blackhat 2011 - Sour Pickles - https://www.youtube.com/watch?v=HsZWFMKsM08"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 0, "seconds": 56}, "tag": "", "line": " Start of recon, use Bootstrap XSL Script to make nmap pretty"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "", "line": " Looking at nmap in web browser "}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 52}, "tag": "", "line": " Navigating to the web page, and testing all the pages."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "", "line": " Testing for LFI"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Testing for RFI (Remote File Inclusion) [not vuln]"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Code Execution via LFI + phpinfo()"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Modifying the PHP-LFI Script code to get it working"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Debugging the script to see why tmp_name couldn't be found"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 20, "seconds": 12}, "tag": "", "line": " Shell returned!"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": 
{"minutes": 21, "seconds": 25}, "tag": "", "line": " Looking at pwdbackup.txt and decoding 13 times to get password."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 23, "seconds": 37}, "tag": "", "line": " SSH into the box (Do not privesc right away!)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 24, "seconds": 29}, "tag": "", "line": " Getting shell via Log Poisoning"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 26, "seconds": 39}, "tag": "", "line": " Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 28, "seconds": 47}, "tag": "", "line": " Begin of PrivEsc, grabbing secret.zip off"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 32, "seconds": 38}, "tag": "", "line": " Searching for processes running as root, find VNC"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 33, "seconds": 49}, "tag": "", "line": " Setting up SSH Tunnels without exiting SSH Session."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 37, "seconds": 43}, "tag": "", "line": " Something weird happend... 
Setting up SSH Tunnels manually."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "", "line": " PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "", "line": " Decrypting the VNC Password because we can."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "", "line": " Examining the log file to see why our Log Poison Failed, then doing the Log Poison"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 3, "seconds": 48}, "tag": "", "line": " Manually checking the page out"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Discovering the webserver is java/tomcact"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 5, "seconds": 35}, "tag": "", "line": " Starting up GoBuster / Hydra"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "", "line": " The Directory /Monitoring was found - Discovering its Struts because of .action"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Stumbling upon an exploit trying to find out how to enumerate Struts Versions"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off"}, {"machine": "HackTheBox - Stratosphere", "videoId": 
"uMwcJQcUnmY", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "", "line": " Using a HTTP Forward Shell to get around the strict firewall"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " # Sokar Video Explaining it: https://www.youtube.com/watch?v=k6ri-LFWEj4"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " # Inception - Another box where i modify the FWD Shell POC: https://www.youtube.com/watch?v=J2I-5xPgyXk&t=3s"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "", "line": " Go here if you want to start copying the Forward Shell Script"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 23, "seconds": 34}, "tag": "", "line": " Explaining how it works"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Explaining the code"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 31, "seconds": 6}, "tag": "", "line": " Forward Shell Returned - Enumerating Database to find creds"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 37, "seconds": 29}, "tag": "", "line": " Examining User.py"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Privesc: Abusing Python's Path to load a malicious library and sudo user.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Looking at the web application and finding the 
Serialized Cookie"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 4, "seconds": 38}, "tag": "", "line": " Googling for Node JS Deserialization Exploits"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Start of building our payload"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "", "line": " Moving our serialized object to \"Name\", hoping to get to read stdout"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "", "line": " Failing to convert an object (stdout) to string."}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 14, "seconds": 2}, "tag": "", "line": " Verifying code execution via ping"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 15, "seconds": 32}, "tag": "", "line": " Code execution verified, gaining a shell"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " (Get a shell via NodeJSShell at end of video)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 18, "seconds": 49}, "tag": "", "line": " Reverse shell returned, running LinEnum.sh"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 21, "seconds": 26}, "tag": "", "line": " 
Examining logs to find the Cron Job running as root"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 22, "seconds": 9}, "tag": "", "line": " Privesc by placing a python root shell in script.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "", "line": " Going back and getting a shell with NodeJSShell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "windows insane", "line": " Begin of Recon (nmap, setting hostname, dns, nmap, ipv6)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows insane", "line": " Checking websites (80,443,8080)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "windows insane", "line": " Attempting to enumerate users of OWA-2010 (Fails)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows insane", "line": " Checking out Joomla Version (/administrator/manifets/files/joomla.xml)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows insane", "line": " Using SearchSploit with (Complain Management System)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 19, "seconds": 38}, "tag": "windows insane", "line": " Register Account, Login, Verify/Play with SQL Union Injection"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "windows insane", "line": " Enumerating SQL Injection with SQLMap"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 29, "seconds": 18}, "tag": "windows insane", "line": " Going back to MSF/OWA_LOGIN and testing credentials."}, {"machine": 
"HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows insane", "line": " Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "windows insane", "line": " Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 40, "seconds": 18}, "tag": "windows insane", "line": " Compiling Merlin (like MSF/Empire)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "windows insane", "line": " Sending the email and waiting."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "windows insane", "line": " Merlin call back, Switch to Powershell Nishang to get a interactive shell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "windows insane", "line": " Running PowerUp to find we are an Administrator"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 56, "seconds": 56}, "tag": "windows insane", "line": " Running JAWS to do some more Windows Enumeration"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 63, "seconds": 4}, "tag": "windows insane", "line": " Found an odd scheduled task \"System Maintenance\""}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 66, "seconds": 3}, "tag": "windows insane", "line": " Attempting to write a php shell to HTTPD"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " * Begin of 
weird issue with File Encoding breaking something *"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows insane", "line": " Frusterated creating a PHP Script... Switch to the SCHTask Privesc"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 78, "seconds": 20}, "tag": "windows insane", "line": " Uhh. Testing if echo is somehow breaking .bat/.php files"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " * Wth. That was actually the issue!?"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "windows insane", "line": " Going back to test PHP to verify it just didn't like echo."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Videos mentioned:"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Charon - Exploring Union Injection: https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Enterprise - Exploring Double Union Injection - https://www.youtube.com/watch?v=NWVJ2b0D1r8"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "windows medium", "line": " Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Bruteforcing the SID with 
ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Holy crap, this is slow lets also do it with Metasploit"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows medium", "line": " Bruteforcing valid logins with ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows medium", "line": " Credentials returned, logging into Oracle with SQLPlus as SysDBA"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows medium", "line": " Reading files from disk via Oracle"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "windows medium", "line": " Writing files to disk from Oracle. Testing it in WebRoot Directory"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 25, "seconds": 52}, "tag": "windows medium", "line": " File Written, lets write an ASPX WebShell to the Server"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows medium", "line": " WebShell Working! 
Lets get a Reverse Shell"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 31, "seconds": 28}, "tag": "windows medium", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 32, "seconds": 24}, "tag": "windows medium", "line": " Finding a DropBox link, but password doesn't display well."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "windows medium", "line": " Attempting to copy file via SMB to view UTF8 Text"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 35, "seconds": 18}, "tag": "windows medium", "line": " That didn't work, lets transfer the file by encoding it in Base64."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 36, "seconds": 55}, "tag": "windows medium", "line": " Got the password lets download the dump!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 39, "seconds": 10}, "tag": "windows medium", "line": " Begin of Volatility"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "windows medium", "line": " Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Box Done"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 47, "seconds": 35}, "tag": "windows medium", "line": " Begin of unintended way, examining odat and uploading an meterpreter exe"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "windows medium", "line": " Using odat externaltable to execute meterpreter and get a system shell!"}, {"machine": "HackTheBox - Silo", "videoId": 
"2c7SzNo9uoA", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows medium", "line": " Examining odat verbosity flag to see what commands it runs and try to learn."}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "linux easy", "line": " Start of Recon, identifying end of life OS from nmap"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Running vulnerability scripts in nmap to discover heartbleed"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " (In video on Blue, I go a bit more in NMAP Scripts. https://www.youtube.com/watch?v=YRsfX6DW10E)"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 4, "seconds": 16}, "tag": "linux easy", "line": " Going to the HTTP Page to see what it looks like"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Begin of Heartbleed - Grabbing Python Module"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 7, "seconds": 13}, "tag": "linux easy", "line": " Explaining Heartbleed -- XKCD ftw"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Explaining and running the exploit"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Exporting large chunks of memory by running in a loop"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux easy", "line": " Finding an encrypted SSH Key on the server"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", 
"timestamp": {"minutes": 15, "seconds": 35}, "tag": "linux easy", "line": " Examining heartbleed output to discover SSH Key Password"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " SSH as low priv user returned"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "linux easy", "line": " Finding a writable tmux socket to hijack session and find a root shell"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux easy", "line": " Alternative Privesc, DirtyC0w"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 1, "seconds": 26}, "tag": "", "line": " Start of Recon"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Notice SSH configured for Pub Key Only. 
Hint at what to grab later!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Grabbing test.txt off ftp server via anonymous auth"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 4, "seconds": 7}, "tag": "", "line": " Determining if I want to go down the \"Exploit VSFTPD\" rabbit hole"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 5, "seconds": 54}, "tag": "", "line": " Viewing test.txt and hosts.php"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 6, "seconds": 48}, "tag": "", "line": " Figuring out how hosts.php works and discovering XXE"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 8, "seconds": 58}, "tag": "", "line": " Start of XXE Discovery"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 10, "seconds": 16}, "tag": "", "line": " Making the XXE Output /etc/passwd"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 11, "seconds": 33}, "tag": "", "line": " Encoding output in Base64 in order to view PHP Files"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 12, "seconds": 58}, "tag": "", "line": " Using Burp Intruder to BruteForce Files"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "", "line": " Creating a program to bruteforce home directories"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 26, "seconds": 41}, "tag": "", "line": " Program Finished. 
Finding SSH ID_RSA Key"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Low Priv Access Granted"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 30, "seconds": 24}, "tag": "", "line": " LinEnum.sh shows Wordpress CHMOD'd to 777"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 31, "seconds": 5}, "tag": "", "line": " Examining Wordpress Site (big hint left by author)"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "", "line": " Enumerating MySQL Database"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "", "line": " Giving up on MySQL, lets edit PHP Files to dump passwords!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "", "line": " Identifying the file we want to backdoor"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 37, "seconds": 51}, "tag": "", "line": " Placing our PHP Code"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 42, "seconds": 6}, "tag": "", "line": " Got the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 1, "seconds": 54}, "tag": "windows medium", "line": " Begin Recon, Windows IIS/OS Mapping and GoBuster"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Explanation of Virtual Host Routing"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "windows medium", "line": " Developers name exposed in HTML Source, also discover /monitor"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": 
{"minutes": 11, "seconds": 10}, "tag": "windows medium", "line": " Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " erstand CSRF and write an automated bruteforcer"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 16, "seconds": 33}, "tag": "windows medium", "line": " Discover of Internal-01.bart.htb"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 19, "seconds": 17}, "tag": "windows medium", "line": " Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 29, "seconds": 34}, "tag": "windows medium", "line": " Finally got Hydra to return the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows medium", "line": " Log Poisoning + LFI = Remote Code Execution"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows medium", "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", "line": " Why you should check if you're a 32-bit process on a 64-bit machine"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Start of Failing attempting to do a RunAs... 
Lol."}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 48, "seconds": 35}, "tag": "windows medium", "line": " Attempting to use b33f/FuzzySecurity Invoke-RunAs"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "windows medium", "line": " Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 63, "seconds": 40}, "tag": "windows medium", "line": " ARGH! Lets try to use this account via Empire"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "windows medium", "line": " Bring out the big guns, it's Metasploit Time!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 78, "seconds": 10}, "tag": "windows medium", "line": " Alright, lets poke a hole in the firewall and connect over SMB!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 17}, "tag": "windows medium", "line": " Failed to PSExec in MSF"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### End of Failing!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 40}, "tag": "windows medium", "line": " Found Impacket-PSExec! 
And it works!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Box Done"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 83, "seconds": 45}, "tag": "windows medium", "line": " Lets go hunt for creds!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 95, "seconds": 23}, "tag": "windows medium", "line": " Cracking Salted Hashes with Hashcat (Sha265.Salt)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Original Video with In-Depth Explanations of Intended Solution: https://youtu.be/frh-jYaUvrU"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " End of intro, Start of nmap"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 2, "seconds": 47}, "tag": "linux insane", "line": " Playing with Second-Order Union Injection"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 5, "seconds": 44}, "tag": "linux insane", "line": " Dumping all users"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Converting SFTP Exploit from 64bit to 32bit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 13, "seconds": 27}, "tag": "linux insane", "line": " Reversing SLS Binary"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 15, "seconds": 19}, "tag": 
"linux insane", "line": " Kernel Exploit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 22, "seconds": 31}, "tag": "linux insane", "line": " First Method - Executing ELF Binaries from memory (Reflective loading elf)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 35, "seconds": 57}, "tag": "linux insane", "line": " Second Method - Crashing a program to create a write-able file."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Edit: Whoops forgot @stefano_118 helped create this machine! "}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux insane", "line": " Start of Recon"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 4, "seconds": 58}, "tag": "linux insane", "line": " /documents and /secret rabbit hole enumeration"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 8, "seconds": 13}, "tag": "linux insane", "line": " Using wfuzz on the /secret rabbit hole to find argument for download.php"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux insane", "line": " Begin of Web Application Enumeration, some XSS Found"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 18, "seconds": 23}, "tag": "linux insane", "line": " Throwing bad characters in username and finding Second-Order SQL Injection."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux insane", "line": " Begin of Union Injection to dump the database via second order sql injection"}, {"machine": "HackTheBox - Nightmare", 
"videoId": "frh-jYaUvrU", "timestamp": {"minutes": 39, "seconds": 36}, "tag": "linux insane", "line": " Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 43, "seconds": 54}, "tag": "linux insane", "line": " Enumerating SFTP (Using SSHFS to Dump a File Listing)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux insane", "line": " Converting 64-Bit SFTP Exploit to 32-Bit"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 71, "seconds": 46}, "tag": "linux insane", "line": " Reverse Shell Returned, some stuff and finding Set-GID Binary"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 82, "seconds": 55}, "tag": "linux insane", "line": " Reversing SLS binary with Radare2 (r2)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 107, "seconds": 53}, "tag": "linux insane", "line": " Exploiting SLS Binary with new line character (Get to Decoder User)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 111, "seconds": 47}, "tag": "linux insane", "line": " Begin of Kernel Exploitation (CVE-2017-1000112)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 116, "seconds": 0}, "tag": "linux insane", "line": " Kernel Exploit Compiled (silly mistake before)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 119, "seconds": 52}, "tag": "linux insane", "line": " Creating a new lsb-release file so exploit can identify kernel"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 127, "seconds": 3}, "tag": "linux insane", "line": " Recap of Box"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", 
"timestamp": {"minutes": 129, "seconds": 56}, "tag": "linux insane", "line": " Creating a Tamper Script to do Second-Order SQL Injection"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ###"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " #Referenced Videos:"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ## Holiday Hack Analytics - https://www.youtube.com/watch?v=zcJyhDC9kgo/watch?v=zcJyhDC9kgo"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ## Charon (Union Injection) - https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Testing out a new microphone, enjoy the random video."}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "", "line": " Downloading Empire + PowerShell Port Forward"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 2, "seconds": 13}, "tag": "", "line": " Explaining Empire Directory Structure"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "", "line": " Copying the PowerShell Template (Empire Module) to a working directory"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Creating the Empire Module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Converting PowerShell Port Forward 
Script to an Empire Friendly Format"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 14, "seconds": 54}, "tag": "", "line": " Starting Empire"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 16, "seconds": 58}, "tag": "", "line": " Empire Agent Active"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Checking if the module worked. It did not, begin troubleshooting!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Found the Error! Huzzah!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Reloading the module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 26, "seconds": 4}, "tag": "", "line": " Executing the module again, this time it works."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 18}, "tag": "linux easy", "line": " Start of Recon"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux easy", "line": " Finding hidden directory via Source"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Downloading NibbleBlog to help us with finding version information"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 3, "seconds": 59}, "tag": "linux easy", "line": " Identifying what vresion of NibblesBlog is running"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 4, "seconds": 42}, "tag": "linux easy", "line": " Using SearchSploit to find vulnerabilities"}, {"machine": 
"HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 5, "seconds": 36}, "tag": "linux easy", "line": " Examining the Exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 6, "seconds": 8}, "tag": "linux easy", "line": " Explanation of exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "linux easy", "line": " Attempting to find valid usernames for NibblesBlog"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 9, "seconds": 13}, "tag": "linux easy", "line": " Finding usernames in /content/private"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Using Hydra to attempt to bruteforce"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 14, "seconds": 8}, "tag": "linux easy", "line": " Oh crap. Hydra not good idea we're blocked..."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " -- Some minor panicing about how to continue"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Using SSH Proxies to hit nibbles from another box (Falafel)"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Guessing the password"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "linux easy", "line": " Logged in, lets attempt our exploit!"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 22, "seconds": 46}, "tag": "linux easy", "line": " Code Execution achieved. 
Lets get a reverse shell"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 24, "seconds": 53}, "tag": "linux easy", "line": " Reverse shell returned."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux easy", "line": " Running sudo -l examine sudoer, then finding out why sudo took forever to return"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux easy", "line": " Privesc via bad sudo rules"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux easy", "line": " Alternative PrivEsc via RationalLove"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " *Note: RationalLove was patched after I did this box. So mistakenly thought it was still vulnerable. Enjoy the fails/confusion!"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux hard", "line": " Bruteforcing valid users"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Manually finding SQL Injection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 13, "seconds": 13}, "tag": "linux hard", "line": " Using --string with SQLMap to aid Boolean Detection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 15, "seconds": 41}, "tag": "linux hard", "line": " PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": 
{"minutes": 18, "seconds": 35}, "tag": "linux hard", "line": " Attempting Wget Exploit with FTP Redirection (failed)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 26, "seconds": 39}, "tag": "linux hard", "line": " Exploiting wget's maximum file length"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 36, "seconds": 19}, "tag": "linux hard", "line": " Linux Priv Checking Enum"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Checking web crap for passwords"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Grabbing the screenshot of tty"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " Privesc via Yossi being in Disk Group (debugfs)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "linux hard", "line": " Grabbing ssh root key off /dev/sda1"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 52, "seconds": 15}, "tag": "linux hard", "line": " Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 67, "seconds": 42}, "tag": "linux hard", "line": " Manually exploiting the SQL Injection! 
with Python"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "windows medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows medium", "line": " Start of aChat buffer Overflow: Finding the exploit script with Searchsploit"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 7, "seconds": 24}, "tag": "windows medium", "line": " Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 9, "seconds": 42}, "tag": "windows medium", "line": " Correction: Payload Size wrong, should be 3,xxx -- look at \"Payload Size\" I accidentally highlighted the size of the python file."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Whoops, erased too much out of POC. Lets correctly replace the shellcode this time and get a shell."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows medium", "line": " Running PowerUp to find AutoLogon Credentials"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "windows medium", "line": " Running Code as Administrator"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 24, "seconds": 18}, "tag": "windows medium", "line": " First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work. 
"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 33, "seconds": 12}, "tag": "windows medium", "line": " Summary of the box"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 34, "seconds": 37}, "tag": "windows medium", "line": " Doing the box with Metasaploit, Warning: Lots of fails."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows medium", "line": " Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "windows medium", "line": " Doing the box with Empire !"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "windows medium", "line": " Using Empire's Run_As module to execute commands as Administrator"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 2, "seconds": 8}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux insane", "line": " XXE Detection on Fulcrum API"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux insane", "line": " XXE Get Files"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": 
{"minutes": 23, "seconds": 40}, "tag": "linux insane", "line": " XXE File Retrieval Working"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Lets Code a Python WebServer to Aid in XXE Exploitation"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux insane", "line": " Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 47, "seconds": 28}, "tag": "linux insane", "line": " Shell Returned + Go Over LinEnum"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 56, "seconds": 49}, "tag": "linux insane", "line": " Finding WebUser's Password and using WinRM to pivot"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux insane", "line": " Getting Shell via WinRM, finding LDAP Credentials"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux insane", "line": " Using PowerView to Enumerate AD Users"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 87, "seconds": 6}, "tag": "linux insane", "line": " Start of getting a Shell on FILE (TroubleShooting FW)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 95, "seconds": 35}, "tag": "linux insane", "line": " Getting shell over TCP/53 on FILE"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 97, "seconds": 58}, "tag": "linux insane", "line": " Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... 
Triple Hop Nightmare"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "linux insane", "line": " Troubleshooting the error correctly and getting Domain Admin!"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 123, "seconds": 54}, "tag": "linux insane", "line": " Begin of unintended method (Rooting the initial Linux Hop)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 129, "seconds": 54}, "tag": "linux insane", "line": " Root Exploit Found"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 132, "seconds": 25}, "tag": "linux insane", "line": " Mounting the VMDK Files and accessing AD."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "linux hard", "line": " Begin of Recon: Getting ubuntu version"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Navigating to the CrimeStoppers Page"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux hard", "line": " First Hint - Read The Source!"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " 2nd Hint - No SQL Databases and playing with the upload form"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux hard", "line": " 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Explanation of PHP App and why I went down testing $op parameter"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": 
"bgKth1K44QA", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Testing $op parameter, another hint what year is it?"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Finding out $op appends .php"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "linux hard", "line": " Using php b64 filter to view php files (\"Read the source luke\")"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux hard", "line": " Looking into PHP Wrappers to try to gain code execution"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux hard", "line": " Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux hard", "line": " Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Easy way to copy binary data into BurpSuite (Base64)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux hard", "line": " Getting a shell"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 37, "seconds": 18}, "tag": "linux hard", "line": " Downloading ThunderBird Directory and reading email + getting dom's password"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 46, "seconds": 20}, "tag": "linux hard", "line": " Begin of looking into 
Apache Rootkit (mod_rootme)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 48, "seconds": 4}, "tag": "linux hard", "line": " Begin of using r2 (Radare) to analyze rootkit, basic intro"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 50, "seconds": 55}, "tag": "linux hard", "line": " Analyzing DarkArmy Function"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Grabbing the strings and using python to XOR them to get secret that allows root"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 58, "seconds": 35}, "tag": "linux hard", "line": " Get Root "}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " ##### BOX DONE"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "linux hard", "line": " Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "linux hard", "line": " Second way to get root, looking around at file modification times to find FunSociety in logs"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "windows hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 4, "seconds": 17}, "tag": "windows hard", "line": " Begin of Sharepoint/GoBuster (Special Sharepoint List)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 6, "seconds": 32}, "tag": "windows hard", "line": " Manually browsing to Sitecontent (Get FTP Creds)"}, {"machine": "HackTheBox - Tally", 
"videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 10, "seconds": 18}, "tag": "windows hard", "line": " Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 18, "seconds": 22}, "tag": "windows hard", "line": " Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 25, "seconds": 24}, "tag": "windows hard", "line": " Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 34, "seconds": 35}, "tag": "windows hard", "line": " Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "windows hard", "line": " Begin of RottenPotato without MSF (Decoder's Lonely Potato)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 45, "seconds": 56}, "tag": "windows hard", "line": " Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "windows hard", "line": " Lonely Potato Running to return a Admin Shell"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 64, "seconds": 22}, "tag": "windows hard", "line": " Finding CVE-2017-0213"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 68, "seconds": 33}, "tag": "windows hard", "line": " Installing Visual Studio 2015 && Compiling the exploit"}, {"machine": "HackTheBox - Tally", 
"videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 75, "seconds": 50}, "tag": "windows hard", "line": " Exploit Compiled, trying to get it to work...."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 78, "seconds": 11}, "tag": "windows hard", "line": " Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 88, "seconds": 37}, "tag": "windows hard", "line": " Found the issue, exploit seems to require interactive process"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "windows hard", "line": " Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 1, "seconds": 19}, "tag": "windows medium", "line": " Begin of Enumeration"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows medium", "line": " Avoiding the Rabbit Hole on port 80 (IIS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows medium", "line": " Begin of Jenkins"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows medium", "line": " Using Jenkins Script Console (Groovy) to gain code execution"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows medium", "line": " Reverse TCP Shell via Nishang"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "windows medium", "line": " Reverse Shell returned. 
PowerSplit dev branch to find unintended privesc (Tokens)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows medium", "line": " Powersploit's Invoke-AllChecks completes"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "windows medium", "line": " Finding Keepass Database using Impack-SMBServer to transfer files"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows medium", "line": " Cracking the KeePass Database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "windows medium", "line": " Using KeePass2 to open database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "windows medium", "line": " PassTheHash via pth-winexe to gain administrator shell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "windows medium", "line": " Grabbing root.txt that is hidden via Alternate Data Streams (ADS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "windows medium", "line": " Using RottenPotato to escalate to root via MSF"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "windows medium", "line": " Using Unicorn to gain a reverse MSF SHell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "windows medium", "line": " Performing the attack"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 48, 
"seconds": 0}, "tag": "windows medium", "line": " Impersonating Token to gain root"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Unintended Done. Rest of video is me failing around, may be useful?"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " Good Read: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " If you want to try Rotten Potato without MSF Read this: https://decoder.cloud/2017/12/23/the-lonely-potato/"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Wiresharking NMAP to identify fingerprint"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 5, "seconds": 53}, "tag": "", "line": " Checking the WebPage"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Finding /sync and why web browser has a 403"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Using wfuzz to find what arguments /sync takes"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "", "line": " The actual wfuzz command"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Finding Bad Characters with 
wfuzz"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 24, "seconds": 51}, "tag": "", "line": " Getting command execution"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "", "line": " Privesc to root abusing custom script"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " #### Box Done"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 47, "seconds": 48}, "tag": "", "line": " Examining how NGINX/OpenResty was configured"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 23}, "tag": "linux insane", "line": " Explaining VM Layout"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 1, "seconds": 47}, "tag": "linux insane", "line": " Nmap Start"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux insane", "line": " Poking at Virtual Host Routing (Beehive & Calvin)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 10, "seconds": 25}, "tag": "linux insane", "line": " Fixing GoBuster to find /cgi-bin/"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 11, "seconds": 48}, "tag": "linux insane", "line": " Enumerating WAF (Web Application Firewall), to see how it detects Shellshock"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 15, "seconds": 8}, "tag": "linux insane", "line": " Using VirtualHostRouting to navigate to Calvin.htb.htb"}, {"machine": "HackTheBox - Ariekei", "videoId": 
"Pc4tzsn-ats", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Using ImageTragick to exploit Calvin"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux insane", "line": " Calvin Reverse shell returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 31, "seconds": 35}, "tag": "linux insane", "line": " Poking at /common, which allows pivot to Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux insane", "line": " SSH into the Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux insane", "line": " Explain SSH Local and Remote Port Forwarding"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Beehive Reverse Shell Returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " Finding the root password via /common/containers/bastion-live/Dockerfile"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 54, "seconds": 50}, "tag": "linux insane", "line": " PrivEsc via Docker (much like the LXC shown in Calamity)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 57, "seconds": 5}, "tag": "linux insane", "line": " Getting root access to filesystem"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ==== BOX DONE."}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 58, "seconds": 10}, "tag": "linux insane", "line": " Failing to get root shell via Crontab"}, {"machine": "HackTheBox - Ariekei", 
"videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Yeah screw crontab, lets just create an ssh key."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The CSRF Video I refer to is here: https://www.youtube.com/watch?v=d2nVDoVr0jE at 42m"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Start of Recon, nmap + dump web users"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 3, "seconds": 35}, "tag": "", "line": " Writing Python Program to dump uers."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Dumping Users/Group done. Now to dump PW Hints"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Python coding done."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 57}, "tag": "", "line": " Examining the PW Reset Functionality, reset King (Unintended)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "", "line": " Start of examining File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 33, "seconds": 37}, "tag": "", "line": " Finding local user + Exploiting File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Unintended Privilege Kernel Escalation (CVE-2017-16995)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ----- Box Done, Rest is extra content -----"}, {"machine": "Vulnhub - Trollcave 1.2", 
"videoId": "2EW78bkwztg", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "", "line": " Stealing CoolDude89's Cookie to gain Moderator Access"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "", "line": " Playing with moderator function to promote user to Admin"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "", "line": " Using Admin Permission to unmod admin and gain access to PM's"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 74, "seconds": 50}, "tag": "", "line": " Poking around the box looking for intended PrivEsc"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 82, "seconds": 50}, "tag": "", "line": " Exploiting Calc NodeJS App on Port 88"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 96, "seconds": 45}, "tag": "", "line": " Final Exploits of Calc App"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Troll Cave VM Download: https://www.vulnhub.com/entry/trollcave-12,230/"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of Recon + Finding dompdf"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "", "line": " PHP Wrappers + Failed testing for RCE"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Writing Python Program to automate file disclosure bug"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "", "line": " Finding WebDav Configuration + Uploading Files for RCE"}, {"machine": "HackTheBox - 
Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Modifying Sokar's Forward Shell (PTY over HTTP)"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "", "line": " Forward shell returned"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Using Squid to pivot to ports listening locally + NMAP via ProxyChains"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 47, "seconds": 48}, "tag": "", "line": " Getting nmap on Inception to speed up scanning private network"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 59, "seconds": 16}, "tag": "", "line": " Nmap results returned for 192.168.0.1, FTP Anonymous Login"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 61, "seconds": 15}, "tag": "", "line": " Finding TFTP as a Running Service"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 66, "seconds": 35}, "tag": "", "line": " Using TFTP to grab crontab & creating a pre-invoke apt script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://www.vulnhub.com/entry/pinkys-palace-v2,229/"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 47}, "tag": "", "line": " Start of Recon, get debian rev from apache header."}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Explanation of NMAP Filtered // TCPWrapped"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Enumerating Wordpress"}, {"machine": "VulnHub - 
Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 9, "seconds": 58}, "tag": "", "line": " Finding /secret folder with Port Knock Ports"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 10, "seconds": 42}, "tag": "", "line": " Trying to take advantage of open wordpress installer (Rabbit Hole)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Writing port knock script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "", "line": " Finally successful port knock, lets see what ports are open"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "", "line": " Using Cewl to build a wordlist, then using Hydra to bruteforce HTTP Post Login"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 44, "seconds": 57}, "tag": "", "line": " Login, ignoring an SSH Key :( and instead playing with an LFI!"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "", "line": " Reverse Shell via LFI + Log Poisoning"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 67, "seconds": 50}, "tag": "", "line": " Enough playing, lets crack SSH Key with John + sshng2john"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 73, "seconds": 35}, "tag": "", "line": " Analyzing qsub binary with radare2"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 84, "seconds": 0}, "tag": "", "line": " Finding the command injection in send function"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 86, "seconds": 14}, "tag": "", "line": " 
Exploiting command injection to setup SetUID Binary (Stefano - Pinky)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 89, "seconds": 29}, "tag": "", "line": " Using SSH Keys to get proper session to pinky, then exploit cron script to get to demon"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 96, "seconds": 49}, "tag": "", "line": " Analyzing panel with Radare2"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 108, "seconds": 29}, "tag": "", "line": " Enough of me learning, lets just take the easy route and use GDB+PEDA"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 116, "seconds": 39}, "tag": "", "line": " Finishing up the exploit with some Shell Code"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Start of Recon (NetDiscover/Masscan/Nmap)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 5, "seconds": 37}, "tag": "", "line": " Finding the CGI Script and using Shellshock"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Start creating ShellShock python script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 16, "seconds": 8}, "tag": "", "line": " Converting script \"Forward Shell\" for FW Evasion with mkfifo"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Adding Threading (Background Task) to improve script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "", "line": " Script completed - Attempt to enumerate FW Rules"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 49, "seconds": 0}, 
"tag": "", "line": " Fumbling around with IPv6 (Check out Sneaky Video for more)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "", "line": " Reverse shell via IPv6 and ncat"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "", "line": " Reading Bynarr's mail to get password and PrivEsc via LIME/Memory Dum"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " p"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 67, "seconds": 20}, "tag": "", "line": " Unintended PrivEsc via ShellShock + Environment Variables"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 78, "seconds": 20}, "tag": "", "line": " Begin of MITM (Man in the Middle) First with Ettercap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 84, "seconds": 19}, "tag": "", "line": " Installing Bettercap2 + Usage"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 93, "seconds": 40}, "tag": "", "line": " Spoofing ARP and DNS with BetterCap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 101, "seconds": 11}, "tag": "", "line": " Privesc to root via Git on case-insensitive FS"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 113, "seconds": 30}, "tag": "", "line": " Woot root, lets take a look at the IPTable FW"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 116, "seconds": 0}, "tag": "", "line": " Explaining the exploit a bit better"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Every time I saw CSRF, I means SSRF."}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", 
"timestamp": {"minutes": 0, "seconds": 40}, "tag": "windows insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows insane", "line": " Start of GoBuster"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows insane", "line": " Finding a SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows insane", "line": " Passing arguments to cmd.aspx via SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 12, "seconds": 5}, "tag": "windows insane", "line": " Firewall Enumeration "}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "windows insane", "line": " Begin of setting up ICMP Reverse Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "windows insane", "line": " Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 46, "seconds": 31}, "tag": "windows insane", "line": " Return of ICMP Rev Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows insane", "line": " PrivEsc form IIS to Decoder"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 71, "seconds": 15}, "tag": "windows insane", "line": " Unzipping via Powershell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 74, "seconds": 5}, "tag": "windows insane", "line": " Finding Administrator password hidden in NTFS File Stream"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "windows insane", 
"line": " Using Net Use to mount C: As Administrator"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "windows insane", "line": " Using IDA to analyze root.exe and grab the flag (Misses last character of hash)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 84, "seconds": 15}, "tag": "windows insane", "line": " Using Invoke Command to execute root.exe as admin (Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 92, "seconds": 52}, "tag": "windows insane", "line": " Opening up the Firewall then just using RDP to gain access"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux easy", "line": " Star of Recon"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " GoBuster"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Getting banned and Pivoting to verify"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux easy", "line": " Logging into PFSense"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux easy", "line": " Manually Exploiting PFsense "}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Using Metasploit to exploit"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Creating a Bruteforce Script in Python ( CSRF )"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin of recon"}, 
{"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Finding the vulnerable Wordpress Plugin"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "", "line": " Exploiting lcars plugin "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Logging into WP and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Wordpress RevShell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Using Meterpreter to pivot and provide access to MySQL"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " MySQL Shell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Logging into Joomla and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "", "line": " Joomla Reverse Shell returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "", "line": " Getting Reverse Shell on Host OS (port 443)"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "", "line": " Shell Returned begin of local privesc recon"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 72, "seconds": 6}, "tag": "", "line": " Beginning of Binary Exploitation "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "", 
"line": " Start writing exploit script "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ===== Extra Content ======"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 88, "seconds": 30}, "tag": "", "line": " Analyzing the PHP SQL Injection Scripts"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 96, "seconds": 30}, "tag": "", "line": " Viewing what SQLMap does to exploit this"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "", "line": " Stepping through Double Query Injection"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "", "line": " Writing our own SQL Injection Exploit Script"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " For the unintentional method, I'm just downloading a file versus doing it live on the box because I wanted to save doing it live for another video. 
"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " A really good SSRF Presentation: https://www.youtube.com/watch?v=D1S-G8rJrEk"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 1, "seconds": 38}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux hard", "line": " Accessing port 60000"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Manually enumerating ports on localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Using wfuzz to portscan localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Tomcat creds exposed & Uploading tomcat reverse shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux hard", "line": " Return of shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Extracting NTDS + SYSTEM Hive"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux hard", "line": " Using HashKiller to crack the hashes"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux hard", "line": " Escalating to Atanas & Identifying wget vulnerability"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux hard", "line": " Starting exploit"}, {"machine": "HackTheBox - Kotarak", 
"videoId": "38e-sxPWiuY", "timestamp": {"minutes": 33, "seconds": 22}, "tag": "linux hard", "line": " Exploit failed, light debugging"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux hard", "line": " Issue found, not listening all interfaces"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 39, "seconds": 35}, "tag": "linux hard", "line": " Root shell returned."}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux hard", "line": " Unintentional Root Method (Edited Footage, IP Change)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " GoBuster (Fails)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "", "line": " Screw GoBuster, BurpSpider FTW"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 9, "seconds": 12}, "tag": "", "line": " Examing Routes File to find more pages"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "", "line": " Finding Credentials and downloading backup"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Cracking the zip with fcrackzip"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Finding more credentials (SSH) within MongoSource"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Privesc to Tom User"}, {"machine": "HackTheBox - Node", "videoId": 
"sW10TlZF62w", "timestamp": {"minutes": 35, "seconds": 4}, "tag": "", "line": " Analyzing Backup Binary File"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 36, "seconds": 49}, "tag": "", "line": " Using strace to find binary password"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 40, "seconds": 25}, "tag": "", "line": " Finding blacklisted characters/words"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Unintended method one, abusing CWD"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "", "line": " Unintended method two, wildcards to bypass blacklist"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " Unintended method three, command injection via new line"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "", "line": " Intended root Buffer Overflow ASLR Brute Force"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you want to see more detail on the ret2libc check out October: https://www.youtube.com/watch?v=K05mJazHhF4&t=21m14s"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 3, "seconds": 22}, "tag": "windows hard", "line": " Poking at a rabbit hole (8080)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 8, "seconds": 8}, "tag": "windows hard", "line": " 
GoBuster to find hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "windows hard", "line": " Finding SQL Creds in hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows hard", "line": " Using dbeaver to enumerate database"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows hard", "line": " Impacket-PSExec to Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows hard", "line": " Proving James is not an Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "windows hard", "line": " Using MSF to Enable Remote Desktop to do Incident Response"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows hard", "line": " Start of Remote Desktop Looking at Event Log + Active Directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " Installing Sysmon to get better logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "windows hard", "line": " Looking at Sysmon Logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows hard", "line": " Proving the PrivEsc was due to Impacket-PSExec not cleaning up"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "windows hard", "line": " Using Forensics to get Service Creation Date"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows 
hard", "line": " Finding a HTB User creating a Git Issue to Impacket (LOL)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "windows hard", "line": " Intended Route - Forging a Kerberos Ticket MS14-068"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "windows hard", "line": " Explaining why the unintended route probably got created"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you want some more details about the actual ShellShock exploit, check out the Beep Video. "}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Begin Nmap, OS Enum via SSH/HTTP Banner"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " GoBuster"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 7, "seconds": 8}, "tag": "", "line": " Viewing CGI Script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Begin NMAP Shellshock"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Debugging Nmap HTTP Scripts via Burp"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 11, "seconds": 10}, "tag": "", "line": " Fixing the HTTP Request & nmap script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Performing Shellshock & more fixing"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Shocker", 
"videoId": "IBlTdguhgfY", "timestamp": {"minutes": 21, "seconds": 19}, "tag": "", "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Rooting the box"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "", "line": " Nmap"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 1, "seconds": 31}, "tag": "", "line": " Examining some odd behavior. Nmap different result than browser."}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Getting to /admin and testing for Zone Transfer"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Testing SSH Default Raspberry Pi Creds"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 6, "seconds": 11}, "tag": "", "line": " Escalate to root 'sudo su'"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Recovering the deleted root.txt"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 8, "seconds": 38}, "tag": "", "line": " GrepFu"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "", "line": " Downloading /dev/sdb via SSH"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 12, "seconds": 48}, "tag": "", "line": " Running Binwalk against it"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 13, "seconds": 18}, "tag": "", "line": " Trying to recover with TestDisk"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 14, "seconds": 37}, "tag": "", "line": " Trying to recover 
with PhotoRec"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Nmap"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 2, "seconds": 23}, "tag": "linux hard", "line": " Examining the Web Page"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 8}, "tag": "linux hard", "line": " GoBuster"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 53}, "tag": "linux hard", "line": " Finding /uploads/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " Finding /secret_area_51/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Using Audacity to find Steg in Audio"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux hard", "line": " FTP With Creds revealed from Steg"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 10, "seconds": 6}, "tag": "linux hard", "line": " Examining files downloaded from FTP"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 12, "seconds": 43}, "tag": "linux hard", "line": " Finding decryption key + blob"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 14, "seconds": 33}, "tag": "linux hard", "line": " Using Python seccure to decrypt ecc"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 5}, "tag": "linux hard", "line": " SSH Into Shrek as SEC"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "linux hard", "line": " Farquad Rabbit Hole"}, 
{"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 17, "seconds": 42}, "tag": "linux hard", "line": " Incident Response : Finding files modified between two times"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 20, "seconds": 47}, "tag": "linux hard", "line": " What is /usr/src/thoughts.txt?"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux hard", "line": " Privesc through cron running: chown *"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Blog Post: https://reboare.github.io/lxd/lxd-escape.html"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "linux hard", "line": " Begin of recon"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " GoBuster"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " admin.php discovered, finding the pw"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux hard", "line": " Getting Code Execution"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Finding out why Reverse Shells weren't working"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux hard", "line": " Getting a reverse shell by renaming nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Transfering files via nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", 
"timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Opening the wav file"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux hard", "line": " Using audiodiff to identify differences in sound"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 17, "seconds": 5}, "tag": "linux hard", "line": " The next step, why is the same song there twice?"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux hard", "line": " Importing files into Audacity and Inverting"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "linux hard", "line": " Attempting to exploit the process blacklist"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Unintended root LXC Background"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Creating an Alpine LXC"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Importing the image into lxc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Creating the container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Adding the host drive to container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux hard", "line": " Starting the container and entering it"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 5}, "tag": 
"linux hard", "line": " Examining the Process Blacklist script "}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 54}, "tag": "linux hard", "line": " Running through the exploit again on a Ubuntu Host"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "windows easy", "line": " Start of Recon"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "windows easy", "line": " Finding NMAP Scripts (Probably a stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows easy", "line": " Running Safe Scripts - Not -sC, which is default."}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 52}, "tag": "windows easy", "line": " Listing NMAP Script Categories (Prob a really stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 3, "seconds": 18}, "tag": "windows easy", "line": " Really Cool Grep (Only show matching -oP)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "windows easy", "line": " Nmap Safe Script Output"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Exploiting MS17-010 with MSF"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "windows easy", "line": " Setting up Dev Branch of Empire"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 9, "seconds": 7}, "tag": "windows easy", "line": " Starting a Listener"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows easy", "line": " Getting a PowerShell Oneliner to 
launch payload"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 12, "seconds": 16}, "tag": "windows easy", "line": " Invoke-Expression (IEX) to Execute Launcher"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "windows easy", "line": " Interacting with a single agent"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows easy", "line": " Using Modules - PowerUp Invoke-AllChecks"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "windows easy", "line": " Fixing weird issue with PS Module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "windows easy", "line": " Invoke-AllChecks finished"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 15}, "tag": "windows easy", "line": " Loading PS Modules into Memory"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "windows easy", "line": " Executing funcitons out of above module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "windows easy", "line": " Why I don't pass to MSF via InjectShellcode"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows easy", "line": " How I pass from Empire to MSF (Unicorn + IEX)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 25, "seconds": 53}, "tag": "windows easy", "line": " Just running Powershell CMDs from Empire (Shell)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux insane", "line": " Recon - NMAP"}, {"machine": "HackTheBox - Jail", 
"videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 5}, "tag": "linux insane", "line": " Recon - Getting Linux Distro"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "linux insane", "line": " Recon - GoBuster"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux insane", "line": " Analyzing Jail.c source"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux insane", "line": " Begin Binary Exploitation"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux insane", "line": " Verify Buffer Overflow"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "linux insane", "line": " Create Exploit Skeleton"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux insane", "line": " Finding EIP Overwrite"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 23, "seconds": 2}, "tag": "linux insane", "line": " Adding Reverse TCP Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 30, "seconds": 15}, "tag": "linux insane", "line": " Switching to \"Socket Re-Use\" Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux insane", "line": " Shell Returned"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " NFSv3 Privesc Begin"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux insane", "line": " Begin incorrectly playing with SetUID"}, {"machine": "HackTheBox - Jail", "videoId": 
"80-73OYcrrk", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "linux insane", "line": " SELinux Escape"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 45, "seconds": 25}, "tag": "linux insane", "line": " Using SELinux Escape to copy SSH Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux insane", "line": " Logging in as Frank"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " Privesc to adm (sudo rvim)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 51, "seconds": 44}, "tag": "linux insane", "line": " Begin of finding a way to root"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 55, "seconds": 58}, "tag": "linux insane", "line": " Begin cracking rar file "}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 57, "seconds": 18}, "tag": "linux insane", "line": " Using Hashcat to generate custom wordlist"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux insane", "line": " Cracking with JohnTheRipper"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux insane", "line": " RsaCtfTool to exploit weak SSH Pub Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 63, "seconds": 36}, "tag": "linux insane", "line": " Login as root with SSH Private Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 64, "seconds": 11}, "tag": "linux insane", "line": " EXTRA CONTENT: Alternative Privesc to ADM (NFS)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 65, "seconds": 21}, "tag": "linux insane", "line": " Creating a directory 
to give other users NFS Write access"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux insane", "line": " Correct way to do SetUID Program"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 71, "seconds": 4}, "tag": "linux insane", "line": " Using SetUID Programs to write to disk"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Begin Recon (NMAP)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 4, "seconds": 19}, "tag": "", "line": " GoBuster HTTP + HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "", "line": " Accessing Pages "}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Using Hydra against HTTP + HTTPS Web Forms"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Logging into HTTP and hunting for vulns"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Second Hydra attempt against HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 57}, "tag": "", "line": " Logging into HTTPS (phpLiteAdmin)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 20, "seconds": 17}, "tag": "", "line": " Chaining Exploits to get Code Execution"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 26, "seconds": 38}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - 
Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " LinEnum.sh Script Review"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Watching for new Processes"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Found the error in script :)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "", "line": " Getting reverse root shell"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 41, "seconds": 51}, "tag": "", "line": " Intended Route to get User"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 46, "seconds": 12}, "tag": "", "line": " Reviewing Knockd configuration"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 49, "seconds": 33}, "tag": "", "line": " Doing the PortKnock"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The STTY command I messed up was simply `stty rows ## cols ##`"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Begin Recon with Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Examining findings from Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Decompiling java Jar Files with JAD"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 8, "seconds": 18}, "tag": "", "line": " Using JD-GUI"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 10, "seconds": 
33}, "tag": "", "line": " Running WPScan"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Manually enumerating wordpress users"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 43}, "tag": "", "line": " SSH To the box and PrivEsc"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ------ Box Completed, Below extra content (Some mistakes, pretty much do this live without prep)"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Rabbit hole, gaining access through FTP"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 17, "seconds": 9}, "tag": "", "line": " Finding Wordpress DB Password"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 18, "seconds": 33}, "tag": "", "line": " Switching to WWW-DATA by using phpMyAdmin + Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "", "line": " Generating a PHP Password for Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Gaining code execution with Wordpress Admin access"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "", "line": " Shell as www-data"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "", "line": " Enumerating Kernel Exploits with Linux-Exploit-Suggester"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)"}, {"machine": 
"Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 17}, "tag": "", "line": " Why I like Tmux"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Creating Tmux Session"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " Bash: Ctrl + R - Recursive Search"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 2}, "tag": "", "line": " Tmux: Prefix Key (default Ctrl+B)"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 5}, "tag": "", "line": " Tmux: New Window - Prefix c"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 7}, "tag": "", "line": " Tmux: Switch Window - Prefix #"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 36}, "tag": "", "line": " My Tmux Config"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Demo of \"nested tmux\""}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Tmux: Rename Window - Prefix ,"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Tmux: Send/Join Pane Prefix [s|j]"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 8}, "tag": "", "line": " Tmux: Setting Search to Vi mode"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Tmux: Enter edit mode Ctrl+["}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "", "line": " 
Tmux: Showing off tmux Searching"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 3}, "tag": "", "line": " Tmux: Copy and pasting lots of text"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 27}, "tag": "", "line": " Tmux: Logging Plugin"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://github.com/tmux-plugins/tmux-logging"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Tmux: Splitting"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Tmux: Zooming - Prefix z"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Tmux: Moving Panes"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Bash: Cycle through past arguments Alt+."}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Bash: Moving cursor to begin, end or skipping words"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "", "line": " Tmux: Help Page Prefix ?"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Image in the intro is an XKCD comic if you didn't immediately recognize it as XKCD check out https://xkcd.com"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 24}, "tag": "", "line": " Recon with Sparta"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " 
Enumerating SSL Certificate "}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "", "line": " Manually View SSL Certificate"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "", "line": " VirtualHostRouting Explanation"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 7, "seconds": 42}, "tag": "", "line": " SQL Injection - Auth Bypass"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Dumping the Database with SQLMap"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Begin of Web Exploit (Regex //e)"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Getting a Shell"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "", "line": " Begin PrivEsc (CronJob)"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 1, "seconds": 26}, "tag": "", "line": " Enumeration Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 2, "seconds": 58}, "tag": "", "line": " WPScan Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Directory Scanning with GoBuster"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 10, "seconds": 54}, "tag": "", "line": " Examining WPScan Output"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Bruteforcing with WPScan"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 14, 
"seconds": 40}, "tag": "", "line": " Bruteforcing HTTP Post with Hydra"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Edit WP Theme to get Code Execution"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 22, "seconds": 9}, "tag": "", "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "", "line": " Privelege Escalation Word Writeable Passwd"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Articles Mentioned:"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " https://ictf.cs.ucsb.edu/pages/the-2016-2017-ictf-ddos.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/index.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 46}, "tag": "linux hard", "line": " NMAP Scan and Review"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 1, "seconds": 53}, "tag": "linux hard", "line": " GoBuster and identify User Agent based Routing"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 4, "seconds": 9}, "tag": "linux hard", "line": " SQLMap the Login"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Login to the page"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "linux hard", "line": " Begin of XSS"}, 
{"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Bypass first XSS Filter"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux hard", "line": " Encoded JS Payload - Getting XSS to call back to us"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 16, "seconds": 56}, "tag": "linux hard", "line": " Using Python to encode JS which will call back to us."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Executing the paylaod"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 25, "seconds": 6}, "tag": "linux hard", "line": " Stage 2 XSS Attack - XMLHttpRequest"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Troubleshooting, No code works the first time."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Stage 2 Fixed."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 40, "seconds": 57}, "tag": "linux hard", "line": " Initial access to /admin"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " Finding Command Injection"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux hard", "line": " Explanation of IP \"Encoding\""}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Rev Shell obtained"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 49, 
"seconds": 30}, "tag": "linux hard", "line": " How I found out about the IP Encode Trick"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "linux hard", "line": " Begin of PrivEsc"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Creator: g0blin"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you're wondering how this could be an hour long video, over half the video is talking about IPv6."}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 44}, "tag": "", "line": " Recon + Web Enum"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 1, "seconds": 33}, "tag": "", "line": " SQL Injection"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Start of IPv6 Talk"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " What is an IPv6 IP Address?"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 11, "seconds": 27}, "tag": "", "line": " Types of IPv6 Addresses"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 14, "seconds": 6}, "tag": "", "line": " IPv6 Subnetting Explained"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " End of IPv6 Primer, Exploit time!"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 22, "seconds": 43}, "tag": "", "line": " Method 1: Getting MAC and calculating 
fe80"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Method 2: Enumerating Networks by pinging Multicast"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 33, "seconds": 56}, "tag": "", "line": " Extra: Getting Windows to respond from Multicast Ping"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 38, "seconds": 7}, "tag": "", "line": " Extra: NMAP Scanning ipv6 local networks"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Convert RPM to DEB (Needed for install nmap on tenten)"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "", "line": " Intended Solution: Getting IPv6 via SNMP"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 43, "seconds": 58}, "tag": "", "line": " No SNMP MIB Output"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 45, "seconds": 58}, "tag": "", "line": " Getting SNMP MIBS Installed and Configured"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 47, "seconds": 52}, "tag": "", "line": " Tool: Enyx - SNMPv6 Enumeration via Python"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 50, "seconds": 44}, "tag": "", "line": " Privesc Enumeration"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 52, "seconds": 49}, "tag": "", "line": " Buffer Overflow"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Rabbit Hole - Searching for SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 6, "seconds": 23}, "tag": "linux hard", 
"line": " Running enumeration in the background (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Rabbit Hole - SQLMap Blog SinglePost.php"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 4}, "tag": "linux hard", "line": " Finding PHP Files in /cmsdata/ (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 53}, "tag": "linux hard", "line": " Manual Identification of SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " SQL Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux hard", "line": " Rabbit Hole - Starting SQLMap in the Background"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " SQL Union Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " Identifying \"Bad/Filtered Words\" in SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 2}, "tag": "linux hard", "line": " SQL Union Finding number of items returned"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 48}, "tag": "linux hard", "line": " Returning data from Union Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 22, "seconds": 48}, "tag": "linux hard", "line": " SQL Concat Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Enumerating SQL 
Databases Explanation (Information_Schema)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 25, "seconds": 46}, "tag": "linux hard", "line": " Returning Database, Table, Columns from Information_Schema"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux hard", "line": " Scripting to dump all columns"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "linux hard", "line": " Listing of columns in SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "linux hard", "line": " Dumping User Credentials"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 41, "seconds": 36}, "tag": "linux hard", "line": " Logging in and exploiting SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Return of reverse shell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Transfering small files from shell to my machine"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 50, "seconds": 56}, "tag": "linux hard", "line": " Using RsaCtfTool to decrypt contents with weak public key"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 52, "seconds": 52}, "tag": "linux hard", "line": " Breaking weak RSA manually"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux hard", "line": " Begin PrivEsc to Root"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux hard", "line": " Transering large files with NC"}, {"machine": "HackTheBox 
- Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "linux hard", "line": " Analyzing SuperShell with BinaryNinja (Paid)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 66, "seconds": 4}, "tag": "linux hard", "line": " Analyzing SuperShell with Radare2 (Free)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 68, "seconds": 22}, "tag": "linux hard", "line": " Exploiting SuperShell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 72, "seconds": 46}, "tag": "linux hard", "line": " Encore. Getting a Root Shell with SetUID Binary"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 1, "seconds": 38}, "tag": "windows easy", "line": " Go to HTTPFileServer"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 2, "seconds": 56}, "tag": "windows easy", "line": " Explanation of Vulnerability"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 4, "seconds": 49}, "tag": "windows easy", "line": " Testing the Exploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "windows easy", "line": " Getting rev tcp shell with Nishang"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 11, "seconds": 54}, "tag": "windows easy", "line": " Shell returned"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "windows easy", "line": " Finding exploits with Sherlock"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "windows easy", "line": " Using Empire Module without Empire for Privesc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 21, "seconds": 0}, "tag": 
"windows easy", "line": " Start of doing the box with Metasploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 22, "seconds": 36}, "tag": "windows easy", "line": " Reverse Shell Returned (x32)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "windows easy", "line": " MSF Error during PrivEsc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 25, "seconds": 35}, "tag": "windows easy", "line": " Reverse Shell Returned (x64)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 26, "seconds": 19}, "tag": "windows easy", "line": " Same PrivEsc as earlier, different result"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 28, "seconds": 47}, "tag": "windows easy", "line": " Examining how Rejetto MSF Module works with Burp"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Really wanted to show people this method of pivoting, but ran into issues last video. 
This video doesn't explain any exploits, just uses plink.exe to set up a tunnel which we can use as a gateway for Reverse_TCP Sessions."}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " If you wanted to see the explanations behind exploits check out the original video: https://www.youtube.com/watch?v=ZfPVGJGkORQ"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Apologies for any confusion/wasted time."}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Heads up. The pivot idea, was a pretty big fail. Should of prep'd more but was short on time. Enjoy watching me struggle, if you wanted to see the pivot stuff working I uploaded an updated video here: https://youtu.be/HQkDL-xh7es"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "windows easy", "line": " Nmap Results (Discovery of WebDav)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "windows easy", "line": " DavTest"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 6, "seconds": 22}, "tag": "windows easy", "line": " HTTP PUT Upload Files"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " MSFVenom Generate aspx payload"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows easy", "line": " User Shell Returned"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": 
{"minutes": 16, "seconds": 23}, "tag": "windows easy", "line": " Get Admin Shell (ms14-070)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 17, "seconds": 14}, "tag": "windows easy", "line": " Beginning of Pivot Fail. Socks Proxy"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 29, "seconds": 35}, "tag": "windows easy", "line": " Shell on Grandpa (CVE-2017-7269)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "windows easy", "line": " Using portfwd to access ports not exposed to routable interfaces"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "windows easy", "line": " Cracking LM Hash Explanation"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows easy", "line": " Cracking LM Hashes via Hashcat"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows easy", "line": " Grandpa acts cranky. Revert. "}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows easy", "line": " Expected behavior when exploiting via CVE-2017-7269. 
None of that auto system weirdness (45:20 gets admin)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows easy", "line": " Using Hashcat to crack NTLM using LM Hashes"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows easy", "line": " Finally log into SMB using the portfwd from 32:45"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 49, "seconds": 7}, "tag": "windows easy", "line": " Random pivot attempt failure."}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " OLEVBA - https://github.com/decalage2/oletools/wiki/olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Extract Macro with olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " ExifTool to examine Document Metadata (Comments used in Macro)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 3, "seconds": 48}, "tag": "", "line": " Examining Macro Code"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 4, "seconds": 21}, "tag": "", "line": " Using Python to explan Right(left))"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Opening ProcMon"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 7}, "tag": "", "line": " 
Why you should be careful when executing portions of \"bad code\""}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 55}, "tag": "", "line": " Viewing Macro's in Word and DeObfuscating by changing Shell to Print"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 12, "seconds": 17}, "tag": "", "line": " Start of Obfuscated Powershell (after de-base64)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 13, "seconds": 21}, "tag": "", "line": " Malicious Powershell Code "}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Upload to VirusTotal"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 16, "seconds": 51}, "tag": "", "line": " Looking at process explorer"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 20, "seconds": 21}, "tag": "", "line": " Looking at Wireshark"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows easy", "line": " Going over NMAP"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows easy", "line": " Anonymous FTP + File Upload"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows easy", "line": " MSFVenom "}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "windows easy", "line": " Metasploit"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 10, "seconds": 0}, 
"tag": "windows easy", "line": " Exploit Suggestor"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Getting Root"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Using CheckSEC to explain the binary protections that can be applied."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Running the binary to discover a segfault with long string of A's"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instruction Pointer)"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Using Pattern Create to identify where we can overwrite RSP"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Using PwnTools to create a skeleton exploit"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset Table) Address for PUTS so we can use ROP to write to the screen"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Using R2 (radare) to find the location to a pop rdi function"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Building the gadget chain to 
print the location of PUTS"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Packing the addresses in our exploit with p64(), then showing the leaked address"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Storing the leaked address as a variable so we can convert it to hex"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Memory address retrieved! It changes every time the program loads, so adding a ROP back to MAIN"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Looking for a SYSTEM() Address with ReadElf"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Using strings to find the location of \"/bin/sh\" within libc"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "", "line": " Using the leaked addresses to find where libc is loaded"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Fixing up some memory addresses then getting a shell!"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Using Pwntools to the max! 
Having it automate a lot of stuff."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Mapping the ELF + LIBC within PwnTools"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "", "line": " Using PwnTools to build the ROP Chain to leak PUTS"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Using PwnTools to rebase LibC From our memory leak"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " Using PwnTools to pull the SYSTEM and /bin/sh information from LibC"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Debugging some errors then getting a shell!"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Bitterman: https://github.com/ctfs/write-ups-2015/blob/master/camp-ctf-2015/pwn/bitterman-300/bitterman?raw=true"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Good Links."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Great Writeup to similar CTF Challenge: https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Basic Web 
Page Discovery"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Examining Cookies - Pt1 (Burp Sequencer)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 5, "seconds": 5}, "tag": "", "line": " Fuzzing Usernames (2nd Order SQL Injection)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Examining Cookies - Pt2"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Cookie Bitflip"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Oracle Padding Attack - Pt1"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Rooting the Box"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Oracle Padding Attack - Pt2"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " GoBuster"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Exploiting exposed.php"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Getting Shell"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 20, "seconds": 9}, "tag": "", "line": " Screen Privesc"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 0, "seconds": 27}, "tag": "", "line": " Port Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 2, "seconds": 54}, "tag": "", "line": " UDP Port Review"}, {"machine": "HackTheBox 
- Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " TFTP Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Cracking Squid PW"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " FoxyProxy Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Burp Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Running Commands"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Reverse Shell"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " PrivEsc to Alekos #1"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " PrivEsc to Alekos #2"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 37}, "tag": "", "line": " Root #1 (SymLink)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 48}, "tag": "", "line": " Root #2 (Tar Checkpoint)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 44, "seconds": 45}, "tag": "", "line": " Root #3 (Remove Development)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Nmap Results"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " DNS Enumeration"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 4, "seconds": 8}, "tag": "", "line": 
" HTTP VirtualHost Routing"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 5, "seconds": 28}, "tag": "", "line": " DirSearch (Web Enumeration) "}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " HTTP Redirect Vulnerability"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 13, "seconds": 23}, "tag": "", "line": " PW in Balance-Transfer"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " File Upload, WebShell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 21, "seconds": 48}, "tag": "", "line": " First Shell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " First Privesc Method (SUID)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 31, "seconds": 38}, "tag": "", "line": " Second Privesc Method (passwd)"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " Sherlock was fixed, should no longer report the false negative https://github.com/rasta-mouse/Sherlock/commit/ceb49f5b54be54effbada47fa3198abf744af390"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " If you wanted to do this with MSF -- Watch the Arctic Video and use the exploit shown in the video. If it doesn't work, try changing the payload with the exploit and ensure you're a 64 bit process."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Watch me fail my way to victory as I exploit beep 4 different ways. 
Next time I try to exploit something multiple ways, I'll probably split it up in multiple videos."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 1, "seconds": 35}, "tag": "", "line": " Method 1: LFI + Password"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 16, "seconds": 3}, "tag": "", "line": " Method 2: Turning LFI into RCE"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 37, "seconds": 46}, "tag": "", "line": " Method 3: Code exec via call"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Method 4: Shellshock"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 20}, "tag": "linux insane", "line": " Recon"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux insane", "line": " Start of WP Hacking"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux insane", "line": " Logged into WP"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux insane", "line": " Login to SuperSecretForum"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux insane", "line": " Cracking the SSH Key"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux insane", "line": " Begin of getting root.txt (RSA Cracking)"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " http://rumkin.com/tools/cipher/ -- Site used to during the SecretForum stuff."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 12}, "tag": "windows easy", "line": " Enumerate with nmap"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "windows easy", "line": " Going to the webpage"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "windows easy", "line": " Using SearchSploit to find ColdFusion Exploits"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "windows easy", "line": " Attempt to exploit through MSF. Debug why it failed."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows easy", "line": " Setting up a Burp Redirect listener"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows easy", "line": " Examining request send by MSF Exploit"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows easy", "line": " Using Unicorn to create a Powershell Meterpreter Loa"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " der"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "windows easy", "line": " Reverseshell returned"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "windows easy", "line": " Using the MSF post module 
local_exploit_suggestor"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 15, "seconds": 29}, "tag": "windows easy", "line": " Privesc via MS10-092"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Twitter @ippSec"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Low Priv: Default Account + File Upload"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PrivEsc: Return to LibC + ASLR Bruteforce"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Pulling up Web Page."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Searchsploit"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " Enumerating Version (Download Versions, Hash Static Files)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Default cred /backend -- Upload Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 9, "seconds": 51}, "tag": "", "line": " User Reverse Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Transfering file over nc"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Begin \"fuzzing\" Binary"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " GDB Analysis"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", 
"timestamp": {"minutes": 18, "seconds": 46}, "tag": "", "line": " Get a full reverse shell with tab autocomplete."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Showing ASLR changing address "}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "", "line": " Disable ASLR on Exploit Dev Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Start of exploit development for ovrflw binary (Pattner_Create)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "", "line": " Start of Return to LibC attack - Getting Addresses"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "", "line": " Grabbing memory locations off October Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "", "line": " Convert script to Bruteforce ASLR"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "", "line": " TMUX and Connecting to HTB"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Virtual Host Routing Explanation"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " File Enumeration (Dirb)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 3, "seconds": 59}, "tag": "", "line": " Discover of Web App"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": 
{"minutes": 5, "seconds": 45}, "tag": "", "line": " Starting SQLMap in the Background"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Uploading a PHP Shell"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 14, "seconds": 1}, "tag": "", "line": " Python PTY Reverse Shell (Tab Autocomplete!)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "", "line": " MOTD Root (Method 1)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "", "line": " Dirtyc0w Root (Method 2)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Twitter: @ippSec"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Low Priv - File Upload (Torrent image)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Roots: MOTD/PAM exploit and DirtC0w"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Stuff about phpinfo(): https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Python PTY Shells: https://github.com/infodox/python-pty-shells"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/tokens/"}, {"machine": "HHC2016 - Getting Coins", 
"videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Note: Video may contain slight errors, most notably in this video is using \"function\" and \"variable\" interchangeably."}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#analytics"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Note: Video may contain slight errors, most notably in this video is mistakenly saying \"Hash\" instead of \"Encrypt\" (ex: @5 minutes). "}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " A full text writeup can be found at:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#exception"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#debug"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#ad"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": 
{"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up Link:"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-3/"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#dungeon"}] \ No newline at end of file +[{"machine": "Academy: Learning Process", "academy": "9", "line": "Free HackTheBox Course on getting into the right mindset to learn.\n", "tag": ""}, {"machine": "Academy: Intro to Academy", "academy": "15", "line": "Free HackTheBox Course on using the Academy Platform\n", "tag": ""}, {"machine": "Academy: Hacking Wordpress", "academy": "17", "line": "HackTheBox Course on Hacking Wordpress. This cost 100 cubes, which is ~$10\n", "tag": ""}, {"machine": "Academy: Network Enumeration with Nmap", "academy": "19", "line": "HackTheBox Course on using NMAP to its fullest. This cost 50 cubes, which is ~$5\n", "tag": ""}, {"machine": "Academy: Cracking Passwords with Hashcat", "academy": "20", "line": "HackTheBox Course on using Hashcat to its fullest. This cost 100 cubes, which is ~$10\n", "tag": ""}, {"machine": "Academy: Active Directory LDAP", "academy": "22", "line": "HackTheBox Course on Enumerating Active Directory over LDAP. 
This cost 1000 cubes, which is ~$100\n", "tag": ""}, {"machine": "Academy: File Inclusion / Directory Traversal", "academy": "23", "line": "Free HackTheBox Course on performing Directory Traversal and File Inclusion attacks\n", "tag": ""}, {"machine": "Academy: Web Requests", "academy": "35", "line": "Free HackTheBox Course about HTTP or Web Requests\n", "tag": ""}, {"machine": "Academy: Secure Coding 101: Javascript", "academy": "38", "line": "HackTheBox Course on Javascript Coding. This cost 1000 cubes, which is ~$100\n", "tag": ""}, {"machine": "Academy: Javascript Deobfuscation", "academy": "41", "line": "Free HackTheBox Course on Deobfuscating Javascript\n", "tag": ""}, {"machine": "Academy: Whitebox Pentesting 101: Command Injection", "academy": "48", "line": "HackTheBox Course on Command Injection Vulnerabilities. This cost 500 cubes, which is ~$50\n", "tag": ""}, {"machine": "Academy: Windows Fundamentals", "academy": "49", "line": "Free HackTheBox Introductory Course on Windows\n", "tag": ""}, {"machine": "Academy: Linux Privilege Escalation", "academy": "51", "line": "HackTheBox Course on Linux Privilege Escalation. This cost 500 cubes, which is ~$50\n", "tag": ""}, {"machine": "Academy: Attacking Web Applications with FFUF", "academy": "54", "line": "Free HackTheBox Course on using FFUF\n", "tag": ""}, {"machine": "Academy: Login Brute Forcing", "academy": "57", "line": "Free HackTheBox course on bruteforcing common logins\n", "tag": ""}, {"machine": "Academy: Active Directory PowerView", "academy": "68", "line": "HackTheBox course on Active Directory Enumeration and Exploitation with PowerView. This cost 1000 cubes, which is $100\n", "tag": ""}, {"machine": "Academy: Active Directory BloodHound", "academy": "69", "line": "HackTheBox Course on using Bloodhound, including writing cypher queries for custom graphs! 
This cost 500 cubes, which is $50\n", "tag": ""}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction talking about the power of Jinja2"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Quick Jinja2 introduction, showing how Ansible uses templates"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Using Jinja2 Loops with Ansible Variables to build URL's of Firefox Plugins and not put a comma on the last item."}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Showing how we can automate installing extensions in Firefox by editing the /usr/share/firefox-esr/distribution/policies.json"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Copying our test playbook of configuring Firefox into our main playbook as a role"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Showing a really good BurpSuite role, but we won't use this. 
I'd recommend you learn it"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Short rant on what I initially tried to do but gave up attempting (grabbing certificate out of userPrefs)"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Showing how the Ansible Plugin works, by starting BurpSuite in Headless mode, accepting the license then downloading off of Burps Website"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "", "line": " Struggling to get a shell script to download the Burp Certificate"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "", "line": " Playbook appears to work, but Burp was running from a previous test which made it work. 
We fix this at 1:08:15"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Using our VSCode with Github Copilot to have AI Help us make playbooks"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "", "line": " Telling BurpSuite to only download the Certificate if it doesn't exist already"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Back to automating firefox, having it autoinstall our CA Certificate from BurpSuite"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "", "line": " Editing the font sizes in BurpSuite"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Install Jython and JRuby so we can easily install BurpSuite Plugins"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 64, "seconds": 38}, "tag": "", "line": " Attempting to install our playbook on a fresh copy of Parrot and running into an issue."}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "", "line": " Fixing our BurpSuite Activation, simplifying the shell command by making it a bash script"}, {"machine": "Configuring Burpsuite and Firefox via Ansible - Intro to Jinja2 and Ansible", "videoId": "XDJB0TVKtNk", "timestamp": {"minutes": 76, "seconds": 
6}, "tag": "", "line": " Adding a pkill Java and increasing the time we wait for burpsuite to run. Then showing everything works!"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Introduction"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "windows medium", "line": " Examining SSL Certificates and seeing \"sequel-DC-CA\", which hints towards there being a Certificate Authority"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Using CrackMapExec to enumerate file shares"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows medium", "line": " Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows medium", "line": " Using mssqlclient to login to access MSSQL"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows medium", "line": " Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "windows medium", "line": " Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 20, "seconds": 45}, 
"tag": "windows medium", "line": " Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "windows medium", "line": " Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows medium", "line": " Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Cannot use the certificate for WinRM because there isn't SSL (5986)"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows medium", "line": " Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "windows medium", "line": " Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "windows medium", "line": " Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets"}, {"machine": "HackTheBox - Escape", "videoId": "PS2duvVcjws", "timestamp": 
{"minutes": 43, "seconds": 0}, "tag": "windows medium", "line": " Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator"}, {"machine": "Building Ippsec's Parrot VM - How to Run the Playbook.", "videoId": "eMI7g4huIsc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Github Repo: https://github.com/ippsec/parrot-build"}, {"machine": "Building Ippsec's Parrot VM - How to Run the Playbook.", "videoId": "eMI7g4huIsc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " This is a quick video just to show how to run my Ansible Playbook to build out my Parrot VM. Check out the Building Parrot Playlist to see how this all works, so you can customize things to your liking."}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sponsor Link: https://snyk.co/ippsec"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Repo Here: https://github.com/IppSec/parrot-build"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction Promoting Snyk"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "", "line": " Showing why we are using VSCode and not Codium"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Showing Ansible Galaxy, which are community provided roles. 
Specifically the Visual Studio Code one and creating requirements.yml"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Adding the Visual Studio Code role to our playbook and installing a couple extensions"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Going to the Visual Studio Code Marketplace and showing how we get extension names to add to our playbook, then running our playbook"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Opening VS Code and Signing in to Copilot, then showing it do some predictive typing with python"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "", "line": " Showing Autopilot works with Ansible Playbooks"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 11, "seconds": 10}, "tag": "", "line": " Downloading the web application on TwoMillion, so we can use Snyk to analyze it"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 12, "seconds": 28}, "tag": "", "line": " Installing the Snyk VSCode Plugin"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "", "line": " Opening VS Code and authenticating with Snyk"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "", "line": " Talking about Snyk Open Source Security"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", 
"videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Enabling Snyk Code Scanning to have it scan our code and find vulnerabilities"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " Showing Snyk find the RCE Vulnerability and it providing examples on how other applications fixed the vulnerability"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "", "line": " Installing an PHP Extension to enable our IDE to have better PHP Support and easily see where functions are called"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Diving into the RCE Vulnerability and figuring out HTTP Endpoint that is vulnerable to it"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Patching the vulnerability"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Showing the code Quality Piece and it talking about unreachable code"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "", "line": " Playing with Copilot, adding a new HTTP Endpoint to delete a VPN and seeing how much code it will auto suggest"}, {"machine": "Installing VSCode with Copilot and Snyk via Ansible", "videoId": "VRz_vtPBZzA", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Closing thoughts, talking about future videos in this series"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": 
"2y68gluYTcc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The Github Repo: https://github.com/IppSec/parrot-build"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro downloading the HTB Edition of Parrot and talking about basic VM Things"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Talking about using Ansible to install software after and why we should not use Snapshot's for a long-term solution."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Parrot has been installed! Fixing up the Terminal real quick and talking about how to set the prompt like I have it"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " Installing Ansible with apt"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Creating our first playbook, doing some quick introduction things"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Creating an Ansible Role to configure tmux"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Looking at all the ansible_facts to see the variable where our home is stored"}, {"machine": "Rebuilding Parrot and Using Ansible to Script 
Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Using the copy module in ansible to copy files to our users home directory"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "", "line": " Start creating an ansible role for customizing our terminal"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " Looking at how Mate Terminal creates profiles and exporting our settings so ansible can load it. Lots of using dconf"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Using Ansible to start configuring mate terminal"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 38, "seconds": 27}, "tag": "", "line": " Creating a new fact (variable) and using regex_replace to remove the last character, so we can append to the list."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Using when, so an ansible task will be skipped if the string 'video' is in profile_list."}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "", "line": " Creating an Ansible Role to install tools such as Kerbrute"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "", "line": " This time our role will have 
multiple task files, so when we have 100 tools we will be able to easily remove tools we don't want"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "", "line": " Using the ansible shell module to run multiple commands"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "", "line": " Ansible script complete! Rebuilt my VM and am running the script to see if it works"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 57, "seconds": 10}, "tag": "", "line": " Looking at the role that errored, showing when there are no profiles /org/mate/terminal/global does not exist"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " Adding another check to create a standard profile_list.value when profile_list is None"}, {"machine": "Rebuilding Parrot and Using Ansible to Script Customizations to My Image", "videoId": "2y68gluYTcc", "timestamp": {"minutes": 59, "seconds": 40}, "tag": "", "line": " Re-running our playbook and having our parrot built!"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap, assuming the web app is NodeJS based upon a 404 message"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux easy", "line": " Running Gobuster and discovering Tiny File Manager"}, {"machine": "HackTheBox - Soccer", 
"videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Looking for the source code and finding a default password of admin@123"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Navigating to uploads and attempting to upload a php shell to the website"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Getting a reverse shell with our php shell"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Talking about hidepid=2 is set, so we can't see processes for other users"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Looking at nginx configuration to see what port 9091 is and discovering a new subdomain (soc-player.soccer.htb)"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Navigating to soc-player.soccer.htb and discovering a few more pages"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " The /check endpoint looks like it is vulnerable to Boolean SQL Injection"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " Intercepting the websocket in BurpSuite and showing "}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux easy", "line": " Using SQLMap to dump the database, first time I've used 
SQLMap with websockets"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Attempting to ssh with creds found in the database and logging in as player"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Looks like we can run doas, which is like sudo. Looking at the command we can run and seeing dstat"}, {"machine": "HackTheBox - Soccer", "videoId": "V_CkT7xyiCc", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux easy", "line": " Creating a dstat plugin, then executing it with doas"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 0, "seconds": 18}, "tag": "linux easy", "line": " Start of nmap, scanning all ports with min-rate"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "linux easy", "line": " Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Attempting to enumerate usernames"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Solving the HackTheBox Invite Code Challenge"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Sending the code to JS-Beautify"}, {"machine": "HackTheBox - TwoMillion", "videoId": 
"Exl4P3fsF7U", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux easy", "line": " Creating an account and logging into the platform then identifying what we can do"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux easy", "line": " Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux easy", "line": " Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux easy", "line": " Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc"}, {"machine": "HackTheBox - TwoMillion", "videoId": 
"Exl4P3fsF7U", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux easy", "line": " Searching for the OverlayFS Kernel Exploit"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 37, "seconds": 27}, "tag": "linux easy", "line": " Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux easy", "line": " Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux easy", "line": " Testing for command injection with a poisoned username"}, {"machine": "HackTheBox - TwoMillion", "videoId": "Exl4P3fsF7U", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "linux easy", "line": " Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux 
medium", "line": " Looking for LFI, then exploring /proc to find where the application is and extracting the source code"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Using wscat to test the websocket"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "linux medium", "line": " Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Looking at what TypeNameHandling means in NewtonSoft's deserialize"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Looking for a gadget to use with our deserialization"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux medium", "line": " Building the deserialization payload"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux medium", "line": " Dumping Phil's SSH Key, then logging in"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " The dotnet app, had developers password, switching to that 
user"}, {"machine": "HackTheBox - Bagel", "videoId": "teHGtY_ta40", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Developer can run dotnet with sudo, using the FSI gtfobin to get a shell."}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap discovering Active Directory (AD)"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows insane", "line": " Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "windows insane", "line": " Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 13, "seconds": 55}, "tag": "windows insane", "line": " Building Kerbrute from source to get the latest feature of auto ASREP Roasting"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows insane", "line": " Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows insane", "line": " Running Bloodhound with D.Klay, using Kerberos authentication"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "windows insane", "line": " Going over the bloodhound data and finding some attack paths"}, {"machine": "HackTheBox - Absolute", 
"videoId": "rfAmMQV_wss", "timestamp": {"minutes": 31, "seconds": 13}, "tag": "windows insane", "line": " Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "windows insane", "line": " EDIT: Don't want to use Blodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows insane", "line": " End of edit: Using SMBClient with SVC_SMB and Kerberos to download files"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 46, "seconds": 22}, "tag": "windows insane", "line": " Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "windows insane", "line": " Running test.exe and getting m.lovegod's password from LDAP"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "windows insane", "line": " Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "windows insane", "line": " Pulling a version of Impacket that has DACLEDIT and building it"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "windows insane", "line": " Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 68, 
"seconds": 20}, "tag": "windows insane", "line": " Running Certipy to add shadow credentials to winrm_user so we can login "}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "windows insane", "line": " Using WinRM to login to the box with our shadow credential"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "windows insane", "line": " Start of fumbling around with KRBRelay to privesc"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 78, "seconds": 40}, "tag": "windows insane", "line": " Using RunasCS to change our LoginType which may allow us to run KRBRelay"}, {"machine": "HackTheBox - Absolute", "videoId": "rfAmMQV_wss", "timestamp": {"minutes": 87, "seconds": 40}, "tag": "windows insane", "line": " Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Checking out the web page and finding command injection in the URL "}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Space appears to be a bad character with command injection. 
Normal tricks like brace expansion or IFS don't work."}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Trying IFS to be a space but the trailing character makes it difficult"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " The POC puts a space before the exploit which then removes the space being a bad character in our exploit"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 14, "seconds": 29}, "tag": "linux easy", "line": " Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux easy", "line": " End of edit, shell as ruby, discovering credentials in a config file for henry"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 22, "seconds": 53}, "tag": "linux easy", "line": " Henry can run sudo, discover he can execute a ruby script"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Looking up a ruby deserialization exploit with YAML"}, {"machine": "HackTheBox - Precious", "videoId": "2XSFWiGa2j0", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux easy", "line": " Finding a different payload and getting a root shell"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", 
"line": " Introduciton"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap, navigating to the page and identifying the framework based upon 404"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Playing around looking at javascript source, not getting anything"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Playing around with prd.m.rengering-api.interface.htb... I'm guessing file not found is the webserver, not actual code."}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux medium", "line": " Showing the difficulty of dirbusting API Servers"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux medium", "line": " Showing importance of updating FeroxBuster"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Playing with the HTML2PDF endpoint and discovering we need to send a POST with HTML as an argument"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " The PDF Generated has dompdf 1.2.0 in the exif data searching for exploits"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux medium", "line": " Researching how CVE-2022-28368 works, then manually exploiting the vulnerabiltiy"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " The CSS/Font is created, running the exploit and finding 
where the Font (PHP File) gets uploaded to"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux medium", "line": " Uploading pspy to examine how the box cleans itself up"}, {"machine": "HackTheBox - Interface", "videoId": "yM914q6zS-U", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux medium", "line": " Discovering and exploiting Bash Arithmetic Injection"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Introduction"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of Nmap "}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows hard", "line": " Playing with the web page, but everything is static doing a VHOST Bruteforce to discover school.flight.htb"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "windows hard", "line": " Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows hard", "line": " Since this is a Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "windows hard", "line": " Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", 
"timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows hard", "line": " Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "windows hard", "line": " Checking the shares with S.Moon and discovering we can write to the Shared Directory"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows hard", "line": " Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 26, "seconds": 18}, "tag": "windows hard", "line": " C.Bum can write to Web, dropping a reverse shell "}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows hard", "line": " Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "windows hard", "line": " Using RunasCS.EXE to switch users to cbum"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows hard", "line": " Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "windows hard", "line": " Reverse shell returned as DefaultAppPool, showing it is a System Account"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 50, "seconds": 5}, "tag": "windows hard", "line": " Uploading Rubeus and stealing the kerberos ticket of the 
system account, which because this is a DC we can DCSync"}, {"machine": "Hack The Box - Flight", "videoId": "Jor8DNWLmiM", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows hard", "line": " Running DCSync"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap, attempting to login with FTP then going to the website"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Running WPScan with enumerate all plugins in aggressive mode"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Taking a look at the site while WPScan runs and finding a plugin (BookingPress-Appointment-Booking) and finding an exploit"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux easy", "line": " Replacing the NONCE in the exploit to get it working"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Using SQLMap to dump everything, while we attempt to get only the data we think we are interested in. 
"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Manually dumping the WP_USERS table with the SQL Injection"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "linux easy", "line": " Cracking the wordpress hashes to get a user credential"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 16, "seconds": 57}, "tag": "linux easy", "line": " EDIT: Playing with SQLMap to get it to dump this database"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Searching for Wordpress 5.6.2 exploits, discovering an XXE in WAV Files"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Using the XXE to exfil files off the webserver"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux easy", "line": " Discovering FTP Credentials in the WP Config, logging into the FTP Server and finding SSH Credentials"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux easy", "line": " Logging in as JNelson and seeing PassPie, which is a CLI Password Manager that uses PGP/GPG Keys"}, {"machine": "HackTheBox - MetaTwo", "videoId": "Alx5KQWq7ZM", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Cracking to PGP/GPG Key with John and getting root"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, 
{"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Start of gobuster"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Discovering an upload form, looking for where things get uploaded"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 8, "seconds": 11}, "tag": "linux medium", "line": " You should really watch \"The Perl Jam\""}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux medium", "line": " Showing the weird syntax of perl's file open and how | leads to RCE"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "linux medium", "line": " Back to the box, exploiting and getitng a shell"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, looking at the uploaded files"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "linux medium", "line": " Running LinPEAS to discover a cron"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " There's an outlook email message with an attachment. 
Copying it then converting to eml format and extracting the file"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux medium", "line": " The file was an windows event log. Using Chainsaw to search through the logs"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux medium", "line": " Using Chainsaw and JQ to parse the Successful and Failed logins"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 42, "seconds": 25}, "tag": "linux medium", "line": " In the failed logins field, there's a password as a username and logging in as smorton"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 44, "seconds": 35}, "tag": "linux medium", "line": " There's a binary on this box, copying it to us and opening in Ghidra"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux medium", "line": " Start of reversing, just showing strings and finding out where the get loaded in the program"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux medium", "line": " Retyping done, renaming a few variables to make things easier to read"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "linux medium", "line": " Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghidra to \"Parse C Source\""}, {"machine": "HackTheBox - 
Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "linux medium", "line": " Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts"}, {"machine": "HackTheBox - Investigation", "videoId": "X5hVEuWmehk", "timestamp": {"minutes": 61, "seconds": 5}, "tag": "linux medium", "line": " Showing there is also a race condition in the binary because the curl downloads to CWD and even thoe its owned by root we can rename it and take control over the file"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux medium", "line": " Checking out the API Documentation"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Interacting with the API Server"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux medium", "line": " Showing the file_url, parameter and showing we can access local files"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 6, "seconds": 36}, "tag": "linux medium", "line": " Building a webserver in Flask to make some middleware to exploit this SSRF, allowing us to easily download files from the webserver"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Our middleware works! Can download files off the server. 
"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux medium", "line": " Downloading the apache2 configuration to find where all the webserver files are hosted"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux medium", "line": " Using gobuster against our middleware to discover any hidden webfiles, have to edit our middleware to return 404 if it didn't return a file"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux medium", "line": " Running gobuster against our code now that it gives 404... Its going slow, switching to a different wordlist and finding a .git repository"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Git-Dumper fails because our middleware isn't setting content-type correctly. Have to fix that"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux medium", "line": " Opening the source code from the .git repo up in Visual Studio code and Snyk shows us there is an LFI"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Getting Unacceptable URL when trying to exploit this. 
Removing http:// fixes that showing parse_url in php fails to return the hostname when there is no wrapper"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Getting RCE on a include() statement without poisoning a file on the server with PHP Gadgets"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 26, "seconds": 58}, "tag": "linux medium", "line": " EDIT: Showing there is also a URL Parsing bug on handler.php and we can change the domain that script goes to by inserting an \"@\""}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 31, "seconds": 52}, "tag": "linux medium", "line": " With a shell on the box, discover we can use git with sudo. Inserting a POST-COMMIT hook"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Generating a ed25519 ssh key, because the public key is extremely small... It's also more secure than RSA"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 38, "seconds": 10}, "tag": "linux medium", "line": " Cannot make a git commit because we can't write to the directory. 
But since we can write to .git we can add files outside of the working directory and commit"}, {"machine": "HackTheBox - Encoding", "videoId": "iyGvnmkx1es", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux medium", "line": " Shell as SVC, discovering we can write to systemd, creating a malicious service to get root"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction talking a little bit about "}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Using Extension to show a legitimate password reset"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "", "line": " Modifying the host header and showing the website uses that in the sent email"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " Talking about mail filters auto-clicking links, which means user interaction isn't always required"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Sending a password reset to one of my personal emails, to show a mail filter auto clicks the link"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Got our click! 
Checking the IP Address to show it was a bot"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Showing how easy this vulnerability can occur by having OpenAI Build us code!"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Verifying the code was indeed vulnerable"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "", "line": " Asking the AI ways to protect against this type of attack, the best way is to put a whitelist on valid domains used to generate password reset links"}, {"machine": "Attacking Password Resets with Host Header Injection", "videoId": "KcYBV1L2w_s", "timestamp": {"minutes": 10, "seconds": 37}, "tag": "", "line": " Talking about the other ways to protect against this attack"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 0, "seconds": 51}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Finding some vulnerable-looking parameters"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux medium", "line": " Testing some basic things for LFI, finding a WAF blocking ../. 
Double encoding it to get passed"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 7, "seconds": 11}, "tag": "linux medium", "line": " Start of writing a script to abuse this LFI and crawl/download all the php source"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Making the script recursive, so it will check pages downloaded for new links"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Making the script save the files"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux medium", "line": " Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux medium", "line": " Identifying how the site generates activation codes upon registration identifying an insecure use of SRAND(). 
Generating our own activation code"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux medium", "line": " Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "linux medium", "line": " Building a deserialization object to download a file off our server and write it to the web directory"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 32, "seconds": 8}, "tag": "linux medium", "line": " EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " EDIT: Poisoning our PHP Session with PHP Code as our username, then building an object to copy that to the server so don't need to use a remote host"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 41, "seconds": 38}, "tag": "linux medium", "line": " Getting a shell on the box, dumping credentials from postgres"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 44, "seconds": 55}, "tag": "linux medium", "line": " Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. 
Then cracking the passwords"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "linux medium", "line": " Passwords cracked logging in as bill"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "linux medium", "line": " Using pspy to identify a script runs to renew certificates"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 57, "seconds": 15}, "tag": "linux medium", "line": " Going over the bash script and identifying a command injection vulnerability."}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 61, "seconds": 45}, "tag": "linux medium", "line": " Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 66, "seconds": 4}, "tag": "linux medium", "line": " Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "linux medium", "line": " Putting the payload in $(), and getting root to the box"}, {"machine": "HackTheBox - BroScience", "videoId": "kyPYfqMYQm8", "timestamp": {"minutes": 70, "seconds": 20}, "tag": "linux medium", "line": " Just making sure we fully understood why our first attempts failed"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Running ffuf to discover the 
portal virtual host"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 6, "seconds": 40}, "tag": "", "line": " Logging in with admin:admin and discovering a new cookie"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Looking at the Node-Serialize exploit"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Attempting to do the exploit and discovering modsecurity blocks us, then putting some unicode in the payload to evade it"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "", "line": " Whoops forgot to end the payload with (), so thats why we didn't get our shell"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 17, "seconds": 11}, "tag": "", "line": " EDIT Looking at how modsecurity is configured"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 19, "seconds": 33}, "tag": "", "line": " Showing the NGINX Error Log with modsecurity blocking, taking the unique ID going to the modsecurity log to get more information"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Looking at the JSDECODE transform for modsecurity to fix the rule"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Switching ModSecurity to Detection Only mode or Permissive so we don't block but get logs"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 31, "seconds": 42}, "tag": "", "line": " END OF EDIT, putting an SSH Key on the box"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 34, "seconds": 15}, "tag": "", "line": " 
Attempting to unzip the backup.zip, discovering a password but is using ZipCrypto, doing a plaintext crac with bkcrack to extract it"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Dumping the sssd.ldb database used to join the linux server to the domain. Getting a credential"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "", "line": " Using kinit to get a kerberos ticket, then ksu to switch to root"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Having trouble with tunneling, looking at iptables to see it blocks non-root users from accessing 192.168.0.0"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "", "line": " Looking at the shares to discover a powershell program to reset mobile phone numbers"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "", "line": " Modifying a phone number via ldap and seeing a script will execute what we put in the field"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 71, "seconds": 40}, "tag": "", "line": " Attempting to steal a NTLMv2 Hash, having trouble because NTLM is disabled"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "", "line": " Forwarding port 445 from the webserver to us, so we can use its DNS Name, but need to enable GatewayPorts in SSHD's config to listen on a non-loopback port"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 80, "seconds": 5}, "tag": "", "line": " Building a list of users with ldapsearch, then password spraying the password we cracked to get access to bob.wood"}, {"machine": "HackTheBox 
- Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Downloading dpapi keys and chrome/edge files then using pypykatz to decrypt saved passwords"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 96, "seconds": 11}, "tag": "", "line": " Got all the files on our box, using pypykatz to decrypt saved passwords"}, {"machine": "HackTheBox - Sekhmet", "videoId": "vsgPsMZx59w", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "", "line": " Showing the intended way of bypassing applocker which would allow us to run programs to automatically decrypt everything"}, {"machine": "Twitter Live Now", "videoId": "IzmSQyFAR14", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Three days ago, I was wondering how all the \"Tesla Live Now\" scams faked people talking. After spending around $60 on \"Voice.AI\", I could change my voice to sound like Elon. I was googling to find a way to fake the video, and could probably do it with this: https://github.com/iperov/DeepFaceLive. 
But ended up finding ElonTalks.com (and anyonetalks.com), and the owner of that site was gracious enough to put my audio on top of his video."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction talking about how this box is about finding CVE's and building an exploit based upon exploit"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Running gobuster and showing the importance of using multiple wordlists."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Attempting to register an account, which shows the endpoint /api/register but /api/ returns a 404"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux hard", "line": " Showing that raft-small-words wordlist won't discover .git but commons.txt will because commons has .git/HEAD"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux hard", "line": " Running Git-Dumper to extract the source then looking at the code"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Showing the vulnerable code and how secure the code appears at first glance without knowing specifics about the library"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Googling MySQLJS Sql Injection and showing how you would have found this exploit"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": 
{"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Showing how you could have found it blindly, passing an object into the SQL Query and doing SQL Injection on NodeJS with MySQL"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Logging in and finding OpenWebAnalytics version 1.7.3, finding a CVE and writeup for the vulnerability"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Showing the piece missing from the writeup that tells us how we can retrieve the cache file that can be used to reset a password"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " Going over the code, and figuring out how the filename is generated."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " FIXED PART, sorry cut out a piece on how I traced the function back to how it generates the filname"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 31, "seconds": 29}, "tag": "linux hard", "line": " Resetting the admin account from the exposed cache file"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 35, "seconds": 39}, "tag": "linux hard", "line": " Exploiting the Mass Assignment Vulnerability to write to a configuration file, to increase log verbosity, file name of log, and then poisoning the log"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 46, "seconds": 9}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 48, "seconds": 39}, "tag": "linux hard", "line": " Downloading a custom password generator that appears to be a 
compiled python executable."}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 51, "seconds": 24}, "tag": "linux hard", "line": " Running Pyinsxtractor to extract the pyc files out of the exe and then using Docker to match the python version which will allow uncompyle to convert pyc to py files"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 56, "seconds": 19}, "tag": "linux hard", "line": " Starting the docker and copying our password generator into it"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 57, "seconds": 29}, "tag": "linux hard", "line": " Showing the vulnerable password generation function, it is just using millisecond as a seed"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 57, "seconds": 49}, "tag": "linux hard", "line": " Building a script to generate all possible passwords, turns out it fails because Windows and Linux randomization is different"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 60, "seconds": 29}, "tag": "linux hard", "line": " Running pdf2john to generate a hash for the pdf file"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 62, "seconds": 19}, "tag": "linux hard", "line": " Running the script on windows to generate different passwords, then cracking ethans password with john"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 65, "seconds": 39}, "tag": "linux hard", "line": " Looking at SetUID Files, finding PINNS from CRI-O which is a binary related to Kubernetes"}, {"machine": "HackTheBox - Vessel", "videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 67, "seconds": 39}, "tag": "linux hard", "line": " There's no man page for the PINNS binary, so looking at the source code to change the kernel parameter for core dumps"}, {"machine": "HackTheBox - Vessel", 
"videoId": "ZANv0DlrTN8", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "linux hard", "line": " Creating an exploit script, poisoning the core dump parameter, and generating a dump to execute our script and getting root"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap, then discovering a laravel app"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Laravel app uses Ziggy which exposes a list of all the routes"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux hard", "line": " Finding the /management/dump endpoint but we keep getting page expired (missing some headers)"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Using ffuf to brute-force the management/dump endpoint"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "linux hard", "line": " Dumping a list of users and then cracking them"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux hard", "line": " Enumerating virtualhosts, then looking at the roundcube version"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux hard", "line": " Discovering the first 32 characters of the password reset token does not change"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Attempting to bruteforce the password 
reset token for Charlie's password but discovering there's rate limiting in play"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Spamming the password reset link to generate multiple tokens, which will allow us to guess a token"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 35, "seconds": 14}, "tag": "linux hard", "line": " Edit, explaining the multiple password reset vulnerability more in depth"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 37, "seconds": 18}, "tag": "linux hard", "line": " End of edit, resetting charlie's password"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Logging into Gitea as Jean and discovering a browser extension. Installing it to see what it does"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux hard", "line": " Explaining the XSS Filter check on the extension"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " Initial payload to prove we can execute javascript"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 73, "seconds": 45}, "tag": "linux hard", "line": " We have a base64 cradle to bypass the filter, creating a payload to interact with the gitea api to see what repo's the user has access to"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 84, "seconds": 4}, "tag": "linux hard", "line": " Getting information from the backups repo, then downloading the contents"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 89, "seconds": 0}, "tag": "linux hard", "line": " Extracting 
the tar from the git repo and getting an ssh key, finding passwords in the .git_credentials file"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux hard", "line": " Looking at the Laravel Source Code and discovering there is a command injection"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "linux hard", "line": " Looking at the email validation request, to show we need to create a valid checksum"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux hard", "line": " Explaining how the secret is generated from the source code, because the secret is at the beginning we can do a hash length extension"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 104, "seconds": 20}, "tag": "linux hard", "line": " Using Hash_Extender to generate a bunch of payloads in order to find the length of the secret"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 109, "seconds": 0}, "tag": "linux hard", "line": " Start of using python to submit the validation check"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 121, "seconds": 50}, "tag": "linux hard", "line": " Finding out the issue I'm running into, stupid formatting issue, having hash_extender output in a different format"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 130, "seconds": 50}, "tag": "linux hard", "line": " Getting a reverse shell on the container"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 137, "seconds": 0}, "tag": "linux hard", "line": " Finding there is a docker.sock file in our container, which enables us to interact with docker on the host"}, {"machine": "HackTheBox - Extension", 
"videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 139, "seconds": 30}, "tag": "linux hard", "line": " Copying the Docker Executable to the container, which makes it much easier to interact with. Starting a container with the host file system mounted to get root"}, {"machine": "HackTheBox - Extension", "videoId": "qNsbf3EmLrA", "timestamp": {"minutes": 143, "seconds": 35}, "tag": "linux hard", "line": " Extra content, showing SSH can tunnel named pipes (socket files)"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of Nmap"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Logging into the endpoint, discovering how to send authentication to the endpoints. 
Don't really gain anything"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux medium", "line": " Using ffuf to search for extra endpoints and discover /admin/ but can't do anything"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Running NMAP again with UDP to discover SNMP"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "linux medium", "line": " EDIT: Showing the minrate with nmap to scan UDP much quicker"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Using SNMP Walk"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux medium", "line": " Using SNMP-BRUTE to bruteforce other community strings"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux medium", "line": " EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux medium", "line": " Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux medium", "line": " Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages"}, {"machine": "HackTheBox - 
Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Discovering command injection in the backup endpoint"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 35, "seconds": 19}, "tag": "linux medium", "line": " Shell returned! "}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux medium", "line": " Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "linux medium", "line": " EDIT: Showing how we could background out reverse shell with nohup so we don't hang the webserver"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "linux medium", "line": " Cracking the hashes and getting svc's password and then logging into the server via SSH"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Doing some light forensics looking for files edited on the box shortly after linux was installed"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "linux medium", "line": " Finding a password in the snmpd password which gets us root"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "linux medium", "line": " Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux medium", "line": " Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD"}, {"machine": "HackTheBox - Mentor", "videoId": 
"MjddXhMF9vg", "timestamp": {"minutes": 66, "seconds": 40}, "tag": "linux medium", "line": " Forwarding PostGres to our server with chisel so we can dump the database"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 72, "seconds": 20}, "tag": "linux medium", "line": " Enumerating PostGres manually to dump users, then showing how to run code on postgres servers"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux medium", "line": " Setting up the FastAPI Environment on our local box, copying files from the docker"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 78, "seconds": 30}, "tag": "linux medium", "line": " Doing some light edits on the FastAPI Code, so we can run it within an IDE and set breakpoints"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 84, "seconds": 14}, "tag": "linux medium", "line": " Start of adding auth to the /user/ endpoint. 
"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 90, "seconds": 15}, "tag": "linux medium", "line": " Fixing our /auth/login endpoint to accept our new login request"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "linux medium", "line": " Getting the browser to accept our bearer token"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 105, "seconds": 30}, "tag": "linux medium", "line": " Fixing up the /user/ endpoint to work with our bearer token"}, {"machine": "HackTheBox - Mentor", "videoId": "MjddXhMF9vg", "timestamp": {"minutes": 110, "seconds": 20}, "tag": "linux medium", "line": " Getting the user decorator to return the User Object which makes it easy for our code to identify our group"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Feedback: https://orrsuc93j02.typeform.com/HTBSEASONS"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sorry for the bad cam quality. 
Screwed up recording, then was too lazy to re-record."}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction why you should play NOW"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "", "line": " Going over the blog, what we mean by Beta Season"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " How many points each machine is worth"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Talking about Tiers AKA the completion based rewards"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Talking about the prizes"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Talking about Academy Modules"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Talking about the competitive rewards"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " FAQ"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Connecting to the Seasonal Machine"}, {"machine": "Ippsec's Thoughts on the New Hack The Box Seasons", "videoId": "M1cbUQkm-Rw", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "", "line": " How to give feeback."}, {"machine": "HackTheBox 
- Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Talking about Varnish, then looking at the website"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux medium", "line": " Poking at the Forgot Password functionality and showing we can enumerate valid users"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "linux medium", "line": " Discovering a username in the HTML Source"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Start talking about Host Header Injection, showing the page will use the Host Header when building redirects"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 9, "seconds": 28}, "tag": "linux medium", "line": " Using host header injection in the password reset, in order to send the user a link that goes to our box"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux medium", "line": " Explaining host header injection password reset in depth"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Live Demo showing that Host Header Injection on Password Reset may not require user interaction, mail filters love clicking links."}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux medium", "line": " Sending an 
email to myself, then checked Burpsuite Collaborator and saw some bots clicked our link and sent us the token that was in the email!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 16, "seconds": 43}, "tag": "linux medium", "line": " Showing what Robert can do in the web application and discovering some odd behavior on the /tickets/ page. Anything after the slash will return tickets and not 404!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "linux medium", "line": " Identifying when Varnish decides to cache things by looking at the age header, and discovering whenever /static/ is in the URL it becomes cached and that the page doesn't check authorization before displaying cache"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux medium", "line": " Getting the administrator to click a link on /admin_tickets/static/Junk, which will cache /admin_tickets/ and allow anyone to view the admin_tickets page!"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "linux medium", "line": " Going in-depth with the Web Cache Deception attack and how Varnish works"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Showing the Varnish configuration"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Editing the Varnish configuration to add UserAgent as part of the caching logic to show it can have unique hashes per user. 
Then updating it to use Cookies instead"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux medium", "line": " Explaining the weird behavior with how the flask app does routing and allows the user to put /static/ in the URL and not have it go to the static directory"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "linux medium", "line": " Checking what Diego can run via sudo and discovering he can execute ml_security which appears to be some machine learning poc to look for XSS"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux medium", "line": " Getting the version of TensorFlow and looking for vulnerabilities in the library itself"}, {"machine": "HackTheBox - Forgot", "videoId": "wKcTELVst20", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux medium", "line": " Exploiting TensorFlow 2.6.3 Save_Model_cli (CVE-2021-41228 and CVE-2022-29216)"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Taking a look at the web page, finding users on the site, and using FFUF to VHost Enumeration due to talking about a store"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux medium", "line": " Fingerprinting the websites, dev looks to be PHP and the main page appears to be Vue"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux 
medium", "line": " Exploring the vue app in Firefox Dev Tools, discovering some routes in the webpack which lead to an API"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " An JWT error message is displayed when accessing some API Pages, removing the token and bypassing authentication"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux medium", "line": " Explaining why the web application skips authentication when a cookie is not present, and showing how similar it was to the OMIGod Vulnerability"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux medium", "line": " Extracting all users from the page and then using curl to save the hashes to a file. Use CrackStation to crack hashes and get a cred"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux medium", "line": " Logged in as Christopher.Jones, checking the Online Store Status link which is vulnerable to SSRF"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "linux medium", "line": " Using FFUF to fuzz for all possible ports and using a bash trick to create a wordlist based upon a range of numbers without creating a file"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Discovering some API Documentation on a page on port 3002"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux medium", "line": " The API all-leave page uses awk, and we can abuse this binary to perform a file disclosure vulnerability if we can poison user names. 
"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Using hashcat to crack our JWT "}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux medium", "line": " Creating a python script to generate JWT's which allow us to exploit awk and exfil files off the server"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " Python script completed, leaking some files and discovering a unique file in a users .bashrc"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Having trouble exporting the backup file, and modifying our script to write binary files which allow us to download the tar.gz backup"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux medium", "line": " Discovering bean's credentials in his xpad directory and logging in"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Running a process list on the box shows inotify is watching an interesting file that is only writable by www-data"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 59, "seconds": 40}, "tag": "linux medium", "line": " Looking for system() calls in the PHP app and discovering a sed command. We can exploit this like we did awk to get code execution without any bad characters. 
Having trouble getting this to work."}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 71, "seconds": 10}, "tag": "linux medium", "line": " Taking it slower, discovering our mistake and getting code execution"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell as www-data. Modifying the file and trying to find out what happens"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 78, "seconds": 10}, "tag": "linux medium", "line": " Running PSPY, since it will be more thorough than our PS Commands and discover we can inject into the mail command"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux medium", "line": " Got our command execution working and shell returned as root"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 85, "seconds": 30}, "tag": "linux medium", "line": " Getting shell as www-data was unintended, showing the intended way of doing this which involves the leave-request page and symlinks"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 92, "seconds": 0}, "tag": "linux medium", "line": " Cannot poison our JWT and get code execution because of bad characters"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 98, "seconds": 30}, "tag": "linux medium", "line": " There were directories chmod'd to 777 that the application wrote to. 
We can use symlinks here to point to other files and have the webserver write to another file"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "linux medium", "line": " Showing why we need to create a new product to place our malicious payload"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 104, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned the intended way, and then showed we definitely needed the ! which is a bad character"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 107, "seconds": 40}, "tag": "linux medium", "line": " Extra content! Showing a more in-depth look at why removing the cookie bypassed auth. By loading the code locally and running it in VS so we can properly debug and step through it"}, {"machine": "HackTheBox - Awkward", "videoId": "gmaizI5Xcqs", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux medium", "line": " Explaining and showing why the application should have had an authentication function so there was less duplicate code in each function, which makes it easier to patch"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux hard", "line": " Identifying this page is built with flask based upon a 404 page"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Looking at /api/"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux 
hard", "line": " Showing a weird bug in python where you cannot run int() on a string that is a float"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Showing the source code on why this bypassed the check"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 10, "seconds": 12}, "tag": "linux hard", "line": " End of edit, extracting all the users passwords with curl"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Cracking the hashes and getting a password of rubberducky, playing with creating containers"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Getting a reverse shell on the Alpine-Python container"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " We are a privileged container and can see processes from root, which lets us access the hosts disk and CWD leaks file handles to directories. 
Grab an SSH Key"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux hard", "line": " Can execute safe_python with sudo as jack_adm but it turns out to be a sandbox, eventually find a use-after-free vuln on google and use that to escape"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Shell as Jack_adm, we can use sudo with hash_password.py, its a bcrypt hash but we can't crack what we create"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux hard", "line": " Explaining the vulnerability, bcrypt has a maximum length we can fill the buffer and prevent the python script from appending something to the password"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux hard", "line": " Creating a Hashcat rule file to append a single character to the password"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Creating a python script to exploit this vuln in bcrypt and leaking the secret key one character at a time"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 53, "seconds": 48}, "tag": "linux hard", "line": " Script to exploit the truncation vuln in bcrypt complete. Using hashcat to crack the password, showing two ways rule file and combinator attack which uses two dictionary files"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "linux hard", "line": " Finished the box but we skipped one step. 
Going back to show there was a dev subdomain which we need to pivot through a container to access"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 65, "seconds": 50}, "tag": "linux hard", "line": " The dev site has a different /api/healhtcheck page, we can use boolean logic with regex to perform a file disclosure vulnerability one char at a time"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 73, "seconds": 24}, "tag": "linux hard", "line": " Creating a python script to automate the file disclosure vulnerability and exporting files to leak extracting the cookie"}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 90, "seconds": 10}, "tag": "linux hard", "line": " Talking about ways to improve the script, and realizing we can just run the script on the docker which makes this process exponentially faster. Good demo on how much a proxy slows things down."}, {"machine": "HackTheBox - RainyDay", "videoId": "E5TOeiCnGkE", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "linux hard", "line": " Showing the web source code which starts the container and why background was not pid 1337"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Generating our SSH Key and Base64 Decoding it"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " Opening the SSH Key in Bless"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": 
{"minutes": 3, "seconds": 45}, "tag": "", "line": " Showing information from the SSH RFC which will tell us what we are parsing"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "", "line": " Start of parsing the SSH Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Opening an Encrypted Key and showing the slight changes"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Back to the unencrypted SSH Key and showing the private key does contain the private key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Extracting the Exponent and N our of the Public Key portion"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "", "line": " Start of Private Key Information in the Private Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Extracting the variables from the Private Key Field"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Extracting Q, which is the big prime that we used in Response to rebuild the key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 19, 
"seconds": 0}, "tag": "", "line": " Showing the comment which contains the username and hostname of the person that generated the key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "", "line": " Extracting E/N from the Public Key"}, {"machine": "Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots", "videoId": "4F1XGsvB2iA", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Extracting Q from the Private Key again and using RsaCtfTool to generate the key"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "linux medium", "line": " Discovering this is a ruby Sinatra Web App based upon error message"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "linux medium", "line": " Discovering credentials in javascript"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Examining the HTTP Request to resize images and discovering an RCE"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 11, "seconds": 12}, "tag": "linux medium", "line": " Discovering we have SETENV with sudo on a script, checking for path injection"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", 
"timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Exploiting path injection with the find command"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Exploiting path injection because the script disables some Bash Built-ins"}, {"machine": "HackTheBox - Photobomb", "videoId": "-4asq6Tldf0", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux medium", "line": " Explaining bash built-ins"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux insane", "line": " Discovering the /status/ page which gives us some information on how to use the Proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux insane", "line": " Start of coding our own proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux insane", "line": " Downloading the source code to the chat application"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux insane", "line": " Modifying our proxy to forward all requests to chat.reponse.htb and adding a webserver to it"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Web Proxy is up! 
But we need to replace some URL's to send everything through our proxy"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Adding POST Request support"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux insane", "line": " Post request working! Can login with Guest and talk to Bob over the chat"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux insane", "line": " Discovering the login request also sends a LDAP Server, we can point the login request to a ldap we control"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux insane", "line": " Using ChatGPT to Give us the hex to a successful LDAP Bind, so we can login after poisoning the LDAP Server"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux insane", "line": " Logged in with admin!"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "linux insane", "line": " Building a Cross Site Protocol Forgery payload to connect to the FTP Server, showing it work against us"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux insane", "line": " Sending bob the malicious payload and using FTP on his behalf"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "linux insane", "line": " Going over scan.sh"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux insane", "line": " Doing some LDAP Requests to see how its all setup"}, {"machine": "HackTheBox - Response", "videoId": 
"-t1UAvTxB94", "timestamp": {"minutes": 94, "seconds": 2}, "tag": "linux insane", "line": " Having the scan.sh scan our box by adding details into the LDAP Database"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 97, "seconds": 10}, "tag": "linux insane", "line": " Setting up an HTTPS Server on port 443, so it can scan it"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux insane", "line": " Using DNSMasq to setup a DNS Server on port 8053, and having IPTables redirect DNS Requests from the target to that port"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "linux insane", "line": " Starting a SMTPD Server, then creating a malicious certificate so we can exploit the NSE Script and extract an ssh key"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 113, "seconds": 0}, "tag": "linux insane", "line": " Going over the Incident Report, then looking at the PCAP"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 116, "seconds": 15}, "tag": "linux insane", "line": " Starting to parse the meterpreter packets, showing it in wireshark"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 120, "seconds": 50}, "tag": "linux insane", "line": " Using Scapy to extract the meterpreter tcp stream to a file"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 125, "seconds": 30}, "tag": "linux insane", "line": " Starting a python script to parse the meterpreter data"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 130, "seconds": 30}, "tag": "linux insane", "line": " Extracting the TLV for unencrypted packets"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 134, 
"seconds": 13}, "tag": "linux insane", "line": " Using Bulk_Extractor which extracts the AES Key from the core dump, its able to identify it via Key Expansion"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 139, "seconds": 30}, "tag": "linux insane", "line": " Decrypting the TLV, then adding definitions for TLV Types"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 165, "seconds": 0}, "tag": "linux insane", "line": " Writing the file to disk"}, {"machine": "HackTheBox - Response", "videoId": "-t1UAvTxB94", "timestamp": {"minutes": 169, "seconds": 50}, "tag": "linux insane", "line": " Discovering a small portion of the SSH Private key in a screenshot, after decoding it, we see the Q variable in it! Use RsaCTFTool to rebuild the private SSH Key"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Discovering Grafana and seeing it is ~2 years old"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Looking for exploits"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux medium", "line": " Manually performing the exploit"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux medium", "line": " Looking for interesting files, extracting Grafana config which lets us log in"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 
12, "seconds": 55}, "tag": "linux medium", "line": " Extracting the SQLite3 Database in order to get the MySQL Password"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " Logging into MySQL and getting SSH Creds from the whackywidget database"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Looking at the WhackyWidget application and discovering an Consul API Key"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux medium", "line": " Looking for the Consul API Documentation"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux medium", "line": " Playing with the API, examining the Metasploit script and building out our curl request"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux medium", "line": " Building a JSON file which will create a Consul Script to send us a reverse shell and getting root"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux medium", "line": " Showing the Metasploit Script would work if we port forward"}, {"machine": "HackTheBox - Ambassador", "videoId": "6M_6rapjTL0", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux medium", "line": " Showing another way, we can write to the Consul Config directory and do it manually"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - UpDown", 
"videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux medium", "line": " Testing the webhook, examining the request the server makes"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Trying other URL Wrappers to see how the application behaves"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux medium", "line": " Finding the .git sub directory, running git-dumper to extract source code"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Finding and explaining the LFI Vulnerability"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux medium", "line": " Attempting to use the php filter to extract source code, does not work, turns out there's another website"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Discovering there is a special header requried to access the DEV Website"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Configuring BurpSuite to add the header for us"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Explaining the LFI And why we are going to use a phar file to get code execution"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Attempting to get a shell, when executing our file we get a ERROR 500. 
Simplify the payload to see it works."}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Examining phpinfo to see disabled functions, and discovering system() was blocked"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux medium", "line": " Showing off github co-pilot, turns out it didn't exactly give me what I wanted."}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux medium", "line": " Uploading our script to check dangerous functions and identifying we can use the proc_open() function"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Creating a script to send us a reverse shell, more github copilot finishing our code for us"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux medium", "line": " Exploring the developer home directory, finding a setuid python binary that uses input(), exploiting to get developer user"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " We can run easy_install with sudo, getting root"}, {"machine": "HackTheBox - UpDown", "videoId": "yW_lxWB1Yd0", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux medium", "line": " Explaining the Code Execution without dropping a file, by using gadgets with php filters to create text for us"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "linux easy", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Discovering it is NodeJS based upon the error message [MasterRecon]"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " Performing NoSQL boolean injection (mongodb) to bypass authentication"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux easy", "line": " Working payload for the NoSQL Injection."}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Dumping the user database with more NoSQL Injection and using CrackStation to get the password"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Using ffuf to find the mattermost.shoppy.htb subdomain"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux easy", "line": " Logging into MatterMost and getting a credential"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux easy", "line": " Log in as the Jaeger user and use strings to get a hardcoded password from the password-manager binary"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " 
SSH into the box as the Deploy User, discover we can run Docker commands and use that to privesc by starting a new container that mounts the root fs"}, {"machine": "HackTheBox - Shoppy", "videoId": "AJc53DUdt1M", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Exploring the Password-Manager binary in Ghidra"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Testing the webhook to see the app will send us information about a web page"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Trying to access port 3000, getting blocked by a filter trying to include 127.0.0.1 and 0x7f000001"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux medium", "line": " Playing with the webhook to see if it will send us the entire page"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Having our webserver redirect to localhost, to see if this bypasses the filter and getting the web page on port 3000"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux medium", "line": " The application on port 3000 is gogs 0.5.5 which is from 2014!"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", 
"timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux medium", "line": " Setting up a local instance of GOGS so we can build a payload to exploit this"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux medium", "line": " Playing with a union injection, then looking at the database to see number of columns in the user table"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Have a basic Union Injection payload, grabbing multiple fields from the SQLite Database"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Checking how the password is encoded by examining gogs source"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " Testing out cracking our hash"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 30, "seconds": 5}, "tag": "linux medium", "line": " Passing our SQL Injection payload through SSRF to attack the target and get a user password"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux medium", "line": " Using Pspy to see a cron job running as root that uses artisan to execute a web function"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Exploring the web source to discover the webserver uses file_get_contents on monitored url"}, {"machine": "HackTheBox - Health", "videoId": "UBQ1tGdFvKk", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "linux medium", "line": " Poisoning the MySQL Database to have the monitored URL retrieve and send a file"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows easy", "line": " Running CrackMapExec to enumerate open file share and downloading a custom DotNet Executable"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "windows easy", "line": " Showing that we can run DotNet programs on our linux machine (will show how I configured this at the end of the video)"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows easy", "line": " Using Wireshark to examine DNS Requests when running this application"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "windows easy", "line": " Using Wireshark to examine the LDAP Connection and discover credentials being send in cleratext"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows easy", "line": " Using the credentials from the program to run the Python Bloodhound Ingestor"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows easy", "line": " Playing around in Bloodhound"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows easy", "line": " Discovering the Shared Support Account has GenericAll against the DC"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "windows easy", "line": " Doing a LDAP Search to dump all information and finding a password 
stored in the Info field of Active Directory"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows easy", "line": " Examining what the Support user can do, showing the importance of looking at Outbound Object Control option in bloodhound"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows easy", "line": " Explaining how to abuse GenericAll to the Computer object"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Downloading dependencies"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Starting the attack, checking that we can join machines to the domain"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows easy", "line": " Starting the attack Creating a machine account, had some issues will redo everything later"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows easy", "line": " Redoing the attack, copying commands verbatim from Bloodhound "}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "windows easy", "line": " Copying the ticket to our machine and then converting it from KIRBI to CCNAME format and using PSEXEC"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "windows easy", "line": " Extracting the LDAP Password through static analysis"}, {"machine": "HackTheBox - Support", "videoId": "iIveZ-raTTQ", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "windows easy", "line": " Installing DotNet on a linux machine"}, {"machine": "HackTheBox - Outdated", 
"videoId": "TR132R1h3Ds", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Running nmap"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "windows medium", "line": " Running CrackMapExec to enumerate the share"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows medium", "line": " Talking about a common misconception about \"Null SMB Authentication\""}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Downloading a PDF off the open share"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "windows medium", "line": " Using SWAKS to send an emailw ith a link to see if anything clicks it"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "windows medium", "line": " Exploring the CVE's mentioned in the PDF to see one of them is Folina"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "windows medium", "line": " Someone clicked our link! 
The User Agent Shows WindowsPowerShell/5.1.19041.906, which leaks the patch level of the box"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows medium", "line": " Building a Folina Payload"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "windows medium", "line": " Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab auto complete on windows rev shells"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows medium", "line": " Reverse Shell obtained, discover we are btables and a little enumeration shows we are in a HyperV Container"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Running SharpHound"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows medium", "line": " Importing the results into Bloodhound and seeing we have AddKeyCredentialLink which is a shadow credentials to a user"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows medium", "line": " Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using Evil-WinRM to login"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Running Invoke-Whisker "}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "windows medium", "line": " Discovering we are in WSUS Administrators Group, checking if other tools highlight this"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " 
Going into a SharpWSUS blog post that talks about adding a malicious windows update"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 46, "seconds": 45}, "tag": "windows medium", "line": " Compiling SharpWSUS"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows medium", "line": " Making sure SharpWSUS Runs, copying PSExec to the box"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows medium", "line": " Explaining the SharpWSUS Attack Path"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "windows medium", "line": " In typical ippsec fashion, I have a typo in my payload psexec.nexe lol."}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "windows medium", "line": " The payload did not work, lets simplify it by removing special characters and just executing netcat"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 59, "seconds": 55}, "tag": "windows medium", "line": " Shell returned as admin!"}, {"machine": "HackTheBox - Outdated", "videoId": "TR132R1h3Ds", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "windows medium", "line": " Beyond Root: Enable RDP then showing the WSUS Administration Panel"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 0, "seconds": 35}, "tag": "", "line": " Agenda"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 1, "seconds": 30}, "tag": 
"", "line": " Whoami"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Hacking is an Art"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " The \"Flow Chart\" Problem most People Make"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Keep is Simple, don't go straight to the reverse shell"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "", "line": " Ask Simple Questions, Start of Fuzzing"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Talking about ffuf and giving some demos"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Reading between the lines"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Importance of asking questions"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 19, "seconds": 11}, "tag": "", "line": " How to ask questions"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 21, "seconds": 2}, "tag": "", "line": " Keeping a positive mindset"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 24, 
"seconds": 3}, "tag": "", "line": " Eliminate the word fail"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Stop doing the bare minimum"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Practice makes perfect"}, {"machine": "HackTheBox UniCTF 2022 Talk - Variable is what you make of It", "videoId": "_EV2Frf5P2E", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " It's Holiday CTF Time. Shout outs."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Nmap the box, examining server banners"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " Checking out the website, doesn't seem like anything special "}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux hard", "line": " Using Ffuf to perform a virtual host scan to discover other subdomains and find portal"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux hard", "line": " Discover the Motorcycle Store Portal. 
Trying to play with a potential LFI but deciding it may be a rabbit hole"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux hard", "line": " Stop of examining rabbit hole."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Registering an account and noticing it goes to an API. Lets test the API Out by fuzzing other functions"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux hard", "line": " Running a GoBuster on the classes directory to find more controllers for the API "}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Fuzzing the Users.php file for more functions and discovering Upload"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Using OpenAI to generate an HTML Upload form, so we can see create an HTTP Upload Request"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Pasting our upload request and uploading a webshell"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Showing a SQL Injection in the Login Function that is vulnerable to Mass Assignment"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " The intended route: Editing our profile to change our login_type, which is our group. 
Editing it to be an admin which will reveal the upload form."}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Shell on the Docker Container, looking for credentials in the web app"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Discovering Truedesk.php which has an apikey, looking online to see how to use this api key"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Searching the Truedesk code for more endpoints, finding a stats endpoint which leaks some info about a ticket"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Finding a voicemail password and instructions of connecting a soft phone. Downloading Zoiper"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Running Zoiper and connecting"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux hard", "line": " Logging in as hflaccus"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux hard", "line": " Setting up a proxy through SSH so we can connect to the DropCMS"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Running TCPDump"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux hard", "line": " Going over the wireshark, finding the HTTPS Connection is using an insecure SSL Protocol that doesn't support PFS (port forward secrecy)"}, {"machine": 
"HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux hard", "line": " Downloading the SSL Certificates and then using wireshark to decrypt the data and getting credentials to login to DropCMS"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " Uploading a malicious DropCMS Module and getting a shell on this docker container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Shell on the Docker of this container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Finding a script that runs every 45 seconds as root, after looking into this it should allow us to run code as root on the container"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "linux hard", "line": " Root on this container, we can look for breakouts!"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "linux hard", "line": " Using the unshare command to exploit a vulnerability which gives us all the capabilities!"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 67, "seconds": 45}, "tag": "linux hard", "line": " Doing a somewhat standard way to execute code with the SYS_ADMIN capability (attacking overlayfs and cgroups) to get root on the host"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "linux hard", "line": " Showing that we could of skipped playing with TruDesk by using nmap and discovering mongo was open without credentials"}, {"machine": "HackTheBox - Carpediem", "videoId": "piTtOe13SEU", "timestamp": {"minutes": 78, 
"seconds": 10}, "tag": "linux hard", "line": " Using Mongosh to interact with mongo databases"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Poking at the web page, examining the request, playing with server headers"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Discovering an error message, googling it and finding out it is tied to Sping Boot"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Start of FFuf, using a raw request so we can ffuf like we can sqlmap"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "", "line": " Going over the results of FFUF"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Matching all error codes with FFUF which is very important, going over the special characters"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "", "line": " The curly braces return 500 in FFUF, big indication it is going to be SSTI"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Using HackTricks to get a Spring Framework SSTI payload and getting command execution"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "", "line": " Using curl to download a shell script and then execute 
it because we are having troubles getting a reverse shell"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Going back to just show the Match Regex feature of FFUF to search for banned characters"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Searching the file system for files owned by logs, discovering redpanda.log. Using a recursive grep to find out what uses this"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Examining the Credit Score java application and seeing what it does with the RedPanda.log file"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Discovering the Credit Score application gets the Artist variable via ExifData in an image"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " With the Artist, the Credit Score application opens an XML File and writes. 
This is like an Second Order XXE Injection"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Downloading an image, so we can change the exif metadata"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Using Exiftool to modify the artist"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "", "line": " Building the malicious XML File "}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Putting a malcious entry in the log, waiting for the cron to hit and then checking if we got root key"}, {"machine": "HackTheBox - RedPanda", "videoId": "HqIUffFdjuI", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "", "line": " Showing why our user had the group of logs. On boot the service was started with sudo and assigned us that group"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Navigating to the page "}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Discovering the forgot password feature enables people to enumerate valid users"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Finding the default credentials for mojo portal and then logging in as admin"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 7, "seconds": 50}, 
"tag": "", "line": " Uploading an ASPX Webshell but finding out the aspx extension is blacklisted"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Looking at the GitHub issues for MojoPortal"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Copying a file to bypass the bad extension filter of uploaded material and getting our webshell"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Showing the importance of redirecting STDERR to STDOUT on web shells to discover why some commands fail"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Failing to run a Powershell Reverse Shell bypassing AV, only to find out it is in ConstrainedLanguage Mode"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Attempting to upload netcat to find out its blocked via group policy"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Enumerating Applocker with Powershell Get-AppLockerPolicy -Effective -xml"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "", "line": " Looking at the Get-BadPasswords directory, finding an NTLM Hash"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Logging into the box via kerberos because NTLM is Disabled"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "", "line": " Using CrackMapExec's Spider_Plus module to enumerate all the files on the share"}, {"machine": "HackTheBox - 
Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " Enumerating the Windows Firewall to discover only bginfo64 will be able to communicate out"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Creating a DLL to use with DLL Injection to 7zip"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "", "line": " Running a bunch of icacls commands with our DLL to identify permissions"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "", "line": " We have WriteOwner to BGInfo64.exe, which was allowed through the firewall. We can change the owner and then write our netcat on it!"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 69, "seconds": 0}, "tag": "", "line": " Shell returned as GinaWild, finding an encrypted pfx file in the Recycle Bin"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "", "line": " Cracking the PFX File with CrackPkcs12 to discover it is a code signing certificate"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 82, "seconds": 30}, "tag": "", "line": " Importing the code-signing certificate so we can sign powershell scripts letting us bypass applocker"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 86, "seconds": 50}, "tag": "", "line": " Telling the Get-BadPasswords program to run, and getting a shell as BPassRunner"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "", "line": " Identifying how Get-BadPasswords pulls the NTLM Hashes and then getting Administrators hash"}, {"machine": "HackTheBox - Hathor", "videoId": "yweDaXZdt4s", "timestamp": 
{"minutes": 89, "seconds": 50}, "tag": "", "line": " Using Impacket's GetTGT to get a ticket as administrator"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Searching the PrestaShop github to find a way to fingerprint the website, discovering INSTALL.TXT then finding the commit that contains our version"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Discovering checkout.shared.htb"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 8, "seconds": 14}, "tag": "", "line": " Examining how the checkout subdomain gets the contents of the shipping cart (cookies), editing the cookie and seeing what happens"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Testing for SQL Injection within the cookie"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Failing to use SQLMap (Debug it at the end of the video)"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Doing the Union SQL Injection manually to enumerate Information Schema then dump the users table and get the passwords"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "", "line": " Cracking the 
password for James_Mason and gaining SSH Access"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Finding files modified between two dates on linux and discovering some interesting files"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Grabbing passwords from the web directory"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Discovering iPython is opened every minute based upon the history file"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Telling LinPeas to look for unique processes and discovering the directory iPython is being ran from"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 31, "seconds": 45}, "tag": "", "line": " Creating a malicious profile to gain code execution when ipython is opened and gaining a shell as dan_smith"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Discovering a golang program that utilizes Redis, copying the binary to our box"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Having Redis connect to netcat and getting the password in clear text"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "", "line": " Enumerating Redis"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " Creating a malicious Redis Module, loading it within Redis and getting code execution"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "", 
"line": " Getting a reverse shell as root"}, {"machine": "HackTheBox - Shared", "videoId": "7LmqyefHgIU", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Going back and getting SQLMap to run. Enabling Debug so we can see the requests SQLMap makes"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap, then going over the website"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Examining all the pages on the blog"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Looking at the report parameter, doing some light testing for SQL Injection before moving on to IDOR"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using ffuf to bruteforce all reports matching upon a word (phrase) on the page"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Attempting to figure out if the md5sum in the logs URL is random by submitting the hash to crackstation"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Discovering a file upload vulnerability, faking a PDF and uploading a PHP Shell"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " When using a PHP Shell System() commands don't work. 
Uploading PHPInfo to view disabled functions and seeing System is blocked"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Getting code execution through Popen() which wasn't blacklisted"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "", "line": " Discovering another webserver is running on localhost, turns out to be Wordpress"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "", "line": " Exploiting the wordpress plugin BrandFolder to get a shell as Lexi"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Lexi has an SSH Key, using SSH to access the server and then setting up a tunnel to access the wordpress site and checking out the PWDMS Plugin"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 40, "seconds": 55}, "tag": "", "line": " Using MySQL to reset a wordpress password, so we can log in"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Gaining access to the box as John"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "", "line": " Finding a Virtual Box file that has an encrypted VDI"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", "line": " Using Hashcat to crack the VirtualBox VDI File"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 52, "seconds": 55}, "tag": "", "line": " Installing the 
VirtualBox extension that would allow us to utilize an encrypted VDI"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "", "line": " Decrypting the VirtualBox VDI Image with VBoxManage"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "", "line": " Mounting the VirtualBox VDI Image and discovering the hard drive is encrytped with LUKSv2"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Cracking the LUKS v2 Password"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "", "line": " Mounting the Luks Drive then discovering a bunch of scripts"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 63, "seconds": 55}, "tag": "", "line": " Doing some bash-fu to extract all variables and run them against the ent command to display entropy, then discovering the password somewhat sticks out, which gets root"}, {"machine": "HackTheBox - Moderators", "videoId": "V70gFSoh3aU", "timestamp": {"minutes": 68, "seconds": 50}, "tag": "", "line": " Another fun trick to find passphrases. 
Creating a regex to path for WORDS_seperated-LIKE-this"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Poking at the DNS Server and discovering its hostname when querying itself"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Using dig to show the reverse lookup aswell, then perform a zone transfer with axfr"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Just showing dnsrecon to bruteforce a range of IP's, not really relavent to this but figured I'd show it"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Poking at the website and logging into the website"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux easy", "line": " Using SQLMap with the login to extract files"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux easy", "line": " SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": 
{"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Having SQLMap extract the nginx configuration and discovering another subdomain"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux easy", "line": " Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL!"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Going over the source code of the LFI to show why this was vulnerable the ../ strip was not recursive"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Using the LFI to discover the user we are running as, then extracting an SSH Key"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Showing another way to weaponize this LFI, poisoning the nginx access log"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux easy", "line": " Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Shell on the box, checking Sudo then using find to see files owned by my user/group and seeing I can write fail2ban rules"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux easy", "line": " Editing iptables-multiport.conf to execute a file instead of banning a user and getting root"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux easy", "line": " Showing an alternate way to discover 
preprod-marketing, using a creative sub domain bruteforce with ffuf"}, {"machine": "HackTheBox - Trick", "videoId": "ai98umjeO8M", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable."}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 1, "seconds": 1}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux medium", "line": " Testing login of the webapp, finding SQL Injection to bypass it"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux medium", "line": " Running gobuster with our cookie so it has access to any authenticated page"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux medium", "line": " Examining the course edit functionality and discovering how the page tells us if our update was a success"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " Explaning the dangerous thing with update injections, we accidentally changed EVERY row."}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux medium", "line": " Extracting information from this Update Injection in MySQL by editing a second column"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Standard MySQL Injection to extract table information from Information_Schema, then dumping hashes"}, 
{"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Showing a second login form, which is also SQL Injectable"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Examining the Generate PDF Function"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Verifying we can put HTML in the PDF"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux medium", "line": " Going to GitHub Issues and finding issues with MPDF to find vulnerabilities in old versions"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Showing we do have SSRF but this doesn't really give us anything"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " Using Annotations to add loca files into the PDF"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "linux medium", "line": " Dumping source code of the webapp to find the configuration file, then getting the MySQL Password"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Testing the MySQL Password with SSH and logging in as gbyolo"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux medium", "line": " Exploiting Meta-Git to gain access to the developer user"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Shell as Developer and 
running LinPEAS"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 38, "seconds": 48}, "tag": "linux medium", "line": " Testing CVE-2022-2588 as a privesc on Ubuntu, it works! (unintended route)"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Finding GDB has cap_sys_ptrace permissions, which means we can debug processes running as root"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "linux medium", "line": " Using MSFVENOM to generate shellcode to perform a reverse shell, which we will inject into a process"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux medium", "line": " Creating a python script to format the shellcode in a way we can just paste it into gdb"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 46, "seconds": 25}, "tag": "linux medium", "line": " Explaining the modulo operator (%) which is how we will pad our payload"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Building our payload"}, {"machine": "HackTheBox - Faculty", "videoId": "LGO-dn7668g", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Payload has been built! 
Lets inject it into a process and get a shell"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "linux insane", "line": " Looking at the website, looks like there's different behavior for extensions"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux insane", "line": " Registering and logging into an account"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux insane", "line": " An unintended way to login, IDOR within the Forgot Password logic, can change usernames"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux insane", "line": " Uploading a new product, test XSS, File Upload"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux insane", "line": " Using FFUF with a raw http request to test for potential extensions"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux insane", "line": " Using SHTML to test for Server Side Inclusion SSI and leaking web.config"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux insane", "line": " Going over the web.config, pulling out sensitive things"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux insane", "line": " Decrypting the .aspx 
Forms Ticket and forging a new one that states we are admin"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux insane", "line": " The Admin page allows us to generate PDF's, testing for XSS"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux insane", "line": " Attempting to redirect the save to pdf function with a meta tag"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Redirecting to localhost:8000 and discovering the swagger api for encrypt/decrypt"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Creating a webform to autosubmit data and allow us to decrypt a string."}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux insane", "line": " Creating a YSOSERIAL Gadget with our ViewState and ViewStateUserKey protecting it"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "linux insane", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux insane", "line": " Discovering port 8009 is open, setting up a tunnel via SSH and discovering its a different version of the website"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 67, "seconds": 54}, "tag": "linux insane", "line": " The ViewState is protected by AutoGenerate for the key, we cannot do deserialization here"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux insane", "line": " Checking out the Password Reset 
feature and we can edit the token to reveal a Padding Oracle error message"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 72, "seconds": 15}, "tag": "linux insane", "line": " Showing the command injection if we can forge tokens"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 74, "seconds": 5}, "tag": "linux insane", "line": " Using padbuster to create a token that will allow us to perform command injection"}, {"machine": "HackTheBox - Perspective", "videoId": "tmK0GIvnq6s", "timestamp": {"minutes": 84, "seconds": 0}, "tag": "linux insane", "line": " ALTERNATE PRIVESC: Using JuicyPotatoNG, attempting to run it says privileged process failed to communicate with COM Server. Need to run with -s to find a suitable port"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro brief descriptions of Elastic, Kibana, Fleet Management, Endpoint Security, Windows Logging"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "", "line": " Logging into our Elastic Box and going to https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-22-04"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Changing the Elastic Repo from 7.x to 8.x, then installing Elastic making sure to grab the default credentials"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Making sure our 
Elastic Database is online with Curl"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Installing Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Generating an enrollment token for Kibana, adding it to the config and starting Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Installing NGINX to put in front of Kibana"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Logging into Kibana and setting up the Fleet Integration so we can manage agents"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Copying the Elastic CA Certificate over the fleet, just to make some of our certificates easier"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Installing fleet but adding the --fleet-server-es-ca and --insecure flags "}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "", "line": " Installing the Fleet Agent on our windows box"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", 
"timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Adding the Endpoint and Cloud Security Integration, which has a lot of good alerts for detecting bad things"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Installing the Default Elastic Security Endpoint Rules, without this the Elastic Agent is not monitoring for malicious events!"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "", "line": " Adding the Windows Integration so our agent collects logs"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "", "line": " Uh-Oh We aren't getting any data from our agents. Our elastic endpoint agent is getting an SSL Error when talking to ElasticSearch"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Editing Kibana to let us edit our default fleet settings, so we can modify the Elastic Config on our agents"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "", "line": " Viewing data from our agents! 
"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 35, "seconds": 6}, "tag": "", "line": " Viewing sysmon logs, viewing running processes "}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "", "line": " Viewing sysmon logs for DNS Requests"}, {"machine": "Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection", "videoId": "Ts-ofIVRMo4", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " Looking at the default Elastic Alerts for our host. Nothing too special since its a new windows box"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Identifying a Docker exists based upon the Python Version in NMAP + SSH Version [MasterRecon]"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 4, "seconds": 23}, "tag": "linux medium", "line": " Navigating to the website downloading the source code available, there is a git folder switching branches "}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Discovering a vulnerability in the os.path.join command, if we prefix our path with a slash it will overwrite the entire path"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "linux medium", "line": " 
Attempting to upload a malicious cron, docker isn't running cron so it doesn't work"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 14, "seconds": 37}, "tag": "linux medium", "line": " Adding a new route to the application to execute commands"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Able to run commands and get the output"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Creating an endpoint to send reverse shells in the webapp"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux medium", "line": " Looking at port 3000 which was previously filtered. 
Looks like its a Gitea interface but we don't have creds"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux medium", "line": " Uploading Chisel and tunneling to access the website"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux medium", "line": " Looking at old git commits from the source code and finding credentials"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Downloading a SSH Private Key from the Gitea website"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux medium", "line": " Using find to search files modified around the time the SSH Key was uploaded to the box in order to see what else happened [Forensics]"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Showing how to remove lines from the less view &!"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " Checking if Git-Sync is executed with the watch command"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux medium", "line": " Finding out git executes every minute, setting a pre-commit hook to get root"}, {"machine": "HackTheBox - OpenSource", "videoId": "z6nJNr8AFTU", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux medium", "line": " Showing the FSMonitor command in the gitconfig which is another way to execute code, this will run on many other git commands like git status where pre-commit would not"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 0, "seconds": 0}, 
"tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows medium", "line": " Viewing the website and discovering NTLM is disabled"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows medium", "line": " Using Kerbrute to enumerate valid users and then password spray with username"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Bad analogy comparing Kerberos works with TGT/TGS and Movie Theater Tickets"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Using Impacket's GetTGT Script to get Ticket Granting Ticket as Ksimpson and exporting KRB5CCNAME so Impacket uses it"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows medium", "line": " Using GetUserSPN to Kerberoast the DC with Kerberos Authentication and cracking to get SqlSVC's Password"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "windows medium", "line": " Both credentials we have cannot access MSSQL"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows medium", "line": " Creating a silver ticket to gain access to SQL"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Using GetPAC to get a Domain SID"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", 
"timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows medium", "line": " Showing getting Domain SID with LDAPSearch"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows medium", "line": " Creating the Silver Ticket with Impacket's Ticketer"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Showing Impacket creates the ticket with 10 years instead of 10 hours"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "windows medium", "line": " We now have MSSQL Access to the box, enabling xp_cmdshell and getting a reverse shell"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Using JuicyPotatoNG to escalate privileges because we have SeImpersonate Privilege"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows medium", "line": " Running the JuicyPotatoNG Exploit and getting a shell in the unintended way"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows medium", "line": " Enumerating the MSSQL Database and finding credentials"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows medium", "line": " Using Evil-WinRM to login with Kerberos Auth"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "windows medium", "line": " Accessing the box as MiscSvc and finding a dotnet Application "}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "windows medium", "line": " Setting up our linux host 
as a router so our Windows host can communicate to the HTB Network through the linux box"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows medium", "line": " Sniffing the traffic from the dotnet application and discovering it talks to port 4411"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "windows medium", "line": " Looking at debug logs and seeing a serialized object"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "windows medium", "line": " Using YsoSerial.Net to create a malicious base64 object to send us a reverse shell"}, {"machine": "HackTheBox - Scrambled", "videoId": "_8FE3JZIPfo", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "windows medium", "line": " Sending our payload and getting a reverse shell"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Installing Sysmon and the configuration from Neo23x0's Repo"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Explaining the file blocked section"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Viewing the Sysmon log to confirm it is installed and see its EvendID 27"}, {"machine": "Using Sysmon to Block 
Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Creating a Scheduled Task with Event Filter to trigger on Sysmon File Blocked Events"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Event did fire turns out it is case sensitive"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Editing the Scheduled Task event by hand to add ValueQueries which allows arguments to be sent from this Event Filter"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Testing the passing of variables by adding them to the message box"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Start of creating some powershell to send this message to Slack"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Have trouble getting arguments into the powershell script because of Base64 Endcoding, change up our script"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "", "line": " Showing a working copy of the powershell script that sends slack 
messages"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "", "line": " Deploying our scheduled task through Group Policy"}, {"machine": "Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter", "videoId": "J9owPmgmfvo", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Editing the scheduled task XML file from sysvol"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Showing some differences between Ffuf and Wfuzz"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Finding a known exploit against the Exam Reviewer Management System"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Explaining the boolean injection then running SQLMap"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Using SQLMap to extract databases, tables, and some data"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Discovering the OldManagement site, dumping its database 
then logging in"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux hard", "line": " Exploiting the file upload vulnerability in OldManagement by replacing .htaccess"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux hard", "line": " Explaining various ways a developer may handle the file save"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux hard", "line": " Low privilege shell returned, in a docker find credentials in configuration files. Then SSH into the box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "linux hard", "line": " Examining port 4873 which is Verdaccio, an NPM Registry. Downloading packages to find hard coded credentials"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "linux hard", "line": " Going over the app startup script which we can run with Sudo. 
Ubuntu 18 sudo preserves $HOME variable so we can replace the registry in npmrc with one running on our box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "linux hard", "line": " Using docker on our system to pull and run verdaccio"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "linux hard", "line": " Creating a malicious npm package, then getting a shell on the box"}, {"machine": "HackTheBox - Seventeen", "videoId": "U-2nI6wSPOE", "timestamp": {"minutes": 64, "seconds": 40}, "tag": "linux hard", "line": " Exploiting RoundCube 1.4.2 with CVE-2020-12640"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 0, "seconds": 15}, "tag": "", "line": " Talking about how the attack works and why NetBIOS/LLMNR should be disabled"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Running Responder on a linux host and then attempting to browse a file share on a Windows Host and grabbing the Hash"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Cracking the hashes our computer provided to show how easy it is to steal passwords on a network"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Showing how we can perform an LLMNR request in PowerShell"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", 
"videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Combining the Powershell LLMNR Request with our Slack WebMessage hook to send notifications to slack"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Testing the powershell code out and seeing it send a message to Slack"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Creating Scheduled Task to run this powershell code every 5 minutes"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Converting the powershell to powershell friendly (UTF-16LE) Base64 "}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Changing our scheduled task to write to EventLogs instead of Slack, which is better networks that have Centralized Logging"}, {"machine": "Detecting Responder via LLMNR Honey Tasks on User Workstations", "videoId": "h_cWWL-yyb0", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Showing the schedueld task runs every 5 minutes."}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates"}, {"machine": "HackTheBox 
- StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Running Feroxbuster and then cancelling it from navigating into a few directories"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Examining the StreamIO Website"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "windows medium", "line": " Finding watch.stream.io/search.php and "}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Fuzzing the search field with ffuf by sending special characters to identify odd behaviors"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows medium", "line": " Writing what we think the query looks like on the backend, so we can understand why our comment did not work. 
"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows medium", "line": " Burpsuite Trick, setting the autoscroll on the repeater tab"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows medium", "line": " Testing for Union Injection now that we know the wildcard trick"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 22, "seconds": 15}, "tag": "windows medium", "line": " Using xp_dirtree to make the MSSQL database connect back to us and steal the hash"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 25, "seconds": 15}, "tag": "windows medium", "line": " Extracting information like version, username, database names, etc from the MSSQL Server"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "windows medium", "line": " Extracting the table name, id from the sysobjects table"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "windows medium", "line": " Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane for mass exfil"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows medium", 
"line": " Extracting column names from the tables"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "windows medium", "line": " Using VIM and SED to make our output a bit prettier"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows medium", "line": " Cracking these MD5sum with Hashcat"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 39, "seconds": 55}, "tag": "windows medium", "line": " Using Hydra to perform a password spray with the credentials we cracked"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "windows medium", "line": " Using FFUF to fuzz the parameter name within admin to discover an LFI"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "windows medium", "line": " Tricking the server into executing code through the admin backdoor, using ConPtyShell to get a reverse shell on windows with a proper TTY"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "windows medium", "line": " Using SQLCMD on the server with the other database credentials we have to extract information from the Backup Database, cracking it and finding valid creds"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking 
Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows medium", "line": " Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract credentials"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "windows medium", "line": " Running CrackMapExec to spray passwords from Firefox to get JDGodd's password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 88, "seconds": 20}, "tag": "windows medium", "line": " Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can read the LAPS Password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 97, "seconds": 6}, "tag": "windows medium", "line": " Extracting the LAPS Password"}, {"machine": "HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS", "videoId": "qKcUKlwoGw8", "timestamp": {"minutes": 106, "seconds": 10}, "tag": "windows medium", "line": " Showing you could have SQLMapped the login form"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Simple concept/video but we will build more upon it in the following weeks. 
"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 0, "seconds": 30}, "tag": "", "line": " Signing up and installing the client"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Changing our channel to Private and Installing the Webhook"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Creating a PowerShell oneliner to send a message to slack"}, {"machine": "Creating Webhooks in Slack and sending messages from Powershell", "videoId": "1w0btuMAvZk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "", "line": " Giving the message a little flair by changing the username and icon"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, you should be using centralized logging for this. 
But if not this hackjob will do"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "", "line": " Talking about the Sensitve Command Token"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Examining how this all works, creates three registry keys for Image File Execution Options and SilentProcessExit"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Talking about the \"So much offense in my defense\" phrase. Really loved it, showing a blog about using this technique as a persistence "}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Showing the token works and what the email looked like"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Ranting more about \"so much offense in my defense\" and why blue teamers should learn red team techniques"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Creating a new token so we can deploy this one via Active Directories Group Policy"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 9, 
"seconds": 0}, "tag": "", "line": " Opening GPMC and creating a registry entry"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Running gpupdate /force to show the group policy created the registry keys"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Attempting to get the arguments of our process but failing. Never get this part working."}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Referenced Blogs:"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html"}, {"machine": "Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy", "videoId": "xFlH3DV0J7I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Scanned - 
Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux insane", "line": " Using MSFVenom to upload a reverse shell to identify what the malware sandbox looks like"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux insane", "line": " Examining the source code of the sandbox"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux insane", "line": " Creating a program in C to see the size of an unsigned long"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux insane", "line": " Creating a program to replace the output of the trace program and exfil data via the return register on the webapp"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux insane", "line": " Creating a python program to automate uploading the file and returning the output"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 27, "seconds": 5}, "tag": "linux insane", "line": " Creating a program in C to perform ls, so we can enumerate the jail"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " Changing our ls to enumerate /proc"}, {"machine": 
"HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 36, "seconds": 25}, "tag": "linux insane", "line": " Adding a readlink() call to our ls program so we can view symlinks"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux insane", "line": " Discovering an open file descriptor in PID 1, using this to escape the jail and read /etc/passwd"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux insane", "line": " Dumping the Django Database"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Using hashcat to crack a custom salted MD5 hash/password"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux insane", "line": " Examining how the sandbox is created on the box itself, explaining how we can abuse setuid binaries because we can write to /lib (path injection)"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux insane", "line": " Using ldd to view all the libraries su needs, copying them to a directory"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux insane", "line": " Creating 
a malicious linux library with a constructor to execute code when it is loaded"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 59, "seconds": 18}, "tag": "linux insane", "line": " Changing our readfile poc to execute su and read the output, discovering we need to modify our malicious library slightly"}, {"machine": "HackTheBox - Scanned - Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor", "videoId": "FoQuNsCyQz0", "timestamp": {"minutes": 62, "seconds": 10}, "tag": "linux insane", "line": " Adding a misc_conv function so our library loads and getting code execution as root"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " **IMPORTANT: The event filter should be 4625 not 4624."}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Going over CanaryTokens"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Scheduled Task Basics"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Switching over to Event Log"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and 
Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Enabling logging for failures"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Searching Events based upon Event ID via XPATH/XML"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Searching Events based upon data in the Event Log"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Searching a specific field within the event log data"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Adding Boolean Logic to watch multiple events"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Preventing the account from being able to be used by setting login hours to none"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Creating a SPN so the account becomes kerberoastable"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "", "line": " Changing our Search Query to easily find events 
related to the kerberoasting"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "", "line": " Fixing up how we parsed multiple Event ID's"}, {"machine": "Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!", "videoId": "BT9pT1tAmX8", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Exporting and Importing the task"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Copying the webapp from the server to my local box"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 2, "seconds": 55}, "tag": "", "line": " Intalling the required modules to run the pip modules and running the website locally"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Using SSH Port forwarding to forward MySQL, so we don't have to setup a database"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Changing localhost in the web code to 127.0.0.1 which magically fixes an issue we had connecting to the database"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": 
"eojA9k4px-8", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "", "line": " Getting an administrative login, registering a new user and then updating their role"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Running Visual Studio Code which gives us a nice debugger"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Creating a test payload and seeing why it fails"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "", "line": " Going over what $'' is and why it prevented our command execution if we didn't escape it"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "", "line": " When sending over the single quote, it is html encoded. 
Editing variables in the debugger to make sure if we bypass this stage we would have command execution"}, {"machine": "Troubleshooting failed RCE Payloads by Debugging Python Web Applications - Noter Beyond Root", "videoId": "eojA9k4px-8", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "", "line": " Intercepting the request in BurpSuite and discovering the HTML Encoding is done client side, by editing the request we can get RCE!"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 0, "seconds": 17}, "tag": "", "line": " Recap, talking about the flask session cookie and showing hashcat won't crack ours"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Looking at Hashcat's source code, finding module 29100 which is flask session and seeing the max length is set to 27"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Checking out the JWT Module (16500) to see what the sizes are set there. 
Use this module because its similair."}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Downloading the source and compiling"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Testing the new version of hashcat and successfully cracking our Flask Session!"}, {"machine": "Fixing Hashcat Flask Session Module - Just Needed to Update Maximum Length of the Hash", "videoId": "amSgFTzTWPc", "timestamp": {"minutes": 6, "seconds": 5}, "tag": "", "line": " Creating an issue/pull request on the Hashcat repo to get our change into the main repo."}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Registering an account"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 2, "seconds": 55}, "tag": "linux medium", "line": " Enumerating valid usernames based upon error message"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 5, "seconds": 
30}, "tag": "linux medium", "line": " Using ffuf to match regex to enumerate valid usernames"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "linux medium", "line": " Poking at the web applicaiton trying IDOR/SSTI and failing"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " Looking at the cookie given by the application and discovering it is a Flask Session Cookie"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux medium", "line": " Trying to crack the Flask Session with Hashcat. It fails because I think the payload is too long for hashcat. 
"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Using Flask-Unsign to crack the session"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux medium", "line": " Using flask-unsign to forge a cookie that says we are the Blue User"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Logged into the application as Blue, get the ftp_admin password"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "linux medium", "line": " Unzipping the source code that came from the ftp server and using diff to compare the two versions"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Failing to exploit a command injection vulnerability in the export note function"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux medium", "line": " Going deeper in the export note function to discover it uses a node library md-to-pdf which is vulnerable to RCE"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 43, "seconds": 10}, 
"tag": "linux medium", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "linux medium", "line": " Start of the Raptor Exploit, we pulled a bad version so it isn't immediately going to work for us"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 55, "seconds": 20}, "tag": "linux medium", "line": " Running Show Variables like '%plugin%' which will tell us where we should drop the raptor_udf library file"}, {"machine": "HackTheBox - Noter - Cracking Flask Cookies and performing MySQL Raptor Exploit on Modern Distro RCE", "videoId": "XvoMwz9J6_I", "timestamp": {"minutes": 60, "seconds": 30}, "tag": "linux medium", "line": " Using a different version of raptor which has a do_system_init function, this one lets us execute code"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux hard", "line": " Taking a look at websites, making note of all login prompts (bolt, rocketchat)"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux hard", "line": " Start of looking at Jamovi, using the Rj Editor to execute code and get a reverse shell"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux hard", "line": " Using cat to send files over the network to our box and viewing the 
bolt-administration document"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Taking a credential from the document and logging into Bolt CMS"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux hard", "line": " Editing a theme in bolt to give us code execution"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Using script to get a full PTY since python isn't on this box"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux hard", "line": " Looking for passwords for bolt, finding a sqlite database"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "linux hard", "line": " Getting the ip address of the box via the hostname command since ifconfig and ip were not on the box"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Using /proc/net/tcp to get listening ports"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Using the docker container to SSH into the host computer via its docker IP"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux hard", "line": " Using ps -ef --forest to view running processes, can see inside docker containers to find mongo"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux hard", "line": " Using bash to perform a portscan based upon the exit codes of echo'ing data to a network socket"}, {"machine": "HackTheBox - 
Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux hard", "line": " Setting up chisel so we can talk to the mongo port"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux hard", "line": " Using MongoDB Shell to log into mongo and change the user we created to become an administrator on RocketChat"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 44, "seconds": 25}, "tag": "linux hard", "line": " Using Web Hook Integration in RocketChat to get RCE as an authenticated admin"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Manually identifying our Docker Capabilities with /proc/self/status"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux hard", "line": " Using cat to download files from the network and downloading the shocker exploit which should exploit this capability"}, {"machine": "HackTheBox - Talkative", "videoId": "T0jebq1M_GY", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux hard", "line": " Was using the wrong shocker exploit to exploit cap_dac_read_search. 
Downloading the one to write files and putting our passwd file on the box"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux easy", "line": " Enumerating the file server"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Cracking the zip file with John"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Cracking the pfx file (PKCS12) with John"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 10, "seconds": 27}, "tag": "linux easy", "line": " Extracting the certificate and key from the pfx file"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 11, "seconds": 24}, "tag": "linux easy", "line": " Using evil-winrm to login with the certificate"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Checking the PSReadline file and getting another credential"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 16, "seconds": 5}, "tag": "linux easy", "line": " Logging in with svc_deploy, failing to run bloodhound "}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Running net user discovering we are in LAPS Group"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 23, "seconds": 0}, "tag": 
"linux easy", "line": " Running get-adcomputer to get the LAPS Password"}, {"machine": "HackTheBox - Timelapse", "videoId": "gWTGGfl9ajQ", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Showing a python script to extract LAPS Passwords"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "", "line": " Talking about what the page parameter does and why its normally vulnerable to LFI"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Running gobuster to get a list of files on the webserver while we poke at the LFI"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "", "line": " Finding an LFI in combination with an EAR (Execute After Read) Vulnerability. 
Then examining the source code of index.php to see the vulnerability"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " There was an sanitize string function that wasn't recursive, explaining how we could exploit this."}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Discovering beta.html which is a license upload, grabbing the source code and vulnerable application"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Grabbing netstat like information, running processes, and memory maps with our LFI Vulnerability"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "", "line": " Playing with the activate_license executable and finding a buffer overflow"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Using GDB to examine the crash, need to use set follow-fork-mode child to follow the fork"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Crashing the program with a pattern and finding the offset to RSP"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "", "line": " Start of creating our exploit script"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "", "line": " Extracting where activate_license and libc exists within memory using the /proc/pid/maps file"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Using objdump to dump the location of system() within the libc version running on the target"}, 
{"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 27, "seconds": 57}, "tag": "", "line": " Using ropper to search for gadgets, pop rdi - pop rdx - and one to move values from rdx to rdi"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " Using readelf to look for a writable space within memory for us to write our malicious command to"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Building the rop chain to write our command to memory, then call system"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 37, "seconds": 43}, "tag": "", "line": " Reverse shell returned running linpeas a"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Failing to run CVE-2022-0847, not sure why"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Discovering a timer that backs up the website as the dev user and its vulnerable to a symlink attack. 
Grabbing the home directory of dev which has an ssh key"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 46, "seconds": 20}, "tag": "", "line": " Examining the ememu directory in dev which is a C Program"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "", "line": " Talking about Binfms and how we will be able to create an interpreter for extensions that executes code as root"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "", "line": " Talking about the cap_dac_override permission"}, {"machine": "HackTheBox - Retired", "videoId": "1MDqn1kBHQM", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Exploiting our ability to write to the binfmt_misc/register to get root"}, {"machine": "HackTheBox - Late", "videoId": "3s_eVc6KyM8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Time stamps will be added tonight"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap, going over some standard cookies and knowing the web technology behind it"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux medium", "line": " Checking what the main webpage is, discovering an APK File"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Analysing the APK file with JADX-GUI"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Searching for strings, finding some tokens"}, {"machine": "HackTheBox - Catch", 
"videoId": "XAZI361XgRU", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Looking at the Gitea API to discover how to use our token"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "linux medium", "line": " Looking at the Lets Chat API to discover how to use our token and dumping a list of rooms"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " Using the Lets Chat API to dump messages from a room and discovering credentials"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux medium", "line": " Logging into the Catchet webserver finding the version and discovering known vulnerabilities"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Using a CVE-2021-39174 POC to dump the Catchet Configuration and get a password (SSTI)"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux medium", "line": " Logging into the box as will"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux medium", "line": " Discovering a verify.sh script that has a command injection when verifying APK Files"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Using apktool to decompile the APK so we can change the name and repackage it"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux medium", "line": " Having trouble repacking our APK file, need to update APKTool. 
Then getting root"}, {"machine": "HackTheBox - Catch", "videoId": "XAZI361XgRU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux medium", "line": " Showing another way to pop the Catchet server, by updating the Cache configuration to point to our REDIS instance and phpggc to create a deserialization gadget"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap, the Server Header changes based upon DNS"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Navigating to the website, discovering the \"New Starter Form\" which has some key information like a welcome password and username convention"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows hard", "line": " Password spraying the Powershell Web Access (PSWA), discovering a valid credential but wrong host, word document had another host which is valid for edavies"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows hard", "line": " Playing around in the PSWA"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows hard", "line": " Looking at hidden files, discovering c:\\utils\\desktop.ini which states its a directory that is excluded by AV"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows hard", "line": " Making the mistake of running WinPEAS inside the PSWA"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows hard", "line": " Setting 
up ConPtyShell to get a proper PTY reverse shell on windows"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows hard", "line": " Making some light modifications to ConPtyShell in order to evade antivirus"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows hard", "line": " Getting the ConPtyShell and showing the colors/tab autocomplete"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows hard", "line": " Running WinPEAS to show another user is logged on (and the AV Exclusions)"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "windows hard", "line": " Switching to Metasploit, because it makes it easier to migrate into an interactive process, which allows us access to view the desktop of the logged in user"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows hard", "line": " Using Screenshot and Screenshare inside of meterpreter to record the screen and get a password that was typed onto a terminal (imonks)"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows hard", "line": " Creating a credential object with imonks, so we can Invoke-Command on the domain controller"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " When specifying the correct configurationname our enter-pssession fails because we can't run measure-object. 
Running Get-Command and Get-Alias to view what commands we can run"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "windows hard", "line": " Discovering wm.ps1, which we can modify to get a shell as jmorgan on our desktop"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "windows hard", "line": " Creating a powershell one-liner to replace a string in a file with cat and set-content"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "windows hard", "line": " Screwed up our fail because of a random line break. Playing around with it until we can fix it."}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows hard", "line": " Shell returned as JMorgan, dumping the SAM/SYSTEM files and cracking local passwords on the workstation"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "windows hard", "line": " Looking at other Domain Users, attempting to password spray the users we don't have in order to see if there's password re-use between local desktop and domain"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " We are awallace on the Domain Controller, getting a reverse shell"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows hard", "line": " Discovering c:\\Program Files\\KeepMeOn, which is executing .bat files every 5 minutes. 
Putting our powershell one liner in there and getting a shell as lhopkins"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "windows hard", "line": " Shell as lhopkins, but still not domain administrator running bloodhound"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 81, "seconds": 40}, "tag": "windows hard", "line": " Going over the Bloodhound Data"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 83, "seconds": 40}, "tag": "windows hard", "line": " Adding edavies to the Site_Admin group"}, {"machine": "HackTheBox - Acute", "videoId": "jDYte7xNY1g", "timestamp": {"minutes": 92, "seconds": 50}, "tag": "windows hard", "line": " Adding imonks to the Site_admin group, then andding ippsec to domain admins"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Downloading the APK"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Running apktool to decode the APK, examining files, don't get much info"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Finding a certificate in the application that gives up the host name"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Trying out another APK Decompiler, Bytecode Viewer"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 10, "seconds": 
15}, "tag": "", "line": " Start of setting up Genymotion"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Setting up the phone, accidentally choosing an ancient version which won't work"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Dragging the app to install it to the phone, get an error have to manually look at log file"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Setting up a newer phone so we can install the apk"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Installing the APK"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "", "line": " Configuring our phone to go through BurpSuite"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "", "line": " Changing burpsuite to listen on all hosts"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Showing the app is now going through burpsuite, adding the hostname to our host file"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Finding command injection in the communication between app and server, reverse shell fails"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "", "line": " Putting an SSH Key on the box "}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "", "line": " Got a shell on the box digging through to figure out the 
SSH Server, finding something interesting but don't dig in"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Discovering the rules.v6 file for iptables likely isn't changed, discovering this is a way around the firewall block."}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Running LinPEAS but curling it over ipv6, http.server didn't listen, switching to netcat"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Running CVE-2021-3156, sudo baron samedit exploit"}, {"machine": "HacktheBox - RouterSpace", "videoId": "bilgniEPOfs", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " Using IPv6 with our bash reverse shell"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction, talking about why I think APT-29 successfully phishing is funny"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Unit42's blog post talking about how the phishing document worked"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "", "line": " Going to google to show APT29 doing the lnk file in a zip since atleast 2016, Mandiant post."}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Talking about why phishers put 
executables or things to click on in zip/iso/compressed folders"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Talking about why they may use DLL Side Loading to execute the shellcode"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "", "line": " Showing what the user see's when they open the iso file"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 7, "seconds": 48}, "tag": "", "line": " Talking about why we are starting with shellcode instead of a weaponized document and why red teams like shellcode"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Using MSFVenom to generate a malicious executable with custom shellcode from BRc4"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Opening the executable with x64dbg, so we can extract a program from memory. 
This is great for when the shellcode is obfuscated through like shikata ga nai"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Setting a breakpoint on LdrLoadDll, showing the memory map is empty"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "", "line": " Running the program, examining memory on LdrLoadDll breakpoint. Showing a weird Execute-Read Permission, which initially was Read-write (screwed up initially explaining it)"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "", "line": " The E_MAGIC (MZ Header) is nulled out, talking about why the brute ratel may do that"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "", "line": " Dumping the memory to a file, copying it to linux where i have ida"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Using hexedit to set the first two bits to MZ, so ida recognizes it as an executable"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "", "line": " Talking about ordinal loading"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", 
"timestamp": {"minutes": 18, "seconds": 5}, "tag": "", "line": " Showing the applicaiton uses ror13 hashes to call functions to avoid strings. Using google to find what the hash goes to"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "", "line": " The coffee string is weird, going into it"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "", "line": " Looking at a function that looks like it sends strings to the teamserver"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Showing similarities of the coff loader from trusted sec"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Converting another ror13 hash in badger to a function"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "", "line": " Having ida show all strings"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Looking at the AMSI Patch thing"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 26, "seconds": 35}, "tag": "", "line": " Stumbling across a static encryption key"}, 
{"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " Looking at a likely PSExec functionality, maybe an IOC? Service name: ServicesActive"}, {"machine": "Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?", "videoId": "a7W6rhkpVSM", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Looking at the EnableDebug command and explaining why i think all these strings may be in the binary right now, they are likely gone now."}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux medium", "line": " Running gobuster against store.djewelry.htb and discovering a vendor directory that has phpunit"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux medium", "line": " Exploiting phpunit to get a shell on the box"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Shell recieved on the box as www-data"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Looking for files owned by www-data on the box by using find to discover /var/backups/info"}, {"machine": 
"HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Running strings against the /var/backups/info file and discovering a hex string that is a shell script. Using CyberChef to decode it and gain access to steven"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " ssh in as steven, talking about the duplicate users as steven and steven1 have the said uid/gid"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Talking about timestamps, my favorite way to find tools left behind by hackers"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux medium", "line": " Using find -type f -printf \"%T %p\\n\"to show the full time stamp for files"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "linux medium", "line": " Using find to find files that were created 00:00:00, which is an indication of time stomping. 
Discovering a backdoored copy of sshd"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Running the backdoored binary in Ghidra and discovering a backdoor in the login function"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux medium", "line": " Extracting the backdoor password and using CyberChef to decode it"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux medium", "line": " We skipped a step, finding and examining a backdoored apache module"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux medium", "line": " The easy way of doing strings and decoding the bsae64 to discover what the backdoor did"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux medium", "line": " Having trouble analyzing this with Ghidra"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Switching to Cutter which handles this binary better"}, {"machine": "HackTheBox - Undetected", "videoId": "TNwZAacbQs4", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "linux medium", "line": " Going back to Ghidra and seeing what we missed"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 2, "seconds": 22}, "tag": "linux hard", "line": " Taking a look at the SSL Certificates and website 
to find blog/forum"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 4, "seconds": 57}, "tag": "linux hard", "line": " Running WPScan, explaining why i like aggressive scanning"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Running SQLMap to confirm the injection"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Examining the Wordpress Database structure, so we can run SQLMap to dump very specific things"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux hard", "line": " Cracking wordpress credentials to find out we can't use any because of MFA"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "linux hard", "line": " Using our SQL Injection to dump a list of activated plugins in wordpress"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Finding an exploit in the Download From Files plugin, converting it to ignore SSL Validation Errors"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux hard", "line": " Uploading a malicious phtml (php) file to get a shell on the box"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Examining how MFA is enabled on SSH/SU by looking at PAM files"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": 
{"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Discovering the 10.11.12.13 network can bypass MFA, which our host is on."}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Using find to show files created between two dates"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "linux hard", "line": " Discovering backups are created in /backups and explaining why we cannot view other users processes (hidepid)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Looking in the */local/bin directories to discover an obfuscated shell script (sh.x)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Running the script and then examining the /proc/pid directory to find the shell script unobfuscated in the cmdline"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "linux hard", "line": " Explaining wildcard injection"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Exploiting the wildcard injection in rsync"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux hard", "line": " Showing how we could of used the SQL Injection to leak all the secrets in the MFA Plugin and generate our own codes"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "linux hard", "line": " Looking at the MiniOrange MFA Source Code, the uninstall.php shows a lot of good information"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 
63, "seconds": 45}, "tag": "linux hard", "line": " Showing how to do a \"pretty print\" or format output better in a MySQL Command (using \\G instead of ;)"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 66, "seconds": 45}, "tag": "linux hard", "line": " Failing to generate a QR Code that we can use google authenticator to login with"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 72, "seconds": 44}, "tag": "linux hard", "line": " Going back to the source code to find another way to generate MFA Codes"}, {"machine": "HackTheBox - Phoenix", "videoId": "Zngo-QzZYtw", "timestamp": {"minutes": 75, "seconds": 45}, "tag": "linux hard", "line": " Fixing our generator script to decrypt the secret which we can paste to oauthtool and get a MFA Code"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Checking out what version of Centos is running"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Running Feroxbuster and GoBuster"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux easy", "line": " Noticing a X-Backend-SErver header that leaks the virtual host Office.Paper"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Showing my favorite nmap script Banner-Plus "}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 6, "seconds": 45}, "tag": 
"linux easy", "line": " Office.Paper is wordpress, running wp-scan"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Discovering a vulnerability that lets us read posts that are in drafts, finding a Rocket Chat Server"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Discovering a Rocker Chat Bot finding an LFI and getting a password which we can use to ssh"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Looking at the ps output of the server to see who the bot runs as"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "linux easy", "line": " Finding out it is vulnerable to CVE-2021-3560 Polkit Privilege Escalation"}, {"machine": "HackTheBox - Paper", "videoId": "4e4wKDrANog", "timestamp": {"minutes": 22, "seconds": 8}, "tag": "linux easy", "line": " Running the polkit exploit and creating a secnigma user"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Running a VHOST enumeration scan"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Discovering the Metaview application which is an image upload"}, {"machine": 
"HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux medium", "line": " Attempting to exploit the file upload, uploading non images. "}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Editing the exif metadata to put PHP tags in the image, still failing to get code execution but find XSS"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Looking for public exploits against exiftool"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Creating a malicious image with CVE-2021-22204 against ExifTool, DjVu exploit"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, examining the application"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Discovering Convert_images directory, using grep to find out if anything uses it and finding a script"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Finding the convert_images script uses an old copy of mogrify which uses image magic and has a vulnerability"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Exploiting CVE-2020-29599 in mogrify/image magic"}, {"machine": "HackTheBox - Meta", "videoId": "RrclUhMYHh4", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " Our user can run neofetch with sudo, and XDG_CONFIG_HOME is preserved. 
Exploiting it by putting a malicious config"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Running feroxbuster and discovering image.php"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 5, "seconds": 5}, "tag": "", "line": " Fuzzing image.php for parameters and discovering an LFI"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Enumerating the WAF to find blacklisted strings and then using a php filter to extract source"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Examing the login.php source code and discovering a timing attack"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Demonstrating attempting to login with valid users takes a longer time so we can bruteforce users"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Creating a python script to enumerate users"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Logging in with aaron:arron (guessed the password)"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Extracting upload.php and admin_auth_check.php to see how we can upload files"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 23, "seconds": 30}, 
"tag": "", "line": " Attempting a mass assignment vulnerability on profile_update.php and discovering we can change our roles"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " Discovering a timing attack to discover filenames uploaded, which can be chained with our LFI to execute code"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "", "line": " Using the CLI PHP Interpreter to generate potential filenames"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "", "line": " Uploading a webshell and then generating the filename based upon time"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Executing commands on the box, discovering we can't do reverse shells"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Using my Forward Shell Python script to gain an interactive shell on the box"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "", "line": " Discovering a backup directory that has the web source but also the git repo"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "", "line": " SSH in as aaron and discovering he can run the netutils binary with sudo, which uses Axel to download files"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Tricking axel to write to authorized_keys via symlinks"}, {"machine": "HackTheBox - Timing", "videoId": "hmtnxLUqRhQ", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "", "line": " Demonstrating we didn't need that sleep(1) for the initial timing attack 
where we can enumerate valid users to work"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux hard", "line": " Start of nmap, discovering a webserver and filtered port"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux hard", "line": " Discovering a hostname in the 404 not found message in the mailto section"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "linux hard", "line": " Gobuster VHOST Discoery finds the subdomain db.admirer-gallery.htb which is adminer. Playing with the application and raw SQL Commands"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "linux hard", "line": " Trying to write files with INTO OUTFILE, also testing the secure file priv default directory for MySQL which is the most reliable"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux hard", "line": " Going to google and finding this version of adminer is vulnerable to a SSRF, but having trouble with this because the login for adminer is different"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux hard", "line": " Intercepting the login request, finding a hardcoded password that doesn't really help us"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Installing adminer in a docker container, so we can play with the application locally which helps us understand the SSRF Exploit"}, {"machine": "HackTheBox - AdmirerToo", 
"videoId": "446sWtb5bc4", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux hard", "line": " Finding a python3 http server redirect example to use for our SSRF"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux hard", "line": " Performing the SSRF Vulnerability failing to extract local files"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " The CSRF is annoying, configuring burpsuite to replace variables in our post automatically so we don't need to manually intercept."}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " Having the SSRF access localhost:4242 (the filtered port from nmap), we see the OpenTSDB application, finding an exploit"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux hard", "line": " Exploit fails, it complains about an invalid metric. Googling to find OpenTSDB API Documentation and finding an endpoint to list metrics"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Updating the exploit to use the http.stats.web.hits metric and getting RCE"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux hard", "line": " Finding database credentials in server.php, which also are jennifers credentials. 
"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Enumerating Apache configuration files, discovering one webserver runs as devel"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 39, "seconds": 20}, "tag": "linux hard", "line": " Discovering a PHP Object Injection vulnerability in a OpenCats which is a webserver running on localhost, jennifer can login. We can't write to the web directory thoe"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Discovering devel can write to /usr/local/etc/ and fail2ban is installed, which has an RCE with whois"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Running strace on whois to discover it looks at /usr/local/etc/whois.conf"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Using phpgcc to test our file write to see what the file looks like"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Looking at an example whois configuration file"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux hard", "line": " Explaining our payload and doing some weird regex termination to get this to work"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Looking at the whois source code to see it only reads the first 512 bytes of the configuration file"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux 
hard", "line": " Creating the whois configuration file, which starts with ]* to terminate the regex, then puts 500 spaces to get rid of the appended data by the exploit"}, {"machine": "HackTheBox - AdmirerToo", "videoId": "446sWtb5bc4", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Creating our payload for the fail2ban whois exploit and getting root"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Using nmap to scan NMAP"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Doing a SNMPWalk talking about SNMP Mibs and how to install them, then using snmpbulkwalk to speed up the scan"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux easy", "line": " Finding all the unique fields in our SNMPWalk with grep, sort, and uniq. 
Which helps find fields of value"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " SNMP Allowed us to view running processes on a box, a password was in the argument so we can ssh in"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " SSH into the box and looking at the webserver files and configs"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "linux easy", "line": " Looking at Apache's config seeing there's a different site available to localhost, doing a SSH Tunnel to access it"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Finding an unauthenticated pandora fms exploit via google, playing with the injection manually"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "linux easy", "line": " Using SQLMap to automatically dump the database of pandora"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "linux easy", "line": " Testing sessions, should have used wfuzz or something to test all of these quickly"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux easy", "line": " Using the union injection to login as admin by placing a php serialized object that it expects"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " With admin access to Pandora FMS we can upload a shell and get code execution"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 43, "seconds": 33}, "tag": "linux easy", "line": " Going over 
LinPEAS Results"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "linux easy", "line": " Finding a custom SetUID File called Pandora_Backup"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux easy", "line": " Running strings against the binary shows the tar command without an absolute path, so it is likely vulnerable to command injection, going into Ghidra to confirm"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 50, "seconds": 45}, "tag": "linux easy", "line": " Showing the path traversal"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux easy", "line": " The exploit didn't work because something isn't letting us do a SetUID. Digging into it"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux easy", "line": " Using SSH to log into the box and then running the exploit and seeing it works"}, {"machine": "HackTheBox - Pandora", "videoId": "vSnB0AZDvjM", "timestamp": {"minutes": 59, "seconds": 25}, "tag": "linux easy", "line": " Showing the intended way to exploit Pandora, just finding a valid session cookie, and then a cmd injection vulnerability in ajax.php"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux insane", "line": " Start of nmap, checking websites seeing old copyrights"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux insane", "line": " Discovering the HTTP Redirect on /login is pretty big, so its likely an EAR Vulnerability"}, 
{"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux insane", "line": " Discovering a LFI that enables us to read source code, chaining it with the proc directory and using wfuzz to discover additional python files"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " While our wfuzz runs testing against a login endpoint to discover an XSS in another webapp"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux insane", "line": " Going over the Python Source code"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "linux insane", "line": " Discovering Hibernate Query Injection (HQL) on the login page on port 8080"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux insane", "line": " Going over HQL (Hibernate) Injection Using boolean injection to login but need the browser fingerprint of the user"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux insane", "line": " Using our XSS to execute the fingerprint function and sending it to our server"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux insane", "line": " Logging into the application with our custom fingerprint and boolean injection, getting a JWT with a Serialized Base64 Encoded Java Object"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " Examining the Backups Directory and finding Java Sourcecode to the app on port 8080"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux insane", "line": " Going over the javacode we have to discover we can probably craft a deserialization payload to gain code execution"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "linux insane", "line": " Opening up Eclipse and building our java project which we'll use to create a deserialization gadget"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 72, "seconds": 40}, "tag": "linux insane", "line": " We can now compile our java project, lets creating the first serialized object which tells the server we are an admin"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 76, "seconds": 20}, "tag": "linux insane", "line": " Creating the second part of the Java Payload which puts the malicious code into our username"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Our exploit didn't work right awy, going over it again and finding some mistakes"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 91, "seconds": 48}, "tag": "linux insane", "line": " Got our reverse shell, discovering a binary cmatch which lets is exfil files one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 96, "seconds": 40}, "tag": "linux insane", "line": " Creating a python script to use cmatch to bruteforce the file one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux insane", "line": " Downloading the Java App that runs on port 8080 to see the database credentials, which can decrypt the SSH Key retrieved from cmatch"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 118, "seconds": 50}, "tag": "linux insane", "line": " Discovering a flask backup that is a new version of the Webapp on port 80 that has improved authentication"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 119, "seconds": 50}, "tag": "linux insane", "line": " Explaining the flaw of this webapp, it puts the secret after user controlled data, which enables us to bruteforce this one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 121, "seconds": 50}, "tag": "linux insane", "line": " Poorly explaining the bruteforcing the secret of AES ECB one byte at a time"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 126, "seconds": 10}, "tag": "linux insane", "line": " Using the XSS from earlier to steal cookies, which gives us an unprivileged user on the dev app"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 129, "seconds": 8}, "tag": "linux insane", "line": " Using curl on the /profile endpoint to set a new username and show we can have the server give us a new cookie which lets us bruteforce the secret"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 136, "seconds": 20}, "tag": "linux insane", "line": " Creating a python script to bruteforce the secret the server appends to our username before encrypting"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 151, "seconds": 35}, "tag": "linux insane", "line": " Running our script to bruteforce the data"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 153, "seconds": 50}, "tag": "linux insane", "line": " Creating a new username with the secret, which will trick the server into thinking we are an admin"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", 
"timestamp": {"minutes": 157, "seconds": 20}, "tag": "linux insane", "line": " Now that we are logged in, the server runs as root so we can just get the root ssh key"}, {"machine": "HackTheBox - Fingerprint", "videoId": "YBabDbyk3eo", "timestamp": {"minutes": 159, "seconds": 0}, "tag": "linux insane", "line": " Going over the HQL a little more to show we could have extracted the fingerprint"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro "}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux medium", "line": " Registering and logging in and examining what a regular user can do"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Playing with the file upload capability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Discovering there is a JWT in our HTTP Request, examining it to see it is RS256 and has a claim"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Explaining how we are going to exploit the Claim Misuse vulnerability in this JWT"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux medium", "line": " Creating a JWT Header that will have a modified URL for the claim, website says its an invalid key but doesn't reach out to us"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux medium", "line": " Using the redirect functionality on 
the web page to allow us to place the websites domain in our JKU Claim "}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Modifying the JWK File to place our own RSA Key and generating one with ssh-keygen and openssl"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Showing us pulling N and E out of the RSA Key"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Converting the SSH Public key into a Certificate"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 24, "seconds": 24}, "tag": "linux medium", "line": " Updating the JWT to change our name to admin and finding a LFI Vulnerability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "linux medium", "line": " Attempting to use WFUZZ to bypass the filter"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux medium", "line": " Giving up fuzzing wtih wfuzz"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux medium", "line": " Explaining why I'm going to try testing for unicode normalization and what it is, grabbing a payload from HackTricks"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux medium", "line": " Exploring /proc/self/ and hunting for the location of the webapp"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 39, "seconds": 2}, "tag": "linux medium", "line": " Finding the python application by using the /proc/self/cwd directory, then grabbing db.yaml and getting SSH 
Credentials"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux medium", "line": " Discovering a TREPORT Binary, which is a compiled python file"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux medium", "line": " Discovering the TREPORT Binary uses curl, which is weird"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Discovering the TREPORT Binary will allow us to use the file wrapper if we bypass the filter"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux medium", "line": " Bypassing the space filter in the TREPORT Binary using brace expansion in bash and having curl write the flag to /tmp"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Downloading a SSH Key and allowing us to login as root"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux medium", "line": " Examining the Web Application to show the Unicode Normalization Vulnerability"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux medium", "line": " Looking at the user table, to discover admin doesn't exist"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 57, "seconds": 58}, "tag": "linux medium", "line": " Finding out the login form was supposed to display errors but didn't because of a lacking some Jinja2 Templating Code"}, {"machine": "HackTheBox - Unicode", "videoId": "2mH6Ri7EAq0", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux medium", "line": " Flailing around fixing the template to display error 
messages"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "linux medium", "line": " Talking about why dirbusting an API is different. Bruteforce methods instead of extensions and 404 doesn't terminate recursion"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Installing the latest version of FeroxBuster"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux medium", "line": " Running FeroxBuster with Force Recursion and multiple HTTP methods to discover user endpoints"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux medium", "line": " Downloading all users, creating a single json file, then using JQ to enable us to filter users"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 10, "seconds": 8}, "tag": "linux medium", "line": " Registering an account via the Signup endpoint. 
Analyzing errors to identify how it wants data"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "linux medium", "line": " Logging into the application in order to get a bearer token"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 13, "seconds": 8}, "tag": "linux medium", "line": " Using BurpSuite to add the Bearer Token to our HTTP Request and accessing /docs/"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Playing with the edit endpoint in the docs page"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 16, "seconds": 38}, "tag": "linux medium", "line": " Testing for Mass Assignment, by editing our profile but adding the is_superuser parameter"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "linux medium", "line": " Using the file endpoint to extract files from the application"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux medium", "line": " Creating a bash script to make extracting files easier for us"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "linux medium", "line": " Using the LFI to examine the /proc/ directory to get cmdline of pid and ppid, along with environment variables"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 26, "seconds": 35}, "tag": "linux medium", "line": " Examining the LFI Source Code to identify how the application works and JWT is created"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Trying to write files, discovering we need to edit our JWT"}, {"machine": "UHC - BackendTwo", 
"videoId": "QfAh47RlZjw", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux medium", "line": " Creating a bash script that will update the webserver code to include another endpoint to send a reverse shell"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux medium", "line": " Reverse shell returned, reviewing the logs to identify a password was entered as a username"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Trying to use Sudo and getting to PAM-Wordle"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 45, "seconds": 5}, "tag": "linux medium", "line": " Analyzing timestamps on the filesystem with find to identify a PAM Module that was manually placed on the file system (not put there by APT)"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 48, "seconds": 25}, "tag": "linux medium", "line": " Running strings on the PAM Module, discovering the wordlist used for wordle is in a user-readable directory"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux medium", "line": " Using the wordlist to cheat wordle and root the box"}, {"machine": "UHC - BackendTwo", "videoId": "QfAh47RlZjw", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux medium", "line": " Examining the source code of the box to identify why it is vulnerable to the Mass Assignment"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro talking about why we want to parse Bloodhound Data with JQ to create lists"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": 
"o3W4H0UfDmQ", "timestamp": {"minutes": 0, "seconds": 43}, "tag": "", "line": " Just examining the data in Bloodhound"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "", "line": " Writing a Cipher Query to show all enabled users in Bloodhound"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "", "line": " Showing Bloodhound Debug Mode which will show Cipher Queries when you run them"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "", "line": " Start of looking at Bloodhound Data"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "", "line": " Digging through the JSON Structure with JQ to get to the Properties of a User"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Showing all the names, if we wanted to remove the quotes, we could use the -r flag for raw"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Using the Select Query in JQ to show only enabled/disabled users"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " 
Outputting multiple fields in JQ so we can show usernames + descriptions"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Using JQ to filter out descriptions with null to only show AD Accounts with a description"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Talking about LastLogon and LastLogonTimeStamp"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "", "line": " Converting integers to string in JQ so we can output them"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Outputting all accounts where a PwdLastSet is Greater than the users last logon"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Using JQ to filter out empty array's which lets use find all accounts that are kerberoastable"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Using JQ to parse the computers and showing operating systems"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Filtering out 
Operating Systems which may help us find end of life OS's"}, {"machine": "Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers", "videoId": "o3W4H0UfDmQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Using JQ to show each computers last logon which will let us view all active computers"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux hard", "line": " Using Kerbrute to identify valid users "}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Finding credentials for Hope.Sharp in an image on the website"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux hard", "line": " Showing Kerbrute paswordspray silently fails when time is out of sync"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Having troubles running the Python Bloodhound Ingestor, a digestmod error"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Giving up fixing my environment, creating a python virtual environment to run this script"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Uploading data to bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPN and Cracking the hash"}, {"machine": "HackTheBox - Search", "videoId": 
"c8Qbloh6Lqg", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux hard", "line": " Parsing the raw Bloodhound Data with JQ and dumping all the valid usernames"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux hard", "line": " Using JQ select to show only the users that are enabled, its sql like syntax"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux hard", "line": " Running a password spray with kerbrute to find edgar.jacobs has the same credentials as Web_SVC"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys)"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Using SMBClient to download files, getting an excel document that has a protected row, modifying the document to remove the password and getting more passwords"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux hard", "line": " Using CME to run a large password spray guessing a single specific password for each user with the no bruteforce flag"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "linux hard", "line": " Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset password of an administrator"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux hard", "line": " Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John"}, {"machine": "HackTheBox 
- Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "linux hard", "line": " Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a Powershell WebConsole"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "linux hard", "line": " Gaining a powershell webconsole, flailing around a littlebit trying to read the GMSA Password"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 59, "seconds": 43}, "tag": "linux hard", "line": " Using Get-ADServiceAccount on to read information about the GMSA Account and get the password"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux hard", "line": " Running commands as the GMSA User with Powershell and Invoke-Command to reset Tristan.Davies Password... We could of psexec'd after this but I decided to do it the hard way. 
"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "linux hard", "line": " Getting a Nishang Reverse Shell, thought this would be easy but there's quite a bit of AV Evasion we have to do "}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 74, "seconds": 40}, "tag": "linux hard", "line": " Getting rid of some of the reverse shell output allows nishang to bypass AV"}, {"machine": "HackTheBox - Search", "videoId": "c8Qbloh6Lqg", "timestamp": {"minutes": 80, "seconds": 25}, "tag": "linux hard", "line": " Using John to Crack the PFX File, I forgot to use pfx2john prior."}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux easy", "line": " Starting WPSCAN"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " There's no index.php in wp-content/plugins/, which lets us find a vulnerable plugin (eBook Download 1.1)"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Playing with the eBook Download LFI"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Doing a full nmap portscan"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Using the LFI to extract the process names with curling /proc and doing some cut/sed magic"}, {"machine": "HackTheBox - Backdoor", 
"videoId": "4zrypJMVWpc", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Downloading the cmdline for the first 1000 PID's"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux easy", "line": " Using find to show us files greater than a couple bytes to show us every valid PID"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Examining the final output, discovering screen running and gdb"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Using metasploit to exploit GDB"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux easy", "line": " Reverse shell returned, playing with screen to connect to the session"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Attaching to the root session, then digging into why this worked"}, {"machine": "HackTheBox - Backdoor", "videoId": "4zrypJMVWpc", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux easy", "line": " Digging into wpscan to see how to make it find this"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux insane", "line": " Discovering backup.toby.htb and discovering GOGS"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux insane", "line": " 
Discovering a backup project in toby-admin, which is wordpress"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 9, "seconds": 38}, "tag": "linux insane", "line": " Downloading and running php malicious file scanner and finding a backdoor in the web code"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux insane", "line": " Finding the backdoor in comment.php and finding out its packed a bunch of times. Using a loop to get it back to the original code."}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux insane", "line": " Analyzing the depacked malware, to see it will run a function on a specially crafted comment"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "linux insane", "line": " Placing the comment which should trigger the backdoor, then analyzing what happens"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux insane", "line": " Wireshark shows the box starts a request on port 20053, listening and discovering it sends us data encryped with our secret"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux insane", "line": " Changing the secret to be 00, so it doesn't xor anything making it a bit easier for us to analyze"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "linux insane", "line": " Sending it a command by XOR'ing it with the key the server sends back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux insane", "line": " Creating a python script to automate this"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": 
{"minutes": 40, "seconds": 22}, "tag": "linux insane", "line": " Reverse shell returned python isn't there so using script to get our regular TTY"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 42, "seconds": 15}, "tag": "linux insane", "line": " Looking at /proc to see network information since ifconfig and ip are not on the box"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux insane", "line": " Running chisel to setup a proxy back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux insane", "line": " Connecting to the MySQL Database to crack wordpress accounts"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 61, "seconds": 10}, "tag": "linux insane", "line": " Logging into the GOGS instance as toby-admin, downloading personal-webapp source code"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux insane", "line": " Making the webapp talk initiate a MySQL Connection back to us"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Editing our mysql instance to allow a host, but first we have to reset our mysql root password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "linux insane", "line": " Extracting the SALT + Password from wireshark of MySQL Trying to log into us, figuring out how to convert it so we can crack"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 76, "seconds": 38}, "tag": "linux insane", "line": " Converting the SALTS to hex, which is what hashcat needs, then trying to crack the mysql password but failing"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", 
"timestamp": {"minutes": 78, "seconds": 35}, "tag": "linux insane", "line": " Discovering the password used the password generator which is using the epoch time as a seed for random"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "linux insane", "line": " Copying the PWGenerator code to create a new wordlist of all potential passwords"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 85, "seconds": 49}, "tag": "linux insane", "line": " MySQL Password has been cracked, this provides us ssh access to the MySQL Docker container"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 88, "seconds": 17}, "tag": "linux insane", "line": " Running pspy on the MySQL Container discover an SSH key gets temporarily written"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 90, "seconds": 36}, "tag": "linux insane", "line": " Writing a loop that runs cat against a file until it exists, then stops to get the SSH Key, which gets us on the host"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux insane", "line": " Decrypting the SQLite Database we had found earlier"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 99, "seconds": 50}, "tag": "linux insane", "line": " Hunting for a backdoor on the system by looking at full timestamps, since package managers chop simplify the time, which may make backdoors stick out"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 105, "seconds": 0}, "tag": "linux insane", "line": " Discovering the a pam library and /etc/.bd file"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 107, "seconds": 0}, "tag": "linux insane", "line": " Analyzing the pam library in ghidra to discover it allows a BD password to 
login, but also allows people to bruteforce the backdoor password 1 character at a time"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 113, "seconds": 20}, "tag": "linux insane", "line": " Explaining how we are going to bruteforce this password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 116, "seconds": 30}, "tag": "linux insane", "line": " Creating a shell script to bruteforce the password"}, {"machine": "HackTheBox - Toby", "videoId": "XROkuXKgeg8", "timestamp": {"minutes": 120, "seconds": 45}, "tag": "linux insane", "line": " Bruteforcing the password and getting root"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro talking about crowdsec and its multiplayer firewall"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "", "line": " Showing my setup, 3 web servers, 2 attack servers"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Installing Crowdsec"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Going over the command line interface, CSCLI showing decisions"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " Showing descisions -a to go over every CrowdSec ban list"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - 
Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Attacking the webserver, showing it detect the SSH Brute Force"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "", "line": " Installing the CrowdSec Bouncer, then showing the attack box is now blocked"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "", "line": " Using iptables and ipset to show how CrowdSec Blocks things (with iptables)"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "", "line": " Looking at Collections and Scenarios to see how CrowdSec works "}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Looking at the CrowdSec documentation to understand the inner workings"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 15, "seconds": 13}, "tag": "", "line": " Showing Crowdsec would block us for using GoBuster"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "", "line": " Installing the dashboard to see the fancy graphical reporting from CrowdSec"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": 
{"minutes": 20, "seconds": 40}, "tag": "", "line": " Logged into the Dashboard"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "", "line": " Deleting descisions from CrowdSec to allow IP's to connect again"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Setting up a local crowdsec cluster, so agents talk to eachother"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "", "line": " Setting up the bouncers to all share signatures"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "", "line": " Looking at the bouncer logs, to see why it was broken. 
Updating the ApiURL, then our local cluster is setup and working"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "", "line": " Showing the cluster is working by having all hosts block simultaniously"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 45, "seconds": 45}, "tag": "", "line": " Showing a gobuster would cause the host to blocked everywhere"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "", "line": " Using the Dashboards SQL Web Client to extract information"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Explaining how our honey pot is going to work"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 52, "seconds": 56}, "tag": "", "line": " Configuring WEB-02 to forward SSH to another host instead of blocking it"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 57, "seconds": 15}, "tag": "", "line": " The final iptables commands to forward traffic"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "", "line": " Installing Cowrie, the SSH Honey pot"}, {"machine": "Ippsecs First Look and Setting up CrowdSec - Stealthfully Forward Malicious Users to 
Honeypots", "videoId": "2OEDFCo1VXY", "timestamp": {"minutes": 66, "seconds": 35}, "tag": "", "line": " The final demo, Getting blocked from WEB-01, then attempting to SSH to WEB-02 and immediately going to the honeypot"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux medium", "line": " Examining the webpage, just finding json. Running gobuster to discover /docs and /api"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Examining the user and admin endpoint, showing /user/ has a 404 but we can go into it"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux medium", "line": " Talking about why API Discovery differs from normal web, instead of extensions we fuzz methods"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux medium", "line": " Using wfuzz to fuzz endpoints in /user/ with POST Requests to discover /login and /signup"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Fuzzing the signup endpoint, reading error messages to identify the fields it wants"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Showing that curl behaves differently. 
Lets troubleshoot this by sending our curl and burpsuite to wireshark and seeing why its behaving differently"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 14, "seconds": 24}, "tag": "linux medium", "line": " Attempting to login to the API with the credential we created, discovering we need a urlencoded request"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " Logging in and getting a JWT Token, accessing /docs/ with it which is swagger documentation"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux medium", "line": " Authenticating in the swagger, so we can use the web interface to access private functions"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 19, "seconds": 58}, "tag": "linux medium", "line": " Changing administrators password with the UpdatePass endpoint, which is an IDOR like vulnerability"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Logging in with admin, then accessing the admin functionality"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Exploring the /proc/self directory with the LFI and finding where the source code to this app lives"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Extracting the JWT Secret Key from app/core/config.py, and adding the debug parameter, which enables us to access the /access endpoint"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Showing we cannot use slashes or pluses on this endpoint"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", 
"timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 29, "seconds": 29}, "tag": "linux medium", "line": " Discovering the root password in an authentication log, because someone entered a password in a username field"}, {"machine": "UHC - Backend", "videoId": "x6Kpkl0C2xg", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux medium", "line": " Just looking at the code briefly. Should have prepared more to do this. Will probably do a separate video showing FastAPI."}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " Taking a look at the website"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux hard", "line": " Examining the AUTH Cookie and talking about why its unique"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux hard", "line": " Running FeroxBuster, talking about why I started using it"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Examining the length of the cookie with various usernames to discover the cookie length changes"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Discovering the block size"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 12, "seconds": 30}, 
"tag": "linux hard", "line": " Modifying the cookie and getting an Invalid Padding error message. Which indicates it may be vulnerable to Padding Oracle"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Running padbuster to perform the Padding Oracle attack and decrypt the cookie. Then creating a new cookie changing our username"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " Changing our cookie to the forged one and logging into the application as Administrator"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 21, "seconds": 5}, "tag": "linux hard", "line": " Finding an SQL Injection in the Logs endpoint, using SQLMap to dump everything"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux hard", "line": " Going over the SQLMap history files to view previously dumped data, so we don't have to make more requests to the server"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Cannot crack the MD5's in the database, downloading the CMS Made Simple source and doing some quick code review to find out all MD5's have a static salt"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Cracking the salted MD5 password of the editor user with hashcat"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Going to the devbuild-job.overflow.htb and discover there's an upload resume"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " 
Uploading a jpeg results in the server giving us the ExifTool version, finding CVE-2021-22204 which is an exploit against ExifTool to run commands. Getting shell"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux hard", "line": " Reverse shell returned, getting developers password and using SSH to login as them"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 56, "seconds": 35}, "tag": "linux hard", "line": " Using find to list files owned by developer to find files owned by developer"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "linux hard", "line": " Hunting for files owned by tester and discovering commontask.sh, we can exploit this because we have write access over /etc/hosts"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 62, "seconds": 55}, "tag": "linux hard", "line": " Shell as tester"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 64, "seconds": 25}, "tag": "linux hard", "line": " Talking about extended attributes, using getfacl to show them"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux hard", "line": " Discovering a SetUID File, every time running it there is the same PIN Code it is prompting us for. 
Copy it to our local box and seeing if the pincode is the same"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "linux hard", "line": " Analyzing the binary in Ghidra, to discover there is no srand(), so the seed is always 1 for rand()"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " Discovering the pin code by setting a break point on the check in gdb"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux hard", "line": " Discovering the buffer overflow within the decompiled source, then using pattern_create to find where we overwrite EIP"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux hard", "line": " Looking at functions to set EIP to via ROP. Finding the Encrypt Function"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "linux hard", "line": " Discovering a timing attack in the encrypt function which lets us read any file"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux hard", "line": " Trying to perform the timing attack replacing a file with a symlink"}, {"machine": "HackTheBox - Overflow", "videoId": "4d87D4zFMEg", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux hard", "line": " Apparently we cannot just use /tmp/ for this exploit, we need to be in a directory. 
Performing the attack and getting root"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, the stream is here: https://www.twitch.tv/videos/1445106911"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Start of the video, showing what is new about this technique"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "", "line": " Running through the example, showing we can change the filename in ps to anything we want"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Showing what this looks like in the ps output"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "", "line": " Explaining what I don't like about the example used on the website"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "", "line": " Explaining what process substitution is, which is a really good way to pass arguments to bash scripts when piping with curl"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Testing process substitution with 
ddexec locally"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "", "line": " Showing how to execute this with DirtyPipe"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Successful execution of DitryPipe"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Showing a dirtypipe that changes the root password, changing the default password it uses"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Showing we changed the password, and then trolling myself because this box has PAM_WORDLE installed"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Finding a DirtyPipe exploit that modifies a SetUID"}, {"machine": "Executing Linux Binaries Without Touching Disk - Living Off The Land with DDExec and Dirty Pipe Demo", "videoId": "MaBurwnrI4s", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Cheating at our game of Hacker Wordle, to make sure we actually changed the root password earlier."}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing 
Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 0, "seconds": 47}, "tag": "", "line": " Discovering a weird binary running in /tmp/ but it doesn't exist on disk"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "", "line": " Start of explaining dd copying things out of memory"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Reading maps to identify where the file is, showing how to covnert hex to decimal in bash"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " File extracted from memory"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Copying the heap from memory and discovering it is mettle/meterpreter based upon strings"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "", "line": " Showing we don't need to use DD to extract the file, can just use the \"exe\" file in proc/pid/"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Opening the elf in Ghidra and examining its decompiled output"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 12, 
"seconds": 0}, "tag": "", "line": " Showing what the file looks like in Cutter, which has a different decompile view"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Reading the Metasploit source code to identify what it looked like, to confirm what our findings from reversing"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Using MSFVenom to generate our own stager in order to confirm this is indeed what we saw on the box and that we extracted it correctly"}, {"machine": "Basic Linux Memory Forensics - Dumping Memory and Files with DD - Analyzing Metttle/Meterpreter", "videoId": "uYWTfWV3dQI", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Using GDB against the stager to just practice reversing"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Running NMAP"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " The footer talks about BMC, explaining why I jumped to IPMI when reading this"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Talking about IPMI"}, {"machine": "HackTheBox - 
Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " Running Metasploit to dump the IPMI Hash and then crack it with hashcat"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux medium", "line": " Running IPMITool to explore the interface, there isn't anything really here"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Logging into Zabbix with the credentials and then fumbling around creating a malicious check"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Discovering what we were doing wrong, we didn't want to put quotes in the system.run command"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "linux medium", "line": " Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Attempting to get into the Zabbix database, need to switch to the ipmi-svc user"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 34, "seconds": 57}, "tag": "linux medium", "line": " Showing a cool MySQL command \\G to display results in a table form, useful when dumping a lot of columns"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 36, "seconds": 5}, "tag": "linux medium", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " No real exploit paths found, checking for exploits in the MYSQL 
Server and finding CVE-2021-27928 (WSREP)"}, {"machine": "HackTheBox - Shibboleth", "videoId": "tVXGM10kRwY", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "linux medium", "line": " Performing the MySQL WSREP Exploit and getting root"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 1, "seconds": 35}, "tag": "linux hard", "line": " Enumerating the web page, finding a way to validate potential users"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Examining the data the website stores in our browser"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Attempting type juggling, finding out its not vulnerable"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Before we WFUZZ, just playing with PHP to see how it handles numbers. 
"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Running WFUZZ with the range payload to bruteforce all possible pin code, find out we get blocked."}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Searching for ways to bypass rate limits, testing out the X-FORWARDED-FOR header"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux hard", "line": " Using WFUZZ with two wordlists in the zip mode, so we can fuzz with pin codes and change the ip address to bypass the ratelimit (FUZ2Z)"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Logged into the application, discovering the secret parameter which prevents us from tampering with the request"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "linux hard", "line": " Doing type juggling to bypass the tamper detection and finding SQL Injection"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux hard", "line": " Extracting information out of the database with union injections with group_concat and concat"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Nothing interesting in the database, dropping a webshell but first we have to view the nginx config to find where the website is"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Using the INTO OUTFILE command to write a shell to /srv/altered/public/"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "linux hard", 
"line": " Reverse shell returned"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux hard", "line": " Explaining some basics around dirty pipe and why people use /etc/passwd"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux hard", "line": " Using the DirtyPipe exploit that resets root's password to aaron"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux hard", "line": " In order to use the \"su\" command, we need to beat wordle with a custom dictionary... Failing to play wordle"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux hard", "line": " Using a DirtyPipe exploit to overwrite a SetUID Binary, which bypasses our wordle game"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Extra: Revisiting wordle, but now we have the dictionary it uses, so we can cheat and win the game"}, {"machine": "UHC - Altered", "videoId": "a29TXlGO0AA", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux hard", "line": " Extra: Fumbling around in the source code, learning some things but failing to enforce authentication on the GetProfile Endpoint."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PowerSiem: https://github.com/IppSec/PowerSiem"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Creating PowerSiem: https://www.twitch.tv/videos/1438252177"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": 
"MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Sysmon Configuration File: https://github.com/Neo23x0/sysmon-config"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 0, "seconds": 36}, "tag": "", "line": " Talking about PowerSIEM"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "", "line": " Installing Sysmon with Florian Roth's default config"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Showing what PowerSIEM does by running it and opening a command prompt, browser, etc"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Explaining the PowerSIEM Script, how it works, and all the current sysmon events"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Setting breakpoints in Powershell ISE"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 8, "seconds": 48}, "tag": "", 
"line": " Adding data to the Registry Set event"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 11, "seconds": 58}, "tag": "", "line": " Showing just running a SysInternals tool creates a registry key for accepting the EULA"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "", "line": " Running Impackets PSEXEC, to find out Defender stopps it. Running Sysinternals Version and showing defender allows it."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Using PowerSIEM to show how the Sysinternals PSEXEC works."}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Disabling AV, Running impacket's version again to show how it differs"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "", "line": " Creating a Cobalt Strike Beacon and showing some alerts"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Running a shell command in CobaltStrike and showing what it looks like in PowerSIEM"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with 
PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Running Mimikatz and talking about its sacrificial process, pipes, and mimikatz accessing LSASS"}, {"machine": "PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis", "videoId": "MvfhIydxFmw", "timestamp": {"minutes": 24, "seconds": 5}, "tag": "", "line": " Showing not everything will be logged"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Into"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux easy", "line": " Start of nmap talking about seeing two ports having the same HTTP Banner"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Checking out the webpage to discover source code and some docs"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Always RTFM, Playing with the API to Register a user, login, and check out privilege level."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux easy", "line": " Renaming our burp repeater tab by just double clicking on the number"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Trying to login with a name instead of email"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Testing our login token to find out it uses JWT's in a non-standard way"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux easy", "line": " Analyzing the 
source code to see the token is used in a header called \"auth-token\""}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux easy", "line": " Looking at git commit history to see there is a hard coded secret in an older commit and forging a token"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Changing our tokens user, going back to the source code and seeing \"theadmin\" is a hardcoded administrative user"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Talking about the importance of rotating secrets in a web application"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Testing command injection and getting a reverse shell"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a SSH Key for a second way into the box"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Checking NGINX Configuration to see if there is any difference between the two websites (port 80 and 3000), there isnt."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Running LinPEAS, discovering a custom SetUID Binary called count"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": 
{"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 31, "seconds": 57}, "tag": "linux easy", "line": " Examining the source code, to discover it allows for dump files to be created"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux easy", "line": " Failing to kill the linux process with the correct signal"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " Pulling up the man page to kill and listing all signals, then killing the process with a Segfault (11)"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux easy", "line": " Using apport-unpack to extract the crash report into readable files"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 37, "seconds": 23}, "tag": "linux easy", "line": " Examining the coredump to discover the file read is there! 
Then doing the same thing with an SSH Key to get root on the box"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Showing how file descriptors (/proc/pid/fd) work and failing to pull the ssh key, because the key isn't readable by us."}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux easy", "line": " Failing to dump the the heap memory with DD as a regular user"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux easy", "line": " Back the examining the fd's in proc, showing if we had permission to read the file, that we could bypass the directory permission by cat'ing the file handle"}, {"machine": "HackTheBox - Secret", "videoId": "byYZl9CSFtM", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux easy", "line": " Dumping the heap of the process as the root user to show we can extract the file from the processes memory"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Join Intigriti here: https://go.intigriti.com/ippsec"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro "}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "", "line": " Enumerating the application utilizes Laravel based upon a default cookie name."}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Jumping into a PHP Interpreter to show off the Type confusion bug."}, {"machine": "PHP Type Juggling - Why === is 
Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Trying the same thing in Python, Javascript, Ruby, and showing that they aren't vulnerable in this way."}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Talking about the importance of the Laravel API Middleware"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Converting the GET request to have JSON Data"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Changing the JSON Data to pass a boolean for password"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Bypassing login with type confusion"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Sponsor highlight Intigriti"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 12, "seconds": 48}, "tag": "", "line": " End of sponsor highlight"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "", "line": " Looking at the Laravel Code to find where the route is for the custom login function"}, {"machine": "PHP Type Juggling - Why === is Important - Bug Bounty Tips", "videoId": "idC5SAsKhlE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Showing the vulnerable function"}, {"machine": "All About DLL Hijacking - My Favorite 
Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "", "line": " Why DLL Hijack is my favorite persistence, talk about a few others"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 2, "seconds": 3}, "tag": "", "line": " Going over the source code to our sample applications to talk about DLL Hijacking"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Compiling our executable and dll then transfering it to our windows box"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Using Process Monitor to show standard DLL Hijacking (when a DLL Does not exist)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Showing the order windows tries to load the DLL (Directory of binary then PATH)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Talking about a somewhat common mistake when people make edits to the PATH (ex: Java/Python/etc)"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Placing the DLL test.exe is looking for and achieving code execution"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Showing 
if we can write in c:\\Windows, we can hijack most dll's explorer.exe loads from system32."}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Messing up using Process Monitor for a bit, sorry should have prepped a bit more"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Showing why explorer is unique, then putting CSCAPI.DLL into c:\\Windows\\... This would get ran anytime a user logs into the system"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " DLL Hijacking OneDrive for user level persistence"}, {"machine": "All About DLL Hijacking - My Favorite Persistence Method", "videoId": "3eROsG_WNpE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "", "line": " Wrapping up, talking about some videos where I talk more about creating DLL's which can help with this"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux insane", "line": " Start of Nmap"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux insane", "line": " Start of gobuster to enumerate VHOST and Files"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Showing how I like to find the needles in a haystack when it comes to parsing lots of data."}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux insane", "line": " Using 
google reverse image search to try to identify what a logo means"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux insane", "line": " Hunting for XSS, putting unique URL's in all fields (check for a callback later)"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "linux insane", "line": " Going over the Docker Compose file we had downloaded"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux insane", "line": " Discover our XSS Attack worked, looking for LocalStack CVE's and discovering one in the dashboard"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Start of exploiting the XSS"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux insane", "line": " Creating a CSRF to force the victim to navigate to pages and send us the date, read his email to discover an S3 Domain"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Start of looking at creating an AWS Lambda application"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux insane", "line": " Using aws cli to create a lambda function"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux insane", "line": " Creating a malicious lambda, then using XSS to send the user to the LocalStack dashboard and trigger our code"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux insane", "line": " Reverse shell returned on the docker container. 
Use PSPY to identify what localstack does when invoking lambda functions and finding an 0day"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux insane", "line": " Testing out our 0day, creating a malicious lambda and injecting when localstack creates a docker to run the code"}, {"machine": "HackTheBox - Stacked", "videoId": "aWXfEDIYZu8", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "linux insane", "line": " Got root on the localstack container, abusing our ability to create docker containers to escalate to root on the host system"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Start of nmap, getting distribution by googling SSH/HTTP Server headers"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Checking out the web page and discovering it is a Laravel PHP Application based upon the cookie "}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " Talking a little bit about Laravel Internals, and why our web request is going to the API Middleware is useful"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux medium", "line": " Showing that Laravel accepts data in the BODY even if it is a GET Request"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux medium", "line": " Changing our content type to JSON which will allow us to send JSON to the Laravel API"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 9, "seconds": 42}, "tag": "linux medium", "line": " 
Setting the password to the boolean true and bypassing login, explaining why === is important"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Logging into the application and discovering a zip file that is encrypted with ZipCrypto"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux medium", "line": " Showing where I got the inspiration for creating this challenge! An actual leaker made this mistake."}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Decrypting the zip with a known plaintext attack with bkcrack"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux medium", "line": " Logging into the box with the SSH Key"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Looking at the Laravel Source Code to find where the login function is and getting the root password for the box"}, {"machine": "UHC - Ransom", "videoId": "YGoR2gSDaI4", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux medium", "line": " Showing the vulnerable function of the applicaiton, and that using three equal signs instead of two would fix it."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro "}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux medium", "line": " Poking at the SSH Chat Application"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 5, 
"seconds": 10}, "tag": "linux medium", "line": " Running a VHOST Scan and discovering pets.devzat.htb"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Discovering pets.devzat.htb doesn't have a 404 and is a golang webserver"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Fuzzing the user input on pets"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux medium", "line": " Webapp ignores when a semicolon is at the end of user input, indication to command injection [MasterRecon]"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux medium", "line": " Using Gobuster to discover the .git directory and working around the issue of the box having no 404 errors. Use git-dumper to extract."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Doing some light source code analysis on the Go Binary"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "linux medium", "line": " Showing it is also an LFI Vulnerability, just incase command injection was patched"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, examining the git log of the files, don't see anything interesting"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Discovering from localhost we can login to chat as anyone, but messages are hidden on Reverse Shells. 
Switch to SSH and read the messages."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux medium", "line": " Looking for an InfluxDB vulnerability via exploit-db, changelog, and synk"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux medium", "line": " Going to git, and pulling up the issue created for this issue so we can understand how to exploit it"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux medium", "line": " Using JWT.IO to create a token with a blank signature"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Testing our authentication bypass with curl, then creating a bash script to make it a bit easier for us to run queries."}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Using the HTTP API of InfluxDB to show databses, tables, and dump data to get catherines password"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux medium", "line": " Using the find command to find files owned by catherine, to find a backup of the dev source code"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "linux medium", "line": " Finding all the files that differ between two directories via find, md5sum, and grep"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux medium", "line": " Discovering the hard coded password required for the FILE command in the new devzat application"}, {"machine": "HackTheBox - Devzat", "videoId": "QEgtbzS1Pyc", "timestamp": {"minutes": 60, "seconds": 
40}, "tag": "linux medium", "line": " Grabbing roots SSH Key via an LFI in the FILE Command"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "linux hard", "line": " Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux hard", "line": " Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password "}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux hard", "line": " Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon]"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux hard", "line": " Identifying the Nuxeo application and searching for the web vulnerability"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "linux hard", "line": " Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Testing an java EL SSTI Payload to get code execution. 
Don't get output but can validate we run code via ping"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Looking at listening ports, running a powershell snippet to get process name and the port they listen on"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux hard", "line": " Looking for an exploit with Unified Remote. Using Chisel to forward the port it listens on to us."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Going over the Unified Remote Exploit script, changing where it writes files to and using msfvenom to generate a malicious exe for us"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " What i say here is wrong... I did not notice I got a shell back when writing to C:\\Windows\\Temp... lol."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 39, "seconds": 9}, "tag": "linux hard", "line": " Converting the Unified Remote script to Python3 with some vim macro magic"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Running WinPEAS and discovering a Firefox credential"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Using HashPash with the creds WinPEAS displayed to get the development users password. 
Using chisel to forward WinRM to us and accessing the box as development"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Start of RE of the MyFirstApp Binary. Opening Ghidra"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Searching for Strings to find where Username: is in the program and looking at code around it to see how authentication works"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux hard", "line": " Looking at Encrypt1() and discovering it is just Rot47"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux hard", "line": " Looking at Encrypt2() and discovering it is just AtBash"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 72, "seconds": 45}, "tag": "linux hard", "line": " Logging into the application and discovering what is available to us after auth"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 76, "seconds": 10}, "tag": "linux hard", "line": " Discovering a buffer overflow in the code parameter, then opening it in x32dbg and seeing we overwrite EIP"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 82, "seconds": 55}, "tag": "linux hard", "line": " EIP Overwrote, looking at ESP we only have 10 bytes of space here. 
Talking about JMP Backwards to get to a spot where we have more space"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Start of pwntools script, using x32dbg to show us a JMP ESP "}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux hard", "line": " Using msf-metasm_shell to generate shellcode for us"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 92, "seconds": 5}, "tag": "linux hard", "line": " Disabling DEP for our process on our windows box"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 95, "seconds": 10}, "tag": "linux hard", "line": " Showing we can use the JMP ESP, to execute our JMP -70 to get back to the start of our userinput. Its still not large enough for a revshell need to use Socket Reuse to increase buffer size"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 98, "seconds": 20}, "tag": "linux hard", "line": " Setting a breakpoint on a recv() call and looking at the stack.. We will have to mirror this."}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 102, "seconds": 40}, "tag": "linux hard", "line": " Getting the location of the Socket Handle which is ESP+0x48, then writing shell code to save that"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 105, "seconds": 50}, "tag": "linux hard", "line": " When trying to add 48, we get a null byte which is bad. 
Using an add/sub call to add 48 without null bytes"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 111, "seconds": 20}, "tag": "linux hard", "line": " Moving ESP to the other side of EIP so we don't have to worry about overwriting EIP and buffer overflowing the program again"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 115, "seconds": 30}, "tag": "linux hard", "line": " Getting 0 on the stack by just xor ebx, ebx - Then pushing the size of data we want"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 120, "seconds": 35}, "tag": "linux hard", "line": " Pointing the memory address recv saves data to within our junk data, as this is where the program returns to after the call"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 123, "seconds": 35}, "tag": "linux hard", "line": " Using Ghidra to get the memory address of the RECV() function, so we can call it"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 129, "seconds": 45}, "tag": "linux hard", "line": " Using MSFVenom to generate the shellcode for a reverse shell and testing out the exploit"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 133, "seconds": 50}, "tag": "linux hard", "line": " Showing by setting EXITFUNC=THREAD we don't kill the program when we exit our shell"}, {"machine": "HackTheBox - Hancliffe", "videoId": "kA-bkftyyY0", "timestamp": {"minutes": 135, "seconds": 50}, "tag": "linux hard", "line": " Updating our script to point at the hancliffe machine and getting our shell"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", 
"line": " Start of nmap"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "windows easy", "line": " Quickly testing SMB, then using CME to get a hostname of the box"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "windows easy", "line": " Testing out the website, discovering admin:admin logs us in. Running gobuster with HTTP Auth "}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows easy", "line": " The website allows us to write to a file share. Going over SCF Files and how we can use them to steal NTLMv2 Hashes by having an external icon"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "windows easy", "line": " Using hashcat to crack the NTLMv2 Hash"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows easy", "line": " Using CME with these credentials to discover we can WinRM to the box"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Downloading WinPEAS and using our Evil-WinRM shell to execute it"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "windows easy", "line": " Going over the WinPEAS Output and discovering a Ricoh printer driver"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows easy", "line": " Going over the Ricoh printer driver exploit"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows easy", "line": " Switching to Metasploit, showing an issue with the WinRM Module in MSF"}, {"machine": "HackTheBox - Driver", 
"videoId": "N2ahkarb-zI", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows easy", "line": " Using MSFVenom to create an executable then having WinRM send us the meterpreter shell"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Having trouble getting the exploit to run... Switching to a 32 bit payload... then migrating to a interactive process"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "windows easy", "line": " Using Meterpreter to migrate to an interactive process then suddenly the exploit works"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows easy", "line": " Using the powershell PrintNightmare to privesc"}, {"machine": "HackTheBox - Driver", "videoId": "N2ahkarb-zI", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows easy", "line": " Showing the two WinRM MSF Scripts operate completely differently."}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Examining the SSL Certificate to find alternative names"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Discovering PassBolt, but looks like we need an email to login to passbolt"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux medium", "line": " Checking the bolt.htb and finding a link to download a custom docker image"}, 
{"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Extracting the docker image and viewing the docker layers"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Showing off \"Dive\" which is a tool to navigate docker images"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " Showing my initial process at analyzing this with a little bash-fu"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux medium", "line": " Creating a bash loop to print every file"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Viewing config.py, and history files by decompressing the layers they are in"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux medium", "line": " Viewing information in the SQL Lite Database and grabbing a password hash"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Logging into the web app"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Extracting all of the layers so we can view the source code"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " ash_history is now empty, which shows there were multiple versions of this file"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Viewing different versions of routes.py in the docker layers"}, 
{"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux medium", "line": " Exrtacting the invite code from an old version of routes.py, then registering an account on demo.bolt.htb, which also allows for access to mail.bolt.htb"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux medium", "line": " Checking the mail and finding out the SSTI Worked"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux medium", "line": " Finding an SSTI Jinja2 Payload on PayloadAllTheThings that we can use for RCE, then getting a reverse shell"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux medium", "line": " Grabbing passwords from all the web applications"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " The PassBolt application doesn't have password hashes for users, but has a PGP Encrypted Secret"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux medium", "line": " Using CME (CrackMapExec) to spray ssh with a list of usernames and passwords and finding Eddie's password which we can use SSH With"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 47, "seconds": 10}, "tag": "linux medium", "line": " Extracting information out of Eddie's Google Chrome and finding data a PGP Private Key"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "linux medium", "line": " Trying to import the PGP Key from chrome with GPG but it is encrypted"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " 
Using John The Ripper GPG2John to crack the PGP Key"}, {"machine": "HackTheBox - Bolt", "videoId": "hLGS52X_zr4", "timestamp": {"minutes": 52, "seconds": 45}, "tag": "linux medium", "line": " Importanting the private key, then decrypting the message to get root's password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap, adding earlyaccess.htb to the hostfile"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Registering an account to see what features are enabled to regular users"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Discovering bad characters of username are only checked upon registration, not changing it from the profile page"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Testing the Contact Forms for XSS by sending a message to ourself"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " Using document.location javascript to steal cookies"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 17, "seconds": 5}, "tag": "linux hard", "line": " Taking the administrators cookie and discovering some new hosts/functionality/key validation script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 20, "seconds": 7}, "tag": "linux hard", "line": " Going over the key validaiton script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", 
"timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Breaking the first part of the Key which is a simple Bit Shift and XOR to get KEY01"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 30, "seconds": 5}, "tag": "linux hard", "line": " Breaking the second part of the key which calculating every permutation of when two strings equal eachother"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux hard", "line": " Showing the lazy way to do the second part, since we never actually need to know every combination"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux hard", "line": " Breaking the third part of the key, which has a rotating magic. Discovering the keyspace for magic is only 60"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux hard", "line": " Coding the third part to display valid keys for all 60 combinations"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux hard", "line": " Breaking G4, which is just a simple XOR"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Talking about how the CheckSum works and how it is similair to the Luhn Check"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Putting everything togather and building a key generator to give us 60 keys"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "linux hard", "line": " Allowing our script to attempt to register keys on our behalf"}, {"machine": "HackTheBox - 
EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " Debugging issues in our script"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 78, "seconds": 40}, "tag": "linux hard", "line": " The issue of our script, we copied the checksum incorrectly"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 82, "seconds": 50}, "tag": "linux hard", "line": " Logging in to play the game and talking about forging scores"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "linux hard", "line": " Playing with Second Order SQL Injection with our username and scoreboard"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 86, "seconds": 8}, "tag": "linux hard", "line": " Extracting table information from information_schema with our union sql injection "}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux hard", "line": " Extracting hashes from the database than cracking to get the administrators password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 96, "seconds": 10}, "tag": "linux hard", "line": " Logging into developer admin panel"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux hard", "line": " Fuzzing file.php to discover hidden parameters to find filepath which can be used to extract source code via lfi and php filters"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux hard", "line": " Reading the source code of hash.php to discover we can execute code if we pass a debug parameter"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", 
"timestamp": {"minutes": 105, "seconds": 45}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux hard", "line": " Switching to www-adm user which has the .wgetrc file and can access the api"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 109, "seconds": 10}, "tag": "linux hard", "line": " Downloading a static compile of nmap so we can find the api host"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 113, "seconds": 0}, "tag": "linux hard", "line": " Using python to print the ip address of the box"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 115, "seconds": 40}, "tag": "linux hard", "line": " Parsing the check_db output to get database credentials, which can be used to SSH into the box"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 120, "seconds": 0}, "tag": "linux hard", "line": " Going over linpeas output"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 126, "seconds": 0}, "tag": "linux hard", "line": " Reading the mail to drew, to discover the gameserver will reboot upon crashing. 
Using static nmap to find the gameserver"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 128, "seconds": 45}, "tag": "linux hard", "line": " Setting up the SSH Port Forward so we can access the gameserver"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 130, "seconds": 20}, "tag": "linux hard", "line": " Creating a script that will execute upon the gameserver restarting to gain root on the docker"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 136, "seconds": 50}, "tag": "linux hard", "line": " Crashing the gameserver by setting the rounds to -1, and getting the root password to docker which is game-adm's password"}, {"machine": "HackTheBox - EarlyAccess", "videoId": "P4KLqTORmIw", "timestamp": {"minutes": 140, "seconds": 25}, "tag": "linux hard", "line": " Abusing the capabilities set on arp to read files on the box"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 1, "seconds": 7}, "tag": "linux hard", "line": " Running nmap, discovering wordpress"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "linux hard", "line": " Manually looking at the wordpress site, finding a post that has some dynamic content on it... 
This is weird"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Attempting to poison the browser table with php/ssti/etc user agents"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Starting wpscan with enumerating all plugins"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux hard", "line": " WPScan found a backup of the configuration file"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Changing the year on the password of the configuration file and discovering MFA"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Talking about the \"Discover Backup\" argument of gobuster, which does find another wp-config.php backup file"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 13, "seconds": 53}, "tag": "linux hard", "line": " Explaining what the XMLRPC Interface to wordpress"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Showing the system.listMethods function on the XMLRPC to list all the methods"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Switching over to the Python Wordpress XMLRPC Library to play with this interface, creating an object to login"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "linux hard", "line": " Showing how to dump users, then examine properties of a user"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " 
Attempting to use this library to upload files, discover we can only upload images"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Dumping the posts, and discovering the table we found earlier was using the php-everywhere plugin on a post. Using the XMLRPC Interface to edit the post to host malicious PHP"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux hard", "line": " Creating a PHP File that will write another PHP Shell and lock it down to an IP Address"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux hard", "line": " Had an issue with my webshell, running it locally to discover what the issue was and re-uploading"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "linux hard", "line": " Got RCE! However, reverse shells aren't working enumerating the firewall"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 45, "seconds": 15}, "tag": "linux hard", "line": " Explaining why I am going to use my Forward Shell"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 46, "seconds": 45}, "tag": "linux hard", "line": " Grabbing my Forward Shell Skeleton code, modifying it and getting RCE"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Forward shell works! That took next to no time and I explained a lot of it"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "linux hard", "line": " The date on pkexec is old, it's probably vulnerable. 
Compiling a POC and uploading it through the XMLRPC, then running it to get root"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Another PwnKit method, if I didn't have a Forward Shell having pwnkit chmod /root/ to 777 would allow us to read the flag"}, {"machine": "UHC - Pressed", "videoId": "p8mIdm93mfw", "timestamp": {"minutes": 63, "seconds": 10}, "tag": "linux hard", "line": " Going over the WPScan enumerate all plugins to show how beneficial this output would have been"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux easy", "line": " Start of nmap, examining the page discovering its all static with no user input"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux easy", "line": " Examining the source code of the website"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Running the javascript through a beutifier so we can easily read this, and finding another web endpoint"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 8, "seconds": 57}, "tag": "linux easy", "line": " Going to api-prod.horizontall.htb, running gobuster and examining the endpoints"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Navigating to /admin brings us to a STRAPI login, searching for exploits and finding an RCE"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux easy", "line": " Lightly reading the 
exploit script, we will go more in depth at the end of this video"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell returned, looking for how the webapp talks to the database"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " Explaining why this nginx server uses proxy_pass and has a node app listening on port 1337"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux easy", "line": " Dropping an SSH Key and using SSH to access this box, no privilege escalation yet just wanted a better shell"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux easy", "line": " Having a lot of trouble with getting data out of the MySQL Database, not exactly sure what went wrong here."}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux easy", "line": " Going over the LinPEAS Output and discovering port 8000 running laravel"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux easy", "line": " Going over why we cant see processes from other users"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux easy", "line": " Using SSH to tunnel port 8000 to our box, allowing us to access laravel, finding out laravel is in debug mode"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 37, "seconds": 52}, "tag": "linux 
easy", "line": " Finding an exploit and executing code as laravel."}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 41, "seconds": 8}, "tag": "linux easy", "line": " First script didn't work, looking to see if there are others. This one didn't require absolute paths, which allows it to work! Getting root"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux easy", "line": " Looks like there's some bad characters with our reverse shell, switching to a web cradle and getting root"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux easy", "line": " Explaining why this box isn't the box I wanted to show off FeroxBuster (Recursive Searching on API wouldn't work)"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux easy", "line": " Looking at the STRAPI Exploit and showing how the patch worked"}, {"machine": "HackTheBox - Horizontall", "videoId": "v0OQowfK9Pk", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "linux easy", "line": " Comparing PHP Exploits"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap, getting hostname and "}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows insane", "line": " Discovering the Server Header changes for virtualhost, probably navigating to a different box/container/etc [MasterRecon]"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows insane", "line": " Getting a good SSTI Fuzz 
String then identifying this string causes an error on the webserver. Removing parts of the string until we see the type of SSTI"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows insane", "line": " Playing with ASP Code in this SSTI or ASP Code Injection... Not sure what the vulnerability is"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows insane", "line": " Getting a VBScript One Liner to execute code and then getting a reverse shell"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows insane", "line": " Discovering a x509 certificate, decoding it with openssl, and discovering a second hostname"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows insane", "line": " Downloading and running chisel to setup a reverse socks proxy so we can attempt to pivot through this container"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 31, "seconds": 54}, "tag": "windows insane", "line": " Running nmap through the chisel socks proxy with proxychains"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "windows insane", "line": " Setting FoxyProxy to only send specific domains through our proxy"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "windows insane", "line": " Discovering the softwareportal.windcorp.htb attempts to install software on machines, set it to our machine and wireshark to see how 3it connects back to us"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows insane", "line": " Using responder to intercept the WinRM Connection and then 
use hashcat to crack the credentials"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "windows insane", "line": " Using CrackMapExec with our cracked credentials discovering we can access a file share that has Jamovi Files"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "windows insane", "line": " Installing Jamovi then finding out the XSS and proving RCE with Calc. Setting it to execute javascripts off of our webserver"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 53, "seconds": 20}, "tag": "windows insane", "line": " Creating a web cradle to execute a reverse shell, in typical ippsec fashion have a typo that we will fix later"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "windows insane", "line": " Fixed up the web cradle, reverse shell returned. Some light enumeration and talking about honey pots that have logon hours set to never"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Start of certificate exploit, downloading tools certify, rubeus, ADCS, PowerView"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "windows insane", "line": " Running Certify to find vulnerable certificates, we can edit the certificate template which enables us to enroll a smart card"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "windows insane", "line": " Running Get-SmartCardCertificate and then checking certificate store to see we didn't have anything. 
Showing we need to change the script because a weird thing with UPN's on this box"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows insane", "line": " Running Get-SmartCardCertificate again with our fix, then getting the certificate thumbprint and using Rubeus to get the credential"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows insane", "line": " Enabling RDP on the box so we can visually see the certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 79, "seconds": 10}, "tag": "windows insane", "line": " Opening up MMC to see the certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 83, "seconds": 20}, "tag": "windows insane", "line": " Doing the Certificate Exploit again but stepping through it all manually using Linux instead of Windows when possible"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "windows insane", "line": " Showing the vulnerable certificate template before modifying and what the certificate usage is"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 86, "seconds": 30}, "tag": "windows insane", "line": " Showing the certificate template after using Set-ADObject to modify the template"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 87, "seconds": 25}, "tag": "windows insane", "line": " Generating a Certificate Request"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "windows insane", "line": " Using CertReq to sign the certificate we generated"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 91, "seconds": 30}, "tag": "windows insane", "line": " Showing my 
Kerberos Configuration"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 92, "seconds": 50}, "tag": "windows insane", "line": " Using CertUtil to output the CA Certificate"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 93, "seconds": 50}, "tag": "windows insane", "line": " Setting up our port forwards so we can communicate with Kerberos"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 97, "seconds": 45}, "tag": "windows insane", "line": " Running kinit to login with our X509 Smart Card Certificate, get error show how to debug KINIT with trace"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 99, "seconds": 40}, "tag": "windows insane", "line": " Changing our time to match the DC and then running KINIT again and getting a session"}, {"machine": "HackTheBox - Anubis", "videoId": "tEwH1FeH1mw", "timestamp": {"minutes": 100, "seconds": 50}, "tag": "windows insane", "line": " Using Evil-WinRM to get a shell with our kerberos certificate"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Running nmap finding a filtered port with some open ones"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Running GoBuster to always have something running in the background"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Playing with the Upload Form"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Playing with the Upload from URL to 
see what library connects back to us (SSRF)"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux medium", "line": " The Upload From URL has a blacklisted address, playing with it to discover what is blacklisted"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux medium", "line": " Bypassing the URL Blacklist in the SSRF by changing the case of words"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux medium", "line": " Running a virtualhost bruteforce within gobuster to discover vhost"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux medium", "line": " Bypassing the URL Blacklist in the SSRF by creating a webserver that will send a redirect"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Using the SSRF to download admin.forge.htb and discovering ftp creds and another SSRF"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " Using the SSRF to use FTP "}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Encoding the IP Address as hex to bypass a blacklist"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "linux medium", "line": " When specifying a directory in the FTP with SSRF need a trailing slash explaining why"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux medium", "line": " Downloading id_rsa and then logging into the machine"}, {"machine": "HackTheBox - Forge", "videoId": 
"-BL4uevhERg", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " The user can sudo run a python script, which stands up a debugger on a random port"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 26, "seconds": 13}, "tag": "linux medium", "line": " Doing a nested tmux so we can run the python script and then use netcat to connect"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux medium", "line": " Getting root"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 30, "seconds": 55}, "tag": "linux medium", "line": " Explaining how to harden the blacklist to prevent the easy bypassing"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux medium", "line": " Looking at how admin.forge.htb added FTP Support"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux medium", "line": " Thinking there's an RCE but there isn't, shlex is a good filter"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux medium", "line": " Getting frusterated, lets break this down and see whats stopping our RCE"}, {"machine": "HackTheBox - Forge", "videoId": "-BL4uevhERg", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "linux medium", "line": " Playing with Shlex to discover it is what prevents the RCE"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux 
hard", "line": " Examining the web page, noticing every URL with admin gets redirected to a django login"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Creating an account and looking at the page to discover CTF Challenges"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Submitting a writeup, discovering an old version of Firefox talks to us"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Checking for Tab Nabbing vulnerability and explaining it"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux hard", "line": " Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux hard", "line": " Phishing worked, got the admin's password. 
Login to Django to see another website (Sentry)"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux hard", "line": " Grabbing a django deserialization payload then installing django on python2 to use the payload"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux hard", "line": " Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Setting up the reverse shell in a way that works with ZSH, just need to do stty raw -echo; fg on one line"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 46, "seconds": 13}, "tag": "linux hard", "line": " Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl's password"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 52, "seconds": 25}, "tag": "linux hard", "line": " Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. 
Copy it back to our box"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 56, "seconds": 55}, "tag": "linux hard", "line": " Examing the binary in Ghidra"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 58, "seconds": 55}, "tag": "linux hard", "line": " Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 61, "seconds": 22}, "tag": "linux hard", "line": " Showing that AES-CTR does not have defined block sizes"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "linux hard", "line": " Using GDB to help our analysis, showing how to setup break points around what our decompiler shows"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 70, "seconds": 36}, "tag": "linux hard", "line": " Examining memory to confirm our static analysis was correct"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 71, "seconds": 15}, "tag": "linux hard", "line": " Grabbing the encrypted blob the program is comparing against to get the password and getting root"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux hard", "line": " CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "linux hard", "line": " CHALLENGE 3: Get Lucky, a small binary that rolls a dice. 
We exploit it mainly in GDB but after recording, probably could have done LD_PRELOAD, im not sure"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 94, "seconds": 50}, "tag": "linux hard", "line": " CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 97, "seconds": 10}, "tag": "linux hard", "line": " CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "linux hard", "line": " CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 109, "seconds": 30}, "tag": "linux hard", "line": " CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key"}, {"machine": "HackTheBox - Developer", "videoId": "MjkDCy10BYM", "timestamp": {"minutes": 113, "seconds": 29}, "tag": "linux hard", "line": " CHALLENGE 8: Triple Wamy, another XOR Challenge where we have to just do the XOR's backwards to get the flag"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Running GoBuster, discovering the redirects have filesizes"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 3, "seconds": 0}, 
"tag": "linux easy", "line": " Showing the Execute After Redirect vulnerability (EAR) by using BurpSuite to hit / and discovering the page"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Using grep to show us only what we want (oP)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Using BurpSuite to intercept the response to the request so we can disable the redirect (EAR). Then using the webform to create an account (IDOR)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Examining the website source, using grep to look for places with user input"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux easy", "line": " Testing the logs.php page for shell injection, then getting a reverse shell"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux easy", "line": " Going into the webconfig to get database creds, then dump and crack creds"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Testing local users with the passwords from the database to get m4lwhere's creds"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 20, "seconds": 25}, "tag": "linux easy", "line": " Checking sudo to see something is weird, the env_reset/secure_path is not there. 
(this is configured in /etc/sudoers)"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "linux easy", "line": " Explaining Path Injection, then taking advantage of a script in sudo not using absolute paths"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Going back to explain things, weird behavior of the webserver always hanging. Maybe it was trying to send me a webshell? idk"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux easy", "line": " Fuzzing parameters of accounts.php to create accounts. But first discovering how important the Content-Type header is!"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Using WFUZZ to fuzz the confirmation parameter"}, {"machine": "HackTheBox - Previse", "videoId": "LI9mw1rMKVw", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux easy", "line": " Explaining how the EAR Vulnerability happened in the code and how to fix it"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " Box will be uploaded to HackTheBox by January 5th."}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Looking at the login, failing normal SQL Injection"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Start of 
talking about NoSQL/Mongo Injection"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Using the NE operator to create the NoSQL Injection where password is not equal to admin and bypassing login"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Showing the REGEX operator and talking about other ones to leak data"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 8, "seconds": 34}, "tag": "linux easy", "line": " Creating a python application to bruteforce passwords from the NoSQL Database one character at a time"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Script done, running it going over the code"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux easy", "line": " Examining the UPLOAD functionality of the site "}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux easy", "line": " Testing for XXE"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux easy", "line": " Replacing our XXE POC to include a file. 
Then making the application error to get path of webapp, so we can extract source code"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux easy", "line": " Discoving the application utilizes Node-Serialize which is extremely vulnerable to unserialization/deserialization attacks"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux easy", "line": " Proving we have RCE after URL Encoding our entire payload and using double quotes instead of single"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux easy", "line": " Creating a reverse shell one liner that has minimal bad characters and getting a reverse shell"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "linux easy", "line": " Reverse shell returned, we already have the password for SUDO!"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux easy", "line": " ALTERNATE WAY TO GET PASSWORD: Mongodump"}, {"machine": "UHC - NodeBlog", "videoId": "ahzOprfN--Y", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux easy", "line": " Showing application is vulnerable to IDOR's"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Discovering an Apache Tomcat Errror message despite the webserver being Apache"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "linux medium", "line": 
" Looking at Orange Tsai's 2018 Blackhat talk on Path Normalization "}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux medium", "line": " Explaining the attack and how to bypass apache blocking access to /manager by using /..;/ or ;name=Stuff"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Attempting to deploy a WAR File to see that path is blocked by the max upload size being 1 byte"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Testing for log4j in Tomcat, discovering a callback"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Finding a twitter post that combines JNDI-Injection-Exploit-Kit and Ysoserial to do deserialization attacks with Log4shell/log4j"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Explaining whats different about ysoserial modified and why it lets us do reverse shells"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux medium", "line": " Running YsoSerial-Modified to generate a CommonsCollections5 payload"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux medium", "line": " Running JNDI Injeection Exploit Kit to setup the LDAP Server"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Running the exploit and getting a reverse shell, then looking at port 21 since it was filtered earlier"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " 
FTP is running as root and written in Java. Testing for Log4j!"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Using JD-GUI to examine the FTP Server source to discover credentials are stored in environment variables!"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux medium", "line": " Explaining why we are going to use Wireshark to view these environment variable leaks"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Creating a log4j payload that sends us the ftp_user environment variable, then ftp_password"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux medium", "line": " Using log4j to extract the java class path which may be helpful in creating serialized payloads"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Using log4j to extract the java version"}, {"machine": "UHC - LogForge", "videoId": "XG14EstTgQ4", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Using log4j to extract OS Information"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 4, "seconds": 
20}, "tag": "linux hard", "line": " Corrupted GZIP, using zcat to view it and fixgz to repair"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV)"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Talking about things I would be monitoring for on Login Forms [Detection]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux hard", "line": " Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux hard", "line": " VPN Connection established, looking at routes. Adding additional routes that don't exist"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Going over the NMAP ran from the second VPN"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Fully understanding the weird behavior from /vpn earlier on. It is indeed a reverse proxy. 
[MasterRecon]"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Exploiting the fact that XDEBUG is enabled on info.php"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " Running Chisel to create a pivot rhrough web to access mysql "}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " The Multiple VPN MTU Issue explained, demonstrating i can't send big packets because of chunking"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux hard", "line": " Finishing with setting up the chisel tunnel"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Switching up chisel to look at PKI."}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 53, "seconds": 34}, "tag": "linux hard", "line": " Running PHuiP-FPizdaM to exploit PHP-FPM/7.1"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 57, "seconds": 23}, "tag": "linux hard", "line": " Changing up our Chisel so we can send a reverse shell through the web box"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 61, "seconds": 45}, "tag": "linux hard", "line": " Looking at the ersatool source code to find a printf/format string vulnerability"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 64, "seconds": 15}, "tag": "linux hard", "line": " Verifying we have the format string vuln and some really basic talk about it"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux hard", "line": " Exploring the 
memory around our leaked address to defeat ASLR and edit the variable we want"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 70, "seconds": 30}, "tag": "linux hard", "line": " Start of a pwntools script to exploit format string"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 75, "seconds": 48}, "tag": "linux hard", "line": " Pwntools successful leak and calculating offset to the string we want to manipulate... cleaning up the script a little"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 79, "seconds": 5}, "tag": "linux hard", "line": " Explaining how we are going to write to an address and why the null byte is a small problem"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 87, "seconds": 15}, "tag": "linux hard", "line": " Overwriting the ERSA_DIR variable"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 93, "seconds": 55}, "tag": "linux hard", "line": " Tons of funny failing trying to verify this exploit worked"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "linux hard", "line": " Updating and explaining our chisel tunnel since we are proxying a lot of traffic bidirectionally through this web box"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 105, "seconds": 30}, "tag": "linux hard", "line": " Using cat to transfer a file over /dev/tcp, the trick is to base64 encode"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 110, "seconds": 50}, "tag": "linux hard", "line": " Using socat to have a binary (ersatool) listen on a TCP Port, so we can use pwntools to exploit it"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 112, "seconds": 45}, "tag": "linux hard", "line": " Updating 
pwntools to use a TCP Socket"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 115, "seconds": 50}, "tag": "linux hard", "line": " We can't execute out of /dev/shm, updating script to use /tmp"}, {"machine": "HackTheBox - Static", "videoId": "XZd-pQTu4vU", "timestamp": {"minutes": 131, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Into"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Discovering admin login page, running SQLMap and discovering it is SQL Injectable"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux medium", "line": " Testing for SQL Injections in the username and password, discovering injection in the username"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux medium", "line": " The adminsitrative interface lets us upload images, failing to upload a PHP Shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux medium", "line": " Using the SQL Union Injection to extract source code via Load_file, then creating a python script to automate it"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "linux medium", "line": " Creating a Regular Expression in Python to grab only the data we want and be multiline"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux medium", 
"line": " Downloading a good LFI Wordlist and then using it with our python script to find interesting files"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux medium", "line": " Finding the apache configuration which gives us where the web application lives"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux medium", "line": " Updating our LOAD_FILE command to utilize TO_BASE64 in order to get around the web application doing HTML Entity Encoding"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Discoving an hardcoded password in the python flask web application"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "linux medium", "line": " Discovering command injection in how the web application handles URL's"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux medium", "line": " Simplifying our reverse shell by using a base64 cradle"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 40, "seconds": 4}, "tag": "linux medium", "line": " Having troubles uploading the image, create the image manually on our box, so the image upload form creates the request for us. 
Then getting a shell"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux medium", "line": " Discovering another database password within the second web application, cracking a password then switching to the Kyle user"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " Using find to find files owned by a group"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux medium", "line": " Examaning the Postfix config to see it executes the Disclaimer script as John and is editable by our gorup. Edit the file, then sent an email to get shell as John."}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux medium", "line": " Showing John doesn't get all the groups assigned to him from the Postfix shell. SSH allows this group to be assigned to him"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 57, "seconds": 24}, "tag": "linux medium", "line": " Write access to apt.conf.d, creating a pre-invoke script which is a persistence technique to run code whenever apt is ran"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 61, "seconds": 4}, "tag": "linux medium", "line": " Showing the intended route of this box by editing a python script over SMB"}, {"machine": "HackTheBox - Writer", "videoId": "MkvDid7xO7o", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux medium", "line": " Using the Image Upload form as a SSRF in order to access the second web application listening on localhost"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": 
{"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux hard", "line": " Discovering the webserver is apache, despite nmap saying it is nginx"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Every request with /admin gets a 401, indication that nginx location may not end with /"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux hard", "line": " Doing the nginx lfi to grab apache server-stats and leak the /admin_staging/ directory"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux hard", "line": " Running gobuster in /admin_staging/ to discover more php scripts"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux hard", "line": " Testing index.php for lfi with a php filter"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Looking at the source and seeing it is using include() which allows for RCE if we can get it pointed at php code"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux hard", "line": " Playing with the LFI, eventually finding info.php which tells us open_basedir is set to /var/ which prevents the LFI from going out of that directory"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "linux hard", "line": " Using wfuzz with an LFI wordlist to search for files we can chain with this LFI, discovering ftp logs"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": 
{"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Poisoning the FTP log with a php reverse shell then using the LFI to trigger it"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "linux hard", "line": " Looking at the /opt/pokeapi directory to find a LDAP credentials"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "linux hard", "line": " Using ldapsearch to dump information out of the linux ldap server to get pwnmeow's credentials"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux hard", "line": " Using ftp with pwnmeow's credentials, then running linpeas"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 32, "seconds": 35}, "tag": "linux hard", "line": " Examining the CSVUpdate cron and finding a code injection vulnerability in the perl script"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux hard", "line": " Going over why perl will execute a variable starting or ending with | with an open() command"}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux hard", "line": " Creating a revers shell file that begins with | "}, {"machine": "HackTheBox - Pikaboo", "videoId": "4tXFHoeOytE", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Uploading our malicious file via FTP and getting root"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows medium", "line": " Start of nmap, discover Active Directory and a web server"}, 
{"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Doing some common checks against a Domain Controller"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Discovering PDF's with filenames based upon the date"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows medium", "line": " Building a customized wordlist based upon the date with the date command"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows medium", "line": " Downloading the PDF's with wget and then examining metadata"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "windows medium", "line": " Using Kerbrute to validate the usernames in the metadata are correct"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows medium", "line": " Using pdftotext to convert all the PDF's into text files, so we can grep through text"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows medium", "line": " Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfrom a passwordspray"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows medium", "line": " Running CrackMapExec Spider_Plus while we do some other CME things"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "windows medium", "line": " Running Python Bloodhound with the credentials we got from the password spray"}, {"machine": 
"HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows medium", "line": " Using JQ to parse the data from CME's spider_plus module to discover a powershell script"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "windows medium", "line": " Importing the bloodhound results and then searching for attack paths"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Discovering we probably need to get access to the SVC_INT GMSA (Group Managed Service Account)"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "windows medium", "line": " Going back over the powershell script we downloaded, and then creating a DNS Record with krbrelayx's dnstool"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 28, "seconds": 57}, "tag": "windows medium", "line": " Using dnstool to create an A Record on an Active Directory Server"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people that access our webserver (Responder also would work but was broke on my box)"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 36, "seconds": 35}, "tag": "windows medium", "line": " Using John to crack the ntlmv2 hash and gaining access to the Ted Graves account"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 42, "seconds": 19}, "tag": "windows medium", "line": " Using gMSA Dumper to extract the svc_int hash"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 43, 
"seconds": 43}, "tag": "windows medium", "line": " Using impacket's getST to generate a SilverTicket which we can use for impersonating an administrator"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows medium", "line": " Using NTPDate to syncronize the time to our domain controller"}, {"machine": "HackTheBox - Intelligence", "videoId": "Jg_BjkxdtsE", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows medium", "line": " Using our ticket with psexec to gain access to the server"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro the best box to practice SQL Union Injections but I may be bias"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Start of nmap discovering nginx with PHP"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Doing recon on the website"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux medium", "line": " Starting recon in the background GoBuster/SQLMap"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux medium", "line": " Manually examining the player submission page"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "linux medium", "line": " Manualling testing for SQL Injection, why its important to test with a query that returns data"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux medium", "line": " Testing for union injection, then pulling up MySQL Documentation and looking at the Information_Schema database"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", 
"timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux medium", "line": " Testing out the Union Injection by extracting a single database name"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Showing that we can return more than one row with the GROUP_CONCAT function"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Changing up the union to extract table and column information"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Prettying up the output by setting some delimiters with GROUP_CONCAT, then extracting data from the tables"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Submitting the flag and discovering our IP Address can now ssh into the box"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Using the LOAD_FILE command to extract files from the server, discovering credentials in the config.php file"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Using SSH to access the server and then looking at how the webserver allowed our IP Address access to the server"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Adding the X-FORWARDED-FOR header to our request to firewall.php and discovering command injection"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux medium", "line": " Changing our command injection from sleep to a reverse shell"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 17, 
"seconds": 10}, "tag": "linux medium", "line": " The www-data user can use sudo to run any command, using sudo to run a shell"}, {"machine": "UHC- Union", "videoId": "z5pdizHDvt8", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux medium", "line": " Going over my filter to break SQLMap"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Running nmap, doing all ports and min-rate"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Poking at the website to discover a static site"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux easy", "line": " Starting up a gobuster to do some recon in the background"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Discovering log_submit, and finding out it is vulnerable to XXE (XML Entity Injection)"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Verified it is vulnerable to XXE, attempting to extract a file"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux easy", "line": " Chaining a PHP Filter to convert files to base64, which lets us avoid bad characters and leak source"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux easy", "line": " Start of coding out a program to automate this LFI"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": 
{"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " XXE LFI POC Done, improving it by adding the cmd module"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux easy", "line": " Reading source code of pages, getting nothing"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "linux easy", "line": " Finding db.php from out gobuster, leaking the source and getting a password"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 22, "seconds": 5}, "tag": "linux easy", "line": " Grabbing /etc/passwd in order to build a userlist to password spray"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux easy", "line": " Using CrackMapExec (cme) to perform a password spray over SSH and discovering creds"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 23, "seconds": 35}, "tag": "linux easy", "line": " With shell on the box we can do sudo against a python file, doing some manual code analysis"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux easy", "line": " Switching to VSCode to debug our exploit script"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Exploit file works, copy it to our target and run it to get a root shell"}, {"machine": "HackTheBox - BountyHunter", "videoId": "5axsDhumfhU", "timestamp": {"minutes": 39, "seconds": 44}, "tag": "linux easy", "line": " Taking a step back and Verifying the bad characters in our XXE"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": 
"HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Begin of nmap "}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux medium", "line": " Browsing to the website and doing some light fuzzing"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Adding the uri_hex (url encoder) to our wfuzz to fuzz special characters"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux medium", "line": " Taking a look at port 8080, discovering gitbucket and registering an account"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux medium", "line": " Exploring the infra repository on gitbucket, going over its Ansible Scripts"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Taking a look at the Seal Market Repository and discovering NGINX has mutal auth configured"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Discovering tomcat credentials in a previous commit"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Going over an Orange Tsai SSRF Talk from 2018, showing the Tomcat SSRF when behind NGINX"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux medium", "line": " Testing the SSRF Exploit to discover we can hit protected pages"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Logging into tomcat, then 
showing another SSRF"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux medium", "line": " Using MSFVenom to generate a malicious war file to exploit tomcat"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned, uploading pspy to discover a cron running a playbook"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Going over the playbook to show how we can exploit this playbook to copy an ssh private key with a symlink"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Creating the symlink to extract the SSH Key"}, {"machine": "HackTheBox - Seal", "videoId": "wCfztTcioU8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux medium", "line": " SSH in with Luis, discovering we can run ansible with sudo, then creating a malicious playbook to run a reverse shell"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Start of nmap, downloading files over FTP"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows insane", "line": " The contents of all the PDF's don't really help. Using exiftool to extract authors."}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows insane", "line": " Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat doesn't support. 
Use downgrade to generate ETYPE 23 and crack the hash"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "windows insane", "line": " Going into what ETPE Means"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "windows insane", "line": " Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugin to dump files"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "windows insane", "line": " Doing some JQ Magic navigate the Spider_Plus data"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "windows insane", "line": " Converting the Outlook Message Files (MSG) to plaintext with msgconvert"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows insane", "line": " Running Restart-Oracle.exe with Process Monitor to find out the process is writing to a TEMP Directory"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows insane", "line": " Removing delete permissions on the Windows Temp Directory, so the Restart-Oracle program can't delete the files out of temp, finding based64 and getting another EXE"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows insane", "line": " Running the extracted executable with Process Monitor to discover it loads dotnet"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows insane", "line": " METHOD 1: Opening the extracted executable in x64debug, setting it to break upon EXIT then examining its memory to find the dotnet executable"}, {"machine": "HackTheBox - PivotAPI", 
"videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 38, "seconds": 48}, "tag": "windows insane", "line": " METHOD 1: Opening the dotnet in DNSPY to discover the password"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 40, "seconds": 25}, "tag": "windows insane", "line": " METHOD 2: Using API MONITOR to examine the API Calls the program makes and finding the password (Sorry for audio glitches here, chrome did weird things)"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 47, "seconds": 41}, "tag": "windows insane", "line": " Fixing the permissions on our TEMP Directory with icacls so our user can delete files again"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows insane", "line": " Using CrackMapExec to dump a list of all users because the Oracle credentials we got from reversing did not work."}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "windows insane", "line": " Discovering the MSSQL User and changing oracles password scheme to fit MSSQL"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 55, "seconds": 25}, "tag": "windows insane", "line": " Downloading Alamot's MSSQL_Shell and getting a shell on the box (unintended way, do more with this at the end)"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "windows insane", "line": " Downloading and running MSSQL Proxy, which will let us create a SOCKS Proxy through the MSSQL Service"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 72, "seconds": 10}, "tag": "windows insane", "line": " Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a shell on the box, then downloading and cracking a Keypass Database"}, {"machine": 
"HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 80, "seconds": 40}, "tag": "windows insane", "line": " Using SSH to get into the box, the trick here is telling our SSH Client to not use public key authentication"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 82, "seconds": 15}, "tag": "windows insane", "line": " Running Bloodhound.py to get Bloodhound data from Active Directory"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 87, "seconds": 20}, "tag": "windows insane", "line": " Examining bloodhound data to discover our user can reset passwords on several users, and showing Dr.Zaiuss can reset Superfume... Resetting each password to get to Superfume then downloading another exe out of developers"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "windows insane", "line": " Using DNSpy to edit the compiled dotnet program to print the password after it decrypts it"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 99, "seconds": 50}, "tag": "windows insane", "line": " Back to bloodhound with the new credential! 
Discovering Jari can reset Gibdeon who can add groups to LAPS"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 106, "seconds": 0}, "tag": "windows insane", "line": " Loading PowerView up in Evil-WinRM and Bypassing AMSI, then resetting Gibdeon's pw and adding him to groups"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 113, "seconds": 30}, "tag": "windows insane", "line": " Attempting to get the LAPS Password with Get-ADComputer and failing"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 115, "seconds": 20}, "tag": "windows insane", "line": " Using a Python Program to dump LAPS Password, then using PSExec to log into the box as administrador!"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 120, "seconds": 15}, "tag": "windows insane", "line": " Unintended method! Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg "}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 127, "seconds": 20}, "tag": "windows insane", "line": " Copying the ticket and using TicketConverter to conver the ticket from KIRBI to CCACHE then setting KRB5CCNAME to the ticket and having impacket use the ticket"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 130, "seconds": 32}, "tag": "windows insane", "line": " Impacket doesn't work because of clock skew, it doesn't tell us the error, showing CrackMapExec will display the error"}, {"machine": "HackTheBox - PivotAPI", "videoId": "FbTxPz_GA4o", "timestamp": {"minutes": 131, "seconds": 10}, "tag": "windows insane", "line": " Using NTPDate to sync our time to the AD Server, then running secretsdump"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackThebox - Explore", 
"videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux easy", "line": " Weird SSH Banner saying its Banana Studio, google tells us this is Android"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Doing a script scan against all open ports, and googling what each open port is"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux easy", "line": " Port 59777, brings us to ES File Explorer which has an exploit out"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 5, "seconds": 16}, "tag": "linux easy", "line": " Running the ES File Explorer exploit with getDeviceInfo to confirm it works"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Listing files, pictures, and eventually downloading a picture"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Opening the picture reveals some credentials, can ssh into the box with them"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Installing ADB, so we can do adb connect to port 5555"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Setting up an SSH Port forward so we can access port 5555"}, {"machine": "HackThebox - Explore", "videoId": "ptJIUHQa4zM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Extra Content: Playing with the exploit script to understand what it 
does"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro Hacking a Command and Control Server"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 1, "seconds": 7}, "tag": "linux hard", "line": " Running nmap and discovering two different SSH Instances, guessing one is Docker"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Looking at robots.txt which includes a link to the implant, looking at the error message and discovering its a cpp binary"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Using Wireshark to discover it makes a DNS Request to Spooktrol.htb, then walking through the C2's handshake"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux hard", "line": " Using BurpSuite and socat to proxy the connection of our binary"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " Using BurpSuites find and replace to edit the Task that is getting to our C2"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Opening up the binary in Ghidra"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "linux hard", "line": " Looking at the decompiled output for the main function, which calls Spooky. 
Setting a break point on the XOR Function and discovering the first flag"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux hard", "line": " Discovering the Case Statement and analyzing Task number 1 (Exec)"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Stepping through each other task to discover what each function does"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " The Perform Upload function builds a curl command"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux hard", "line": " Breaking after the curl string is assembled to show the full command it runs (Using BurpSuite to get to this part of the code)"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux hard", "line": " Accessing Task 3 a different way, breaking at the switch statement and editing the JMP."}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "linux hard", "line": " Editing the filename in the PUT Command to perform directory traversal and upload an SSH Key"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux hard", "line": " Logging into the C2, and inspecting the database to discover another beacon is running, which is on the Host Operating System"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Inserting a task into the database to ask the rogue beacon to execute a reverse shell for us"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 39, "seconds": 25}, "tag": "linux hard", 
"line": " Extra Content: Exploiting the box with no reverse engineering! Using an LFI to dump the source code to the application"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " The server.py file has been leaked, grabbing all the other python scripts"}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "linux hard", "line": " The application is now running on our box! Can identify the file upload functionality and how to exploit it."}, {"machine": "UHC - Spooktrol", "videoId": "pc-_tK6CWnA", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Extra Content: Going over the CPP code which shows how the implant works."}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux hard", "line": " Adding spider.htb to our host file so we can access the domain name"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Playing with the registration of the website and examining the cookie"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Putting a bunch of bad characters for our username and discovering odd behaviors"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux hard", "line": " Dumping the configuration via SSTI, can't do a complex SSTI due to username limit"}, {"machine": "HackTheBox - Spider", "videoId": 
"7vWY60pARUQ", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " We have the cookie secret, using Flask-Unsign to create malicious cookies and discover SQL Injection"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux hard", "line": " Sending our SQL Injection Payload to the server and confirming it is SQL Injectable"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 18, "seconds": 5}, "tag": "linux hard", "line": " Using the Eval Parameter of SQLMap to have SQLMap Sign the payloads it sends and dump the database"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux hard", "line": " Getting Chiv's password from SQLMap then logging into the web application"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Testing SSTI on the admin panel that we got to from Chiv and discovering a WAF (Web Application Firewall)"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "linux hard", "line": " Using wfuzz to enumerate the bad characters which trigger the WAF"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Playing with wfuzz encoders to URLEncode everything from our wordlist"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux hard", "line": " Obfuscating our SSTI Payload so the bad characters are not present and getting a reverse shell"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", 
"timestamp": {"minutes": 41, "seconds": 10}, "tag": "linux hard", "line": " Using SSH to setup a port forward which allows us to hit 127.0.0.1:8080 on the remote host"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux hard", "line": " Examining the authentication cookie and discovering a XML within the cookie"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Testing for XML Entity Injection"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Using Payload All The Things to help us craft an XML Entity Injection payload to read files"}, {"machine": "HackTheBox - Spider", "videoId": "7vWY60pARUQ", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "linux hard", "line": " Grabbing the SSH Private Key via XML Entity Injection and logging in as root"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap discovering the distribution of Ubuntu based upon SSH Headers"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux medium", "line": " Looking at the WebPage and discovering credentials"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux medium", "line": " Checking No-IP's documentation for updating Dynamic DNS Names"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Using Curl to create a dynamic DNS Name"}, {"machine": "HackThebox - Dynstr", "videoId": 
"csxP6Vpp5js", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux medium", "line": " Testing for Command Injection"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "linux medium", "line": " Enumerating the bad character and explaining why we could not use periods"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux medium", "line": " Converting the IP Address to a format that won't have periods (Hex)"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Reverse Shell returned, checking out the web source"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux medium", "line": " Discovering hosts from *.infra.dyna.htb can ssh into the box if there is a private key and finding the private key in the support directory"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux medium", "line": " Using SSH-Keygen to get the SSH Keys fingerprints to make sure private and public key match"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Attempting to create the DNS Record with the DNS Key that was in the web source"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 36, "seconds": 35}, "tag": "linux medium", "line": " Finding a second DNS Key, which can update Infra's subdomains"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux medium", "line": " SSH in as bindmgr and discover we can execute a bash script with sudo, exploiting a wild card argument"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", 
"timestamp": {"minutes": 45, "seconds": 35}, "tag": "linux medium", "line": " Testing the cron without doing anything malicious"}, {"machine": "HackThebox - Dynstr", "videoId": "csxP6Vpp5js", "timestamp": {"minutes": 47, "seconds": 55}, "tag": "linux medium", "line": " Creating the file --preserve=mode, which the cp command will treat as an argument letting us drop a SetUID Binary and have it owned by root"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 3, "seconds": 5}, "tag": "linux hard", "line": " Looking at the webste, getting a VirtualHost and then navigating to the page and confirming Wordpress"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux hard", "line": " The wp-content/plugins directory doesn't have an index, don't even need to use wpscan"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "linux hard", "line": " Testing the LFI with the plugin"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux hard", "line": " Using wpscan to enumerate wordpress users"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Explaining the /proc/ directory and why we can use this to enumerate running processes "}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 13, "seconds": 44}, "tag": "linux hard", "line": " Creating a curl script to enumerate all running processes on the box"}, {"machine": 
"HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux hard", "line": " Pulling apache's configuration to discover another virtual host"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux hard", "line": " Trying the wordpress credentials in cacti for password re-use and then exploiting Cacti with a CVE to get a shell"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Manually enumerating the SQL Databases, using /G to select large amounts of data in a human readable format"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux hard", "line": " Discovering the .backup directory in Marcus's home but we can't list contents. Grepping directories for .backup to see if any files are referenced"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "linux hard", "line": " SSH with the Marcus user and a quick refresher on SSH Port Forwarding"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Using gobuster to discover Apache OfBiz was running on 8443"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Using ysoserial to exploit Apache OfBiz via java deserialization"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "linux hard", "line": " Shell returned on the container! 
We are root doing some light enumeration to discover cap_sys_module"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux hard", "line": " Compiling the LKM to get a reverse shell"}, {"machine": "HackTheBox - Monitors", "videoId": "-loZwD39ifc", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Inserting the kernel module and getting root on the box"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Showing malleable c2 configs"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "", "line": " Creating a Hello World in C++ then creating a 2000 byte variable"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 10, "seconds": 25}, "tag": "", "line": " Adding JSON Support to our program"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Creating a Struct and function to initialize the config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " Having our main function parse the config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "", "line": " Not sure what happened to my config.h, retyping it"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " JSON Parsing done"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 22, "seconds": 
30}, "tag": "", "line": " Creating a Python Program to replace the embedded config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " XOR'ing our config in python so we avoid strings"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "", "line": " XOR'ing in our agent to read the \"encrypted\" config"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 34, "seconds": 34}, "tag": "", "line": " Opening it up in Ghidra and doing some extremely light reversing"}, {"machine": "DIY C2 - Malleable Agent Config", "videoId": "FiT7-zxQGbo", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "", "line": " Showing what happens if we strip the binary"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap and doing some recon against FTP"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux easy", "line": " Having trouble finding a release date, using WGET and examining metadata to see how old a page is"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Examining the web applicaiton"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Testing and finding the IDOR Vulnerability"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Examining the PCAP Downloaded through the IDOR Vulnerability to find FTP Creds"}, {"machine": 
"HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 12, "seconds": 12}, "tag": "linux easy", "line": " SSHing into the box with the credentials from FTP"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Running LINPEAS, examining the source code of the webapp while it runs"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Going over the LINPEAS output finding python has the ability to setuid"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux easy", "line": " Using the os libary to setuid to root"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Showing off zeek which would help analyze larger pcaps"}, {"machine": "HackTheBox - Cap", "videoId": "O_z6o2xuvlw", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux easy", "line": " Changing the Zeek FTP Configuration to show passwords."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro going over the attack chain, SSRF to Protocol Smuggling to OMIGod"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 1, "seconds": 17}, "tag": "linux hard", "line": " Using nmap and then checking out the website and adding the DNS Names to our host file"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux hard", "line": " Running GoBuster to discover the /docs directory, which is swagger documentation"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Reading the documentation and explaining JARM Signatures"}, {"machine": "UHC - 
Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux hard", "line": " Explaining the front-end which just makes accessing the backend pretty"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Using Shodan to search JARM Hashes, which would be useful if you're looking for specific attack servers or collisions"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "linux hard", "line": " Dumping all the JARMS by abusing sequential ID's with a for loop and curl"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 14, "seconds": 4}, "tag": "linux hard", "line": " Whoops... Copied the wrong JARM, this was not cobalt strike lol."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Running ncat with ssl, and checking if it is malicious... 
It's not malicious because the metadata was not there"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux hard", "line": " Using metasploit to show it would detect it as malicious"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "linux hard", "line": " Using IPTables to change the port on every 11th request with iptables -I PREROUTING -t NAT -p tcp --dport 443 -d 192.168.1.230 -m statistic --mode nth --every 11 --packet 10 -j REDIRECT --to-port 8443"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Showing Gopher connecting to our ncat "}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "linux hard", "line": " Finding a way to enumerate ports listening on localhost and discovering 5985 and 5986 are open"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 26, "seconds": 5}, "tag": "linux hard", "line": " Using wfuzz to bruteforce all ports (1-65535)"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Downloading the OMIGod Exploit to grab the payload which we will use later"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Using openssl to generate private certificates for our python webserver."}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "linux hard", "line": " Creating a python webserver that listens on https"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux hard", "line": " Testing adding a Gopher HTTP Redirect on our custom python webserver "}, {"machine": "UHC - Jarmis", "videoId": 
"R5aNxdD0_bs", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux hard", "line": " Explaining that Gopher adds two bytes to the end of the Smuggled Request"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux hard", "line": " Using burpsuite to build the payload for us and convert it all to URL Encoding"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Updating our payload to have the correct URL for our gopher request "}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Showing how to reset the iptables counter"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 46, "seconds": 40}, "tag": "linux hard", "line": " Showing how to do this exploit with Metasploit by coding a listener"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Debugging the MSF Module we created"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 56, "seconds": 10}, "tag": "linux hard", "line": " Our MSF Module is done, running our listener and viewing all its headers"}, {"machine": "UHC - Jarmis", "videoId": "R5aNxdD0_bs", "timestamp": {"minutes": 60, "seconds": 50}, "tag": "linux hard", "line": " Pasting our MSF Url into burpsuite and getting a reverse shell"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro the important thing about this box is recon"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "linux medium", "line": " Start of nmap discovering an nginx server header"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 4, "seconds": 
25}, "tag": "linux medium", "line": " The SSL Certificate leaks an important hostname"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Running an SNMPWalk which has a bunch of important information, notably the HTML Directory"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "linux medium", "line": " Discovering the SeedDms51x Directory, trying to enumerate version (Failing)"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux medium", "line": " Creating a python script to help with bruteforcing"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux medium", "line": " Script done, looking at SNMP to get other usernames"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Brutefocing michelle's password to get in and seeing the SeedDMS Version"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " The SeedDMS Patch used htaccess, server is nginx so its still vulnerable. Uploading a shell"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Grabbing the MySQL Password from SeedDMS Config and trying it against other services. 
Gain access to cockpit which gives access to michelle user"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux medium", "line": " The SNMP is executing a program every time snmp is ran, we can trick SNMP to execute our code to get root"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Start of Explaining SELinux"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 3600, "seconds": 40}, "tag": "linux medium", "line": " SELinux Using audit2why to show us why reverse shells were blocked from reverse shells"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 4080, "seconds": 50}, "tag": "linux medium", "line": " SELinux Checking why SNMP could not read /root/root.txt"}, {"machine": "HackTheBox - Pit", "videoId": "IF5uhe1qR2I", "timestamp": {"minutes": 81, "seconds": 11}, "tag": "linux medium", "line": " Explaining more about the SNMP vectors of this box"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro, how to install and configure auditd"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Installing Auditd"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Downloading a good baseline ruleset from github "}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Going over the baseline file to understand how logging works"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", 
"videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " What the -p flag does with files. Logging read/write/execute/attribute change events"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " If you want CWD in your logs, uncomment this line"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Logging priv_esc events"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "", "line": " Excluding system accounts from log captures"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "", "line": " Fun detections to find recon and suspicious activity"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "", "line": " Logging when users fail to access files in special directories"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 24, "seconds": 16}, "tag": "", "line": " Running the omigod exploit and getting a reverse shell echo/base64"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "", "line": " Running ausearch to detect what we had done by searching for commands ran by root"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " Using some bashfu to show only commands ran by a ppid"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging 
with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Looking for the suspicious activity"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "", "line": " Analyzing a detection rule for this and understanding the importance of not excluding CWD from logs"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 34, "seconds": 15}, "tag": "", "line": " Checking if mkfifo is detected... yep"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "", "line": " Installing Laurel to convert Auditd's multiline format to singleline JSON"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Installing Rust then compiling Laurel"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "", "line": " Removing End Of Event from Auditd config to see if that fixes the Laurel bug (IT DOES!)"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 46, "seconds": 56}, "tag": "", "line": " Viewing our Auditd logs in JSON Format! 
SIEMS will love this!"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "", "line": " Going over aureport to show some things"}, {"machine": "Detecting Exploits - OMIGod (Linux Logging with Auditd)", "videoId": "lc1i9h1GyMA", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "", "line": " Looking for why we have so many syscall failures"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux insane", "line": " Start of nmap, finding version of gunicorn is from 2019"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux insane", "line": " Enumerating the Gitea version (the 404 error page shows it)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux insane", "line": " Trying to find the Gitea version another way (HTTP Files)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux insane", "line": " Downloading jquery.js, grabbing the md5, then using VirusTotal to get an idea when it was released"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux insane", "line": " Looking at the second website (Running on gunicorn)"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux insane", "line": " Testing for IDOR Vulnerabilities in the /notes/, can confirm a note exists but not read anything"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux insane", "line": " Start of 
explaining the HTTP Smuggling"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux insane", "line": " Adding non-ascii characters to Burpsuite Requests via Base64 Decoding"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux insane", "line": " Explaining HTTP Chunking"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Smuggling request created, re-explaining the attack and importance of Content-Length"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "linux insane", "line": " Sending the Smuggling request in BurpSuite then getting the cookie of another user"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux insane", "line": " Explaining why the attack is unreliable in BurpSuite then using Python to do it"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux insane", "line": " The administrator can read three new notes with some saved credentials. 
Logging into Gitea"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux insane", "line": " Looking at git history to find an SSH Key, then logging into the server"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 49, "seconds": 40}, "tag": "linux insane", "line": " Enumerating AWS using the CLI"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "linux insane", "line": " Enumerating AWS logs using the CLI to identify some secret rotation events"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "linux insane", "line": " Enumerating AWS SecretsManager using the CLI to get another users password"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "linux insane", "line": " Utilizing AWS KMS to Decrypt a file"}, {"machine": "HackTheBox - Sink", "videoId": "8gf5YvvY1yc", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux insane", "line": " Extra Content, explaining some unique iptables routing that went into this box to make it stable"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of installing OMI Locally"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Downloading the exploit, but get a connection error because it cannot talk to OMI"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "", "line": " Editing the OMI Configuration to set it to listen on 5986"}, {"machine": 
"Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "", "line": " The exploit still isn't working debugging to find it is missing a namespace"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "", "line": " Finding the SCX Package Name and using a Index.Of Google Dork to find it on an open HTTP directory"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Installing the SCX Agent and getting code execution"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 11, "seconds": 13}, "tag": "", "line": " Setting the exploit to go through BurpSuite so we can understand how it works"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Going over the blog post to understand why it was vulnerable"}, {"machine": "Playing with Exploits - OMIGod", "videoId": "TXqi1BKtcyM", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "", "line": " Talking about how the researchers may have found it. MS Patched it without major announcement and it was in the Git Changelog!"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro, sorry for double upload. 
First one missed the last 5 minutes."}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "linux easy", "line": " Start of nmap, discovering SSH/HTTP are different operating systems"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Testing the website"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Intercepting the registration and testing for SQL Injection on the Country"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 4, "seconds": 19}, "tag": "linux easy", "line": " Discovering a static cookie is returned that is a MD5Sum of the UserName"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux easy", "line": " Our single quote country caused an Second Order SQL Injection testing Union Injection"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 8, "seconds": 8}, "tag": "linux easy", "line": " Using our Union Injection to drop a webshell"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Revrse Shell Returned"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux easy", "line": " Getting the database password out of the webconfig, and its also the root user"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Explaining how I gave \"dedicated\" containers to each player"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 13, "seconds": 35}, "tag": "linux easy", "line": " Going over the Kernel Module I wrote to do routing based upon the last 
octet of an IP Address"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux easy", "line": " Going over the code around SQL Injection and how to do prepared statements in PHP with SQL"}, {"machine": "UHC - Validation", "videoId": "UqoVQ4dbYaI", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Creating middleware with Flask so SQLMap can exploit this second order sql injection"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro FreeBSD Box"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux medium", "line": " Start of nmap explaining why versions are useful"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 4, "seconds": 54}, "tag": "linux medium", "line": " Discovering hostname on the box, then adding it to our host file"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Using GoBuster to bruteforce virtual hosts and discovering moodle"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux medium", "line": " Searching Moodle on github to find a way to identify Moodle Version"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 11, "seconds": 27}, "tag": "linux medium", "line": " Reading the Moodle Security Announcements since the Moodle Version"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux medium", "line": " Enrolling in the Math Course the announcement hints at XSS"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", 
"line": " Testing for XSS in our Moodle Net Profile"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "linux medium", "line": " Changing our HTML to load an external script and then stealing cookies via document.write"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Performing CVE-2020-14321 to escalate from Teacher to Manager in moodle"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux medium", "line": " Enabling plugin installation, then uploading a malicious moodle plugin"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux medium", "line": " Pulling ht MySQL Password from Moodle's configuration and then cracking hashes for users"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "linux medium", "line": " SSH as Jamie, and then using gtfobins and fpm to privesc without setting up a repository"}, {"machine": "HackTheBox - Schooled", "videoId": "bUfZlBMFJ2I", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "linux medium", "line": " Doing the privesc the intended way by setting up a pkg repository"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", 
"line": " Downloading and installing the deb package with dpkg, then fixing the host file"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "linux hard", "line": " Running wireshark when examining the unobtainium application then examining the HTTP Requests"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "linux hard", "line": " Proxying the unobtainium app through Burpsuite by creating a new proxy listener and updating the host file"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "linux hard", "line": " Playing with the LFI on /todo and discovering we can only cause errors or include files in the local directory"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " Using FFUF to attempt to find other JS Files with this LFI"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux hard", "line": " Copying the index.js source code and looking for vulnerabilities"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " Discovering hard coded credentials, examining the administrator password to see there would be too much entropy to bruteforce"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux hard", "line": " Analyzing the upload functionality to discover an RCE if we can upload"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Discovering a merge command and looking up Prototype Pollution to potentially update our user object with the upload 
permission"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Giving ourself the Upload Functionality then performing the RCE in Upload"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 25, "seconds": 53}, "tag": "linux hard", "line": " Ping works, now lets get a reverse shell"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Reverse shell returned, confirming we are in kubernetes downloading peirates and kubectl"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 32, "seconds": 49}, "tag": "linux hard", "line": " Using kubectl to do basic enumeration of kubernetes, switching our namespace then listing pods"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "linux hard", "line": " Demonstrating Peirates which makes the enumeration of kubernetes easier by providing a menu to list/switch namespaces and get pods"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux hard", "line": " Exploiting the same application in dev which gets us a different kubernetes token"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "linux hard", "line": " Doing the enumeration with kubectl again but this time we can utilize the Kube-System namespace to list secrets and taking an admin token"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux hard", "line": " Using our stolen token and discovering we can create pods using kubectl auth can-i create pods -n kube-system -token=(token)"}, {"machine": "HackTheBox - Unobtainium", "videoId": 
"UgHt_Y3vdNg", "timestamp": {"minutes": 44, "seconds": 22}, "tag": "linux hard", "line": " Explaining the attack we are about to do to create a pod with host disk mounted in the pod, then doing it in Peirates"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Looking at the Peirates source code to see how the attack works"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux hard", "line": " Doing the attack manually with kubectl"}, {"machine": "HackTheBox - Unobtainium", "videoId": "UgHt_Y3vdNg", "timestamp": {"minutes": 52, "seconds": 55}, "tag": "linux hard", "line": " The malicious pod is created now lets go into it and look at the root disk"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro, box is playable on HackTheBox!"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 1, "seconds": 9}, "tag": "linux medium", "line": " Start of nmap and enumerating the page on port 80"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux medium", "line": " Discovering Port 8080"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux medium", "line": " Using ffuf to fuzz and discover SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux medium", "line": " Showing wfuzz doesn't need nearly as many parameters"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux medium", "line": " Reading up on GoLang SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Using GoLang {{ . 
}} to dump all variables and get password"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 11, "seconds": 54}, "tag": "linux medium", "line": " Logging in to get the Source Code and finding the DebugCmd Function"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Showing RCE through the GoLang SSTI"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " The Docker is an internal docker, showing a bunch of hints towards AWS"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Using the aws commands to list buckets and upload a webshell via S3"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux medium", "line": " Getting a reverse shell"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Examining the NGINX Configuration -- LocalStack (used for s3) hack to enable authentication"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 26, "seconds": 26}, "tag": "linux medium", "line": " The \"Command on\" flag is for port 8000 in nginx config, googling it to see its a backdoor (NginxExecute)"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 28, "seconds": 28}, "tag": "linux medium", "line": " The backdoor isn't working, running strings against the module to see system.run was changed to ippsec.run and getting RCE as root"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Converting the RCE to a shell by uploading an SSH Key"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 33, "seconds": 40}, 
"tag": "linux medium", "line": " Entering the golang container to show some more about the SSTI Configuration, hoping to make the first step make sense"}, {"machine": "UHC - Gobox", "videoId": "sbUqjCPDk2k", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux medium", "line": " Opening the nginx module in Ghidra"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux easy", "line": " Running GoBuster before we start poking at the site"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 3, "seconds": 33}, "tag": "linux easy", "line": " Discover the x-powered-by header says its a weird php version, going to google"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 4, "seconds": 5}, "tag": "linux easy", "line": " Finding a blog post about php-8.1.0-dev being backdoored"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Looking at the backdoor"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 5, "seconds": 55}, "tag": "linux easy", "line": " Failing to use the backdoor because of a bad header"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 8, "seconds": 24}, "tag": "linux easy", "line": " Finding the issue, the backdoor uses the header User-Agentt (note the two t's)"}, {"machine": "HackTheBox - Knife", "videoId": "93JnRTF5sQM", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux easy", "line": " Shell returned"}, {"machine": "HackTheBox - Knife", "videoId": 
"93JnRTF5sQM", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "linux easy", "line": " Discovering we can run knife with sudo, and finding a GTFOBin"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows hard", "line": " Start of nmap and checking the website"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows hard", "line": " Looking at the web console which shows the page making a request to Products-Ajax.php then playing with the parameters"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "windows hard", "line": " If the hash parameter is missing the application errors and leaks the secret key and identifying how it signs"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows hard", "line": " Using SQLMaps Eval parameter to automate the secure hash generation (Calculated Parameter Bypass)"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows hard", "line": " Logging into the application with a password from the database and discovering a LFI"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "windows hard", "line": " Creating a python script to automate the LFI Exploitation"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows hard", "line": " Script done attempting to perform RFI"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows hard", "line": " Another Stack Trace, 
identifying a race condition in their check for examining malicious php files"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows hard", "line": " Using SMB to steal the hash of the user running the webserver"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Exploiting the race condition with inotify to get the server in order to execute our PHP Code"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "windows hard", "line": " Reverse shell returned! Finding the GoLang Program"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "windows hard", "line": " Opening the binaries in Ghidra (prior to installing the golang plugin)"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows hard", "line": " Installing GoTools to make reversing goland suck less"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "windows hard", "line": " Start of reversing the client binary, explaining some golang oddities"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "windows hard", "line": " Running the programs on our local windows machine to identify if we reversed it correctly"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "windows hard", "line": " Back to Ghidra and reversing server.exe to see what it does to clean files"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 79, "seconds": 50}, "tag": "windows hard", "line": " Using IO Ninja Pipe Monitor to snoop in on the pipes"}, {"machine": 
"HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 87, "seconds": 50}, "tag": "windows hard", "line": " METHOD 1: Stealing the flag by cleaning, copying off, then decrypting locally"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "windows hard", "line": " METHOD 2: Creating symlinks to trick the server in copying root.txt to a directory we own"}, {"machine": "HackTheBox - Proper", "videoId": "yqNSTM9oGZE", "timestamp": {"minutes": 110, "seconds": 15}, "tag": "windows hard", "line": " METHOD 3: Tricking server.exe into writing into system32, then using WerTrigger to elevate privileges"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " Start of nmap and poking at website. 
Browser Developer Window shows WebSockets + Hostname"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "linux insane", "line": " Setting up full portscan and gobuster while we poke at the box, to always have recon running"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux insane", "line": " Ussing ffuf to fuzz for emails (Forgot to set header here, we look at it later)"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux insane", "line": " Playing with the websockets in BurpSuite, discovering SQL Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux insane", "line": " Creating a python program to aid our SQL Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux insane", "line": " SQL Injection: Enumerating information_schema to pull out table information"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux insane", "line": " Going back to test our previous ffuf to find out i forgot the header flag"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux insane", "line": " Using ffuf to fuzz parameters for the passwordreset php script and trying the token from Sql Injection"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux insane", "line": " Enumerating our SQL Users permissions and then including files"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux insane", "line": " RelayD configuration shows a new 
domain crossfit-club.htb, failing to sign up with an account"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 57, "seconds": 40}, "tag": "linux insane", "line": " Using grep to extract /api/ endoings from javascript files"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " Discover the signup endpoint, only administrators can create accounts."}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Grabbing unbound secret keys which will let us create DNS Entries on the box"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 70, "seconds": 8}, "tag": "linux insane", "line": " Creating a domain name with unbound and then editing the Host header in the password reset"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 73, "seconds": 0}, "tag": "linux insane", "line": " Explaining the DNS Rebind attack to get around the server examining our DNS Name"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "linux insane", "line": " Start of XSS to have the user register an account for us"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 86, "seconds": 40}, "tag": "linux insane", "line": " Hitting the start of our XSS to debug, explain bypassing CORS based upon not escaping the period in the URL"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 94, "seconds": 20}, "tag": "linux insane", "line": " Changing our unbound request to use a domain name that bypasses CORS "}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 97, "seconds": 15}, "tag": "linux insane", "line": " Appending a slash to 
the host header to bypass a regex"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 99, "seconds": 5}, "tag": "linux insane", "line": " The final XSS Payload to have an administrator create an account for us. Checking out the chat applicaiton"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "linux insane", "line": " Start of creating XSS to steal Direct Messages from chat application"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 111, "seconds": 0}, "tag": "linux insane", "line": " Creating a second account, so we can examine how DM's work in the chat application (use wireshark to do this)"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 114, "seconds": 50}, "tag": "linux insane", "line": " Finishing off the XSS Script to steal DM's by hooking private_recv"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 121, "seconds": 10}, "tag": "linux insane", "line": " Finding a message that contains a password and SSHing into the box"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 123, "seconds": 50}, "tag": "linux insane", "line": " Using find to show files owned by a group"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 125, "seconds": 0}, "tag": "linux insane", "line": " Examining the Statbot NodeJS Script, then exploiting a library injection vulnerability"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 132, "seconds": 30}, "tag": "linux insane", "line": " Reverse shell returned, finding another binary to reverse"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 136, "seconds": 20}, "tag": "linux insane", "line": " Going over why i hate reversing BSD Binaries, 
comparing Ghidra and Cutter decompiler output"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 143, "seconds": 15}, "tag": "linux insane", "line": " Viewing backups on BSD and discovering root's ssh key is being backed up to /var, so the log binary can read it!"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 145, "seconds": 0}, "tag": "linux insane", "line": " SSH is still asking for a password after using SSH Key, confirming it accepted our key, then viewing sshd/login config on BSD to see what its asking for"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 147, "seconds": 0}, "tag": "linux insane", "line": " Downloading YubiKey Secrets then failing to get it to generate a key for a bit"}, {"machine": "HackTheBox - Crossfit2", "videoId": "OUjdPa11tGw", "timestamp": {"minutes": 163, "seconds": 0}, "tag": "linux insane", "line": " Using YKPARSE to examine our key, then change the session and generate a valid MFA"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "linux easy", "line": " Running nmap against all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "linux easy", "line": " Attempting to enumerate the initial web page (Voting System)"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux easy", "line": " Nmap finished, checking staging.love.htb from the SSL Certificate"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux easy", "line": " Finding an SSRF Vulnerability in the file scanner"}, {"machine": "HackTheBox - Love", "videoId": 
"V_7ubkfnPK4", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Having trouble using WFUZZ to fuzz all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " Switching to FFUF and still having trouble to fuzz all ports"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Fuzzing takes too long, trying ports from nmap to see if any page is restricted by IP and findig creds"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux easy", "line": " Attempting to use an exploit script for Voting System (More at end of video)"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux easy", "line": " Enough with the exploit script, manually exploiting the application with an image upload"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 43, "seconds": 43}, "tag": "linux easy", "line": " Using Nishang to get a reverse shell, then running WinPEAS"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "linux easy", "line": " Seeing AlwaysInstallElevated is set on the system, using msfvenom to build an msi"}, {"machine": "HackTheBox - Love", "videoId": "V_7ubkfnPK4", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "linux easy", "line": " Box Done - Going back to the exploit script and getting it working"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Start of nmap "}, {"machine": "HackTheBox - TheNotebook", 
"videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Checking out the webpage, trying to identify the language running the page"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux medium", "line": " Exploring how Add Note works and testing SSTI/SQL/XSS"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Checking out the cookie to see how the JWT is encoded"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " JWT.IO shows the JWT is RS256 and there's a URL for the privKey"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Editing the PrivKEy, I'm not sure why i didn't do this within the JWT.IO website..."}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux medium", "line": " Confirming the server goes to us to get the PrivateKey"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux medium", "line": " Using ssh-rsa/openssl to create a RSA Key and forging the JWT"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 14, "seconds": 55}, "tag": "linux medium", "line": " Exploring the IDOR Vulnerability to see if unauthenticated users can access notes"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux medium", "line": " Uploading a PHP File to confirm code execution then a reverse shell."}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 21, "seconds": 23}, "tag": 
"linux medium", "line": " Identifying when the box was created by looking at SSH Host Keys, then using find to list files created around that time"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " My reverse shell keeps crashing, doing the finds without the PTY Trick to find a backup that has an SSH Key"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " SSH into the box with the SSH Key and discovering we can use sudo to access Docker"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux medium", "line": " Exploring the docker for sensitive information that could be used to access other users on the box "}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "linux medium", "line": " Looking at the Docker Version to see it from 2018 and finding a vulnerability"}, {"machine": "HackTheBox - TheNotebook", "videoId": "S4FrlMTY0GY", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux medium", "line": " Performing CVE-2019-5736 to get root"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux easy", "line": " Start of the box, showing a quick way to nmap"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Looking at web page"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Looking for Drupal Scanners"}, {"machine": "HackTheBox - Armageddon", 
"videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Showing how I would fingerprint opensource apps if there was no scanner"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Using DroopeScan to scan the site"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Starting to use Drupalgeddon2 to get a shell"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux easy", "line": " Installing gems so DrupalGeddon works"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "linux easy", "line": " Drupalgeddon2 works, going from a webshell to reverse shell"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Confused about OSError: out of pty devices when improving the shell, give up eventually"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux easy", "line": " Looking for users on the box, then hunting for the Drupal configuration"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux easy", "line": " Cannot find the drupal configuration, going to google and asking for how to change the SQL Password"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "linux easy", "line": " Logging into the Drupal MySQL Database then dumping the Drupal Hash but have trouble getting it to work since we don't have a TTY"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 29, "seconds": 0}, 
"tag": "linux easy", "line": " Cracking the Joomla Password, then testing the password with ssh and logging in"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Our user can install Snap Packages with sudo, so building a malicious snap"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Installing FPM which lets us build packages, building a lot of bad packages until we find one that works"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux easy", "line": " Our malicious packages aren't working, switching to a non-malicious one to test the exploit"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 40, "seconds": 16}, "tag": "linux easy", "line": " Having our snap attempt to grab the root flag, turns out i was just impatient before"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 43, "seconds": 43}, "tag": "linux easy", "line": " Moving bash to avoid system directories and setting it to setuid"}, {"machine": "HackTheBox - Armageddon", "videoId": "8ikdbyOQsLg", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux easy", "line": " Explaining what snap is"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows hard", "line": " Poking at the website"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 5, 
"seconds": 20}, "tag": "windows hard", "line": " Quickly testing for SQL Injection and coming up with nothing"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Creating an account and checking what regular users can do"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "windows hard", "line": " Using BurpSuite Sequencer to identify low entropy within login cookies"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows hard", "line": " Finding the 302 redirect still outputs the page, its just that the browser doesn't want to show it"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "windows hard", "line": " Creating a simple PHP File to be uploaded"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "windows hard", "line": " Finding the /books/ url and checking the book search page again to find LFI"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows hard", "line": " Building a quick python script to automate the LFI"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "windows hard", "line": " Windows is really weird with SSH, need to disable PubKeyAuth in order to login with a password"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows hard", "line": " Looking at the fileController php file to see who can upload files"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows hard", "line": " Looking 
around the source code to examine how PHP Sessions are built, so we can impersonate Paul"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 46, "seconds": 35}, "tag": "windows hard", "line": " Running makesession with all permutations so we can get Pauls login cookie"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "windows hard", "line": " Logged in as Paul, now we need to modify the JWT token to say we are Paul"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 53, "seconds": 50}, "tag": "windows hard", "line": " We can now upload php files! Some light AV Evasion and have a reverse shell with Nishang"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "windows hard", "line": " Finding Juliette's password within the web application and SSH'ing into Windows"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows hard", "line": " Hunting for Microsoft Sticky Notes and finding the Developer Password"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows hard", "line": " Logged in as Development, finding a linux app to reverse in ghidra"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 74, "seconds": 50}, "tag": "windows hard", "line": " Mimicing the curl requests by the linux app to port localhost:1234, so using SSH to forward that. 
(the localhost screws things up)"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 79, "seconds": 3}, "tag": "windows hard", "line": " Our curl still isn't working, figuring out the master key to see if the linux application works."}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "windows hard", "line": " The localhost in our SSH Port Forward is causing weird issues, changing it to 127.0.0.1 fixes it"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 83, "seconds": 10}, "tag": "windows hard", "line": " The app works, testing for SQL Injection"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 85, "seconds": 10}, "tag": "windows hard", "line": " Using information_schema to dump information about the database (databases, tables, columns), then extracting all info"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 88, "seconds": 40}, "tag": "windows hard", "line": " Using cyberchef to decrypt the AES Blob from the database"}, {"machine": "HackTheBox - Breadcrumbs", "videoId": "gLPnIIGa0FU", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "windows hard", "line": " PSExec isn't working (av?), switching to wmiexec and getting a shell."}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "windows medium", "line": " Running RPCDump which shows if this is vulnerable to PrintNightmare (Exploit it later)"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": 
{"minutes": 3, "seconds": 0}, "tag": "windows medium", "line": " Examining the webpage"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows medium", "line": " Explaining why i use lowercase wordlists on against Windows Webservers"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows medium", "line": " Listing shares with smbclient to find an open share"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "windows medium", "line": " Decompiling the Electron installer/app with asar"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows medium", "line": " Everything is extracted looking at package.json and main.js to find electron-updater"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows medium", "line": " Searching for exploits within Electron"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows medium", "line": " Using MSFVENOM to build a reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows medium", "line": " Editing our installer YAML to point to our reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows medium", "line": " Putting the files on the share and getting our reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "windows medium", "line": " Exploring the box to find PortableKanban "}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows medium", "line": " 
Copying the config to our box so we can extract the database password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "windows medium", "line": " Using CyberChef to decrypt the Portable Kanban password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "windows medium", "line": " Authenticating to Redit-CLI and dumping the user information to get administrator password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "windows medium", "line": " Using rundll32 to create a memory dump of LSASS so we can extract a password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Downloading lsass.dmp with evil-winrm"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Using Pypykatz to parse the dump file and get Jason's password"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows medium", "line": " Building our environment to perform CVE-2021-1675 (PrintNightmare)"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "windows medium", "line": " Using PrintNightmare to connect to our netcat to verify it is vulnerable"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows medium", "line": " Building a DLL to send a reverse shell"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "windows medium", "line": " Having trouble with Impacket's SMBServer, configuring our local SMBD to work with this exploit"}, {"machine": "HackTheBox - Atom", "videoId": 
"1OC2eRVX0ic", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "windows medium", "line": " Reading more errors from impacket to verify we do have code execution"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "windows medium", "line": " Giving a file that doesn't exist to see another error... More verifying that this is working"}, {"machine": "HackTheBox - Atom", "videoId": "1OC2eRVX0ic", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "windows medium", "line": " Giving it our ReverseShell DLL to get a reverse shell"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap, looking at release date of tomcat"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Starting a bruteforce of /manager login to run in the background"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Playing with the YAML Parser, sending special characters leads to a stack trace showing the library"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux medium", "line": " Testing a YAML Deserialization payload for Snake YAML"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux medium", "line": " Start of weaponizing the payload"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux medium", "line": " Having a lot of trouble with building out a payload due to special characters"}, {"machine": 
"HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux medium", "line": " Making it simple, just downloading a script then executing it"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux medium", "line": " Finally got a shell"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "linux medium", "line": " Going into how we know the sudoers file is non-default by date or filesize"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux medium", "line": " Finding out install date of a linux machine by SSH Host Key"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux medium", "line": " Finding where tomcat is installed and then grabbing the password out of the config tomcat-users"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Trying the tomcat password with the admin user"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Going over the go source code which can be ran with sudo"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux medium", "line": " Downloading the web assembly so we can decompile the wasm into a wat then edit it"}, {"machine": "HackTheBox - Ophiuchi", "videoId": "9-AQQkJA1X4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Got Root, showing why i used metasploit to bruteforce tomcat password (lockouts)"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " 
Start"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Nmaping the box"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Checking out the web pages, discovering Wordpress"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux easy", "line": " Getting the username of wordpress by looking at the blog post author"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Running WpScan with Plugins-detection"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "linux easy", "line": " Finding an open directory on the testing site, accessing a backup"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux easy", "line": " Attempting to login with MySQL but cannot due to the account only being allowed on localhost"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Logging into wordpress with administrator and the devteam01 password"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "linux easy", "line": " Getting a shell through WordPress by editing an unused theme"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux easy", "line": " Failing to get a reverse shell..."}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Using a common PHP Reverse Shell"}, {"machine": "HackTheBox - Spectra", "videoId": 
"mC7G3i2gV54", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "linux easy", "line": " Discovering we are on a ChromeBook"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux easy", "line": " Discovering a password in autologin"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "linux easy", "line": " Using the password with local users on the box"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux easy", "line": " Logging in with Katie then seeing she can run sudo initctl"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Failing to play with init files, switching to a simpler method of testing code exec"}, {"machine": "HackTheBox - Spectra", "videoId": "mC7G3i2gV54", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux easy", "line": " Putting a python reverse shell inside of init and getting root"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux hard", "line": " Running nmap and giving it capabilities so we don't need to use sudo"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux hard", "line": " Discovering an email on the SQUID Page"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux hard", "line": " Running GetNPUsers since Kerberos is running, end up getting a hash we can't crack"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 11, "seconds": 50}, "tag": 
"linux hard", "line": " Attempting to enumerate DNS, coming up with nothing"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "linux hard", "line": " Using GoBuster to bruteforce DNS Names"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Using Curl to send requests through Squid to the new Domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Mistake here, swapped the IP Addresses :("}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux hard", "line": " Using ProxyChains to create a proxy through Squid"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux hard", "line": " Nmaping through our ProxyChains, need to use the -sT flag"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Enabling Quiet Mode of ProxyChains to make it less verbose"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux hard", "line": " Comparing nmap banners/version to see if these ports go to anything new"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Adding the third Squid Proxy and checking if we get anywhere else"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Downloading the wpad file to discover some new domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux hard", "line": " 
Using DNSRecon to perform a reverse lookup of a range of domains"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux hard", "line": " Running nmap against the new host to discover SMTP"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux hard", "line": " Running the Python OpenSMTPD Exploit Script CVE-2020-7247"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 48, "seconds": 15}, "tag": "linux hard", "line": " Troubleshooting payloads with the exploit"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Giving python the capability to listen on privilege ports, so we don't need sudo with http.server"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Now my proxychains isn't working... Turns out capabilities breaks proxychains?"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 56, "seconds": 44}, "tag": "linux hard", "line": " Shell on the box! 
Lets run LinPEAS"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 62, "seconds": 15}, "tag": "linux hard", "line": " Finding the msmtprc file which contains a password"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "linux hard", "line": " Configuring our parrot box's kerberos to connect to Tentacle's KDC"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 68, "seconds": 20}, "tag": "linux hard", "line": " Running NTPQ / NTPDate to sync our time with the server"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 69, "seconds": 30}, "tag": "linux hard", "line": " Running kinit to generate a kerberos ticket that lets us into SSH"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 74, "seconds": 45}, "tag": "linux hard", "line": " SSH into the box as j.nakazawa then discovering a Cron that lets us write into ~admin"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux hard", "line": " After failing to put an SSH Key, putting a .k5login file which behaves similiarly"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "linux hard", "line": " Running find to show files owned by the user/group of admin and discovering the KeyTab File"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 85, "seconds": 45}, "tag": "linux hard", "line": " Using the KeyTab file to become users in it, taking an admin cred to create a new root principal"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 87, "seconds": 25}, "tag": "linux hard", "line": " Box done, let's explain whats going on and what the \".local\" binaries let you do if you root a KDC"}, 
{"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "linux hard", "line": " Creating a new Kerberos user, kerberoasting again to see if John The Ripper can crack it"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 93, "seconds": 55}, "tag": "linux hard", "line": " Showing what is in the KeyTab File and doing a bad job parsing it by hand"}, {"machine": "HackTheBox - Tentacle", "videoId": "kKhuUXPmJ_o", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "linux hard", "line": " Finding scripts to dump hashes out of KeyTab"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux medium", "line": " Discovering wordpress, fixing our host file"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Running wpscan to enumerate wordpress via aggressive mode"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux medium", "line": " Manually enumerating wordpress users by listing blog posts by author"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux medium", "line": " Discovering Sator.php, then using GoBuster to discover hidden backups to find Sator.php.bak"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "linux medium", "line": " Start of looking at the php source to see its a basic deserialization challenge."}, {"machine": 
"HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "linux medium", "line": " Building the deserialization gadget to write a file"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux medium", "line": " Uh oh. Made a typo, thankfully can find it quickly and get RCE"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 16, "seconds": 24}, "tag": "linux medium", "line": " Going back a step and showing a proper way to troubleshoot it"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux medium", "line": " Getting a reverse shell then examining wordpress config to get some credentials"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "linux medium", "line": " Testing the credentials with SSH and logging in with neil"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Discovering Neil can run enableSSH.sh with sudo, which has a race condition"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Writing a bash loop to exploit the race condition"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "linux medium", "line": " Exploiting the race condition more elegantly by using inotify to be notified when files are created"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux medium", "line": " Googling for an example written in C"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Going over the program"}, 
{"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 30, "seconds": 12}, "tag": "linux medium", "line": " Modifying the code to write a file upon discovering create"}, {"machine": "HackTheBox - Tenet", "videoId": "LhdE7dXbTQw", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux medium", "line": " Think i forgot to free th pointer, so it segfaults. Writing PleaseSubscribe to prove it worked."}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Running nmap"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux easy", "line": " Using Firefox Developer Tools to inspect the page and see its a Python webserver"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Fuzzing parameters with ffuf to see if anything sticks out"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux easy", "line": " Ffuf isnt giving expected output, lets send the request to BurpSuite to find out we are missing a HTTP Header"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Adding the Content-Type header to ffuf and finally fuzzing special characters"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " There is a MSFVenom CVE and it looks like the webpage uses MSFVenom"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux easy", 
"line": " Editing the MSFVenom exploit to place a reverse shell but the exploit keeps failing"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Using curl to test the RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux easy", "line": " Validated we have RCE, building out a web cradle with our curl to execute code"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "linux easy", "line": " Reverse shell returned as kid user"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux easy", "line": " Looking at the web application and discovering a logs directory"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux easy", "line": " Using stty to fix up our reverse shell so vim/nano works"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux easy", "line": " Running GoSPY to examine processes on the box"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux easy", "line": " Ha. 
GoSpy found the MSFVenom RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "linux easy", "line": " Examining the scanlosers.sh script to find a RCE"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux easy", "line": " Having trouble exploiting scanlosers, taking a deeper look at the script"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell as pwn returned"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " pwn can run metasploit with sudo, executing commands by just specifying a binary in MSF"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "linux easy", "line": " Showing the IRB console within metasploit which would give us another way to execute commands"}, {"machine": "HackTheBox - ScriptKiddie", "videoId": "Yn3iGF8xMQI", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Taking a look at the MSFVenom exploit"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 1, "seconds": 17}, "tag": "windows hard", "line": " Start of nmap, showing having valid hostnames will give more information"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 3, "seconds": 54}, "tag": "windows hard", "line": " Error message on source.cereal.htb leaks a path"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows hard", "line": " Showing .git doesn't exist in DirectyList but does in Raft"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 8, "seconds": 2}, "tag": 
"windows hard", "line": " Using Git-Dumper to download the .git directory and view the source"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "windows hard", "line": " Looking at Git History shows where deserialization happens and a hard coded JWT "}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 12, "seconds": 8}, "tag": "windows hard", "line": " Using the hard coded JWT To build our own token in dotnet."}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows hard", "line": " Trying to use our JWT to access authenticated pages"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 25, "seconds": 42}, "tag": "windows hard", "line": " Going through the React JavaScript to see the token is stored in our browsers local storage"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "windows hard", "line": " Our browser keeps clearing the storage lets just intercept a request in BurpSuite and do what we need"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows hard", "line": " Start of the Desrialization, BadWords Filter to prevent ySoSerial, but we can manually create our own deserialization payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "windows hard", "line": " Finding the name of our JSON Library then finding a blackhat talk on abusing it, to build our payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 40, "seconds": 11}, "tag": "windows hard", "line": " More examining javascript to find routes that leaks pages of the pplication"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": 
{"minutes": 42, "seconds": 15}, "tag": "windows hard", "line": " Using npm audit to find an XSS Vulnerability on /admin due to an out of date plugin react-marked-markdown"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 46, "seconds": 10}, "tag": "windows hard", "line": " Testing the XSS Vulnerability with a simple payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows hard", "line": " Putting it all togather, writing notes on how we are going to build the exploit"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 51, "seconds": 15}, "tag": "windows hard", "line": " Start of exploit script making python requests not care about SSL, then building our JWT with pyJwt"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Testing out bad character evasion with Base64 by using a benign XSS Payload first"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "windows hard", "line": " Adding stage 1 to our script to send the deserialization payload"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 68, "seconds": 22}, "tag": "windows hard", "line": " Changing our payload to use XMLHttpRequest to force the browser to make a request to perform the deserialization which bypasses the RestrictIP Policy"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 73, "seconds": 8}, "tag": "windows hard", "line": " Our script did not work, troubleshooting it"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 77, "seconds": 57}, "tag": "windows hard", "line": " Script worked, lets now host a ASPX File for it to download"}, {"machine": "HackTheBox - Cereal", "videoId": 
"04ZBIioD5pA", "timestamp": {"minutes": 79, "seconds": 20}, "tag": "windows hard", "line": " Using our webshell to download the SQLite Database"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 82, "seconds": 45}, "tag": "windows hard", "line": " Our Powershell One-Liner to convert the database to b64 just fails. Lets copy the database to the web directory so we can download it without encoding it"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "windows hard", "line": " Showing IIS isn't allowing us to download files that end in .db"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 87, "seconds": 45}, "tag": "windows hard", "line": " Showing odd behavior with SSH not prompting us for password due to it treating PubKey as login attempts. Fix is tell SSH to not us pubkey"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 93, "seconds": 0}, "tag": "windows hard", "line": " Discovering port 8080, forwarding that port and discovering GraphQL. 
Installing GraphQL Playground"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "windows hard", "line": " Using GraphQL Playground to dump data out of the database, then use a mutation to trigger the SSRF"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 99, "seconds": 30}, "tag": "windows hard", "line": " Downloading GenericPotato so we can use this SSRF to steal the Token"}, {"machine": "HackTheBox - Cereal", "videoId": "04ZBIioD5pA", "timestamp": {"minutes": 104, "seconds": 20}, "tag": "windows hard", "line": " Running Generic Potato in HTTP Mode triggering the SSRF and getting a root shell"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 0, "seconds": 46}, "tag": "linux easy", "line": " Starting with nmap"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Enumerating the website to see links to the HelpDesk and Mattermost"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " Attempting to enumerate the version of osTicket"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux easy", "line": " Searchsploit json output shows the date"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " No exploits found, lets open a new ticket and see it gives us a way to update the ticket via email"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Creating an account on 
Mattermost with the email of the helpdesk to get the activation link"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Viewing the internal chat and seeing a password, then SSHing to the server"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux easy", "line": " Using hashcat to create a wordlist with its internal rule system"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux easy", "line": " Going over how Hashcat Rule files work"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux easy", "line": " Root #1: Running sucrack to bruteforce the root users password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Root #2: Cracking the Mattermost Password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Using hashcat to crack the Mattermost Password"}, {"machine": "HackTheBox - Delivery", "videoId": "gbs43E71mFM", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux easy", "line": " Going over how i set up the email server on this box"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux medium", "line": " Start of nmap discovering gitlab"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Registering for an account, then finding the version"}, {"machine": "HackTheBox - Ready", 
"videoId": "bHVVYBzOX54", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux medium", "line": " Searching the GitLab commit history to see the patch changing how localhost is verified"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux medium", "line": " Using the import repo from URL feature to force the server to make a request"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux medium", "line": " Attempting SSRF Attacks with Gopher"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Successfully got the server to connect back using git with line breaks"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Finding a gitlab RCE Path from SSRF using Redis"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux medium", "line": " Failing to gttempting to get RCE"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "linux medium", "line": " Ping isn't working, trying Whoami with NC"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux medium", "line": " Finally get RCE with whoami and putting a space at the end of our payload"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Attempting to get a Reverse Shell"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux medium", "line": " Using CyberChef to get rid of the plus in our base64 paylaod"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", 
"timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux medium", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " DeepCE didn't give us much, running linPEAS again"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux medium", "line": " Finding the SMTP Password in a backup which is the root password"}, {"machine": "HackTheBox - Ready", "videoId": "bHVVYBzOX54", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "linux medium", "line": " Mounting the hosts disk to get root"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux insane", "line": " Showing a tmux keybinding to "}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 3, "seconds": 6}, "tag": "linux insane", "line": " Setting up an IPTables rule to log new connections"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux insane", "line": " Using SWAKS to send an email "}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Starting up a python SMTP Server so we can see the email coming back to us"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 12, "seconds": 23}, "tag": "linux insane", "line": " Finding a VIM RCE and verifying it works by using ping"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux insane", "line": " Testing a python2 web cradle within the VIM Exploit"}, {"machine": "HackTheBox 
- Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux insane", "line": " Explaining how our C2 is going to work and why what we are doing it uniquely"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux insane", "line": " Quick high level overview of the C2 Program we are creating"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux insane", "line": " Start coding the C2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux insane", "line": " Demoing the C2 Keeping the HTTP Request alive until a command is sent"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Updating our Client/Implant to work with the new C2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "linux insane", "line": " Updating the Web Cradle with our improved agent and getting a shell as Guly"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux insane", "line": " Discovering an SSH Config, updating it to put our web cradle in ProxyCommand to get shell as Freshness"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "linux insane", "line": " Start of analyzing the AuthKeys binary"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux insane", "line": " Installing OpenBSD"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 75, "seconds": 16}, "tag": "linux insane", "line": " Getting GEF on OpenBSD to help with reversing"}, {"machine": "HackTheBox 
- Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "linux insane", "line": " Back to analyzing the binary, examining the registers after Base64"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 82, "seconds": 10}, "tag": "linux insane", "line": " Using Pattern Create with a large string to crash the program and find out what registers we control"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux insane", "line": " Controlling RIP and dealing with an annoying python3 oddity that makes me use Python2"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 91, "seconds": 10}, "tag": "linux insane", "line": " Start of talking about ROP Chains and looking up the Execve Syscall information"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 92, "seconds": 39}, "tag": "linux insane", "line": " Comparing OpenBSD to Linux Syscall numbers and realizing why linux segfaulted (different codes!)"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux insane", "line": " Using Ropper to print gadgets"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 96, "seconds": 30}, "tag": "linux insane", "line": " Start of RAX Gadget, finding SHR and NOT"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "linux insane", "line": " Showing the start of base64 decode is hard coded at a memory address"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 100, "seconds": 52}, "tag": "linux insane", "line": " Explaining how to create any number with just the NOT and SHR instructions."}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": 
{"minutes": 108, "seconds": 10}, "tag": "linux insane", "line": " Start of RDI Gadget (movss and cvtss1si)"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 114, "seconds": 40}, "tag": "linux insane", "line": " Start of creating our exploit program and prove we can set RAX"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 124, "seconds": 15}, "tag": "linux insane", "line": " Adding the ability to set RDI which requires putting some data on the stack"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 133, "seconds": 30}, "tag": "linux insane", "line": " Explaining our writing to the stack"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 149, "seconds": 0}, "tag": "linux insane", "line": " Explaining the SSH Public Key Format/Algorithm and adding the header"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 162, "seconds": 10}, "tag": "linux insane", "line": " Having trouble with our format, generating a large SSH Key to steal its structure"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 160, "seconds": 0}, "tag": "linux insane", "line": " Switching out our webshell for a reverse shell because its having weird issues..."}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 182, "seconds": 0}, "tag": "linux insane", "line": " Crap... forgot to put a null byte on the reverse shell code got a reverse shell"}, {"machine": "HackTheBox - Attended", "videoId": "ABVR8EgXsQU", "timestamp": {"minutes": 183, "seconds": 30}, "tag": "linux insane", "line": " Testing against our target to get a reverse shell. 
The C2 Web Cradle did not work because Requests was not installed."}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "windows hard", "line": " Running CrackMapExec to discover null authentication and an open share"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows hard", "line": " Running Spider_Plus with CME then JQ to parse the output"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows hard", "line": " Looking into KanBan"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "windows hard", "line": " Using smbclient to download files"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "windows hard", "line": " Running Impacket's SMBServer so we can easily copy things between our linux and windows VM"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows hard", "line": " Editing the KanBan config to perform a \"password reset\", log into kanban and then decrypt the passwords."}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows hard", "line": " Using DnSpy to decompile KanBan (dotnet) and then extract the Crypto Keys"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "windows hard", "line": " Creating a python script to decrypt items in the KanBan 
config"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "windows hard", "line": " Using CME to password spray with the credentials from KanBan, running spider plus again then downloading files"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "windows hard", "line": " Using DnSpy yet again to decompile the new executables, discovering dotnet remoting and credentials"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows hard", "line": " Looking into exploiting .net remoting to discover ExploitRemotingService and Ysoserial.net "}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "windows hard", "line": " Sharing the OpenVPN Connection from Linux with Windows so we can have two boxes connected simultaniously"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 55, "seconds": 12}, "tag": "windows hard", "line": " All the commands needed to turn our linux machine into a router with NAT"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 57, "seconds": 48}, "tag": "windows hard", "line": " Getting a reverse shell by executing the ExploitRemotingService Binary with the payload from ysoserial .net"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "windows hard", "line": " Using Compress-Archive to zip up the WCF Directory then copy it to our linux and windows machines"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " Analyzing the WCF Source in Visual Studio to discover we can execute powershell"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 67, 
"seconds": 20}, "tag": "windows hard", "line": " Attempting to run the binary but get login failure, using net use with /netonly to run the binary with the lars creds"}, {"machine": "HackTheBox - Sharp", "videoId": "lxjAZELJ96Q", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "windows hard", "line": " Running the InvokePowerShell method with a reverse shell to get system"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux medium", "line": " Start of nmap discovering the HTTP Site bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Poking at the website, using the developer console to discover s3.bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Using curl to view HTTP Headers and discovering amazon"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux medium", "line": " Oh god... I forgot to edit the URL in this gobuster! 
Actually created a feature request in GoBuster to fix this mistake from happening."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "linux medium", "line": " Installing AWS CLI"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Using the aws to connect to a custom endpoint, then configure credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Exploring the S3 Bucket "}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "linux medium", "line": " Using S3 to add a reverse shell to the website"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux medium", "line": " Reverse Shell returned, spending some time to start taking notes."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux medium", "line": " End of notes, poking around on the terminal to find"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Discovering some weird ports, checking the apache configuration to see if they are related"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "linux medium", "line": " The Apache mpm_itk_module specifies the site is running as root and not www-data"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux medium", "line": " Poking at DynamoDB to get user credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " 
Doing some jq fu to get exactly the information we want and building a username/password list"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Explaining extended file attributes and using getfacl to see Roy can access bucket-app"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux medium", "line": " Exploring the bucket-app to see it pull information from DynamoDB to build PDF's"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "linux medium", "line": " Using Flameshot to explain exactly what is happening in the code"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux medium", "line": " Looking at pd4ml (library used to make PDF) to see we can attach a file"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "linux medium", "line": " Doing a port forward to forward port 8000 back to our box"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux medium", "line": " Creating the alerts table in DynamoDB"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux medium", "line": " Creating the JSON Document we want to insert into the alert table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "linux medium", "line": " Using AWS dynamodb --put-item to put the document into the table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "linux medium", "line": " Creating the PDF and pulling /etc/passwd from the server"}, {"machine": "HackTheBox - Bucket", 
"videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "linux medium", "line": " Because this is java if we fopen a directory, we get a listing, discovering .ssh"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux medium", "line": " Pulling the SSH Key"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 54, "seconds": 22}, "tag": "linux medium", "line": " Exploring our notes to see what else we wanted to do"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "linux medium", "line": " Showing off the timeline plugin in obsidian"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap, looking at SSL Certificates to get a hostname"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Examining the website"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Getting git.Laboratory.htb out of the certificate and checking that host"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "", "line": " Registering for a GitLab Account then poking at gitlab"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Getting the GitLab Version and finding a Vulnerability"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Creating two issues, so we can perform the LFI"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Using the LFI to extract the 
application secret then b"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 15, "seconds": 55}, "tag": "", "line": " Installing a vulnerable gitlab docker so we can build our serialized payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Starting the docker container, then executing bash inside of it"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "", "line": " Changing the docker secret to the one of Laboratory"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "", "line": " Creating the serialization payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 22, "seconds": 10}, "tag": "", "line": " Reverse shell as git returned. 
Discovering we are inside of docker"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Running the automated docker script DeepCe "}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Playing with the gitlab console to turn our user into an admin"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Sorry for the abrupt cut, phone went off and edited that out poorly."}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "", "line": " Viewing projects on gitlab as admin to find an SSH Key"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "", "line": " Shell as dexter, running LinPEAS"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 5}, "tag": "", "line": " SetUID Binary docker-security found, searching for strings then running ltrace"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "", "line": " ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "", "line": " Going over notes"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 1, "seconds": 42}, "tag": "windows insane", "line": " Start of nmap and poking at the webserver"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 9, 
"seconds": 45}, "tag": "windows insane", "line": " Looking into MSRPC, showing MSF info overflow which is why I had historically ignored it"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows insane", "line": " Poking at RPC with Impacket's RPCMap"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows insane", "line": " Converting a RPC Script to get IPv6 address from Python2 to Python3"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "windows insane", "line": " Using nmap to scan the IPv6 Address"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows insane", "line": " Showing how I would enumerate a Firewall, nothing works here but something I do."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows insane", "line": " Finding SMB accepts anonymous users and contains an Active Directory Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "windows insane", "line": " Using Impacket's SecretsDump to extract the NTDS.DIT with password last set, user status, and history"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "windows insane", "line": " Using KerBrute to enumerate valid users on the box based upon the AD Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 49, "seconds": 15}, "tag": "windows insane", "line": " Using PyKerbrute to bruteforce Henry.Vinson's account"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "windows insane", "line": " Using Socat + CrackMapExec to enumerate IPv6 (if i updated 
CME, it would be able to do IPv6)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 68, "seconds": 0}, "tag": "windows insane", "line": " Using Impacket's reg.py to query Windows Registry remotely from linux"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "windows insane", "line": " Using Evil-WINRM to run WinPEAS/Seatbelt and bypass AMSI"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "windows insane", "line": " Some good information talking about LmCompatibilityLevel and NetNTLMv1"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 89, "seconds": 15}, "tag": "windows insane", "line": " Unintended method. Using Defender to make a SMB Request then decrypting the NetNTLM-v1 hash"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 90, "seconds": 50}, "tag": "windows insane", "line": " Editing responder to use a pre-set challenge (1122334455667788 used by Crack.SH)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows insane", "line": " Modifying RoguePotato to allow for IPv6"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 101, "seconds": 15}, "tag": "windows insane", "line": " RoguePotato flagged by defender... 
Some weird AV Bypass..."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 108, "seconds": 30}, "tag": "windows insane", "line": " Showing the Compiler flags will make RoguePotato undetectable by defender"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 118, "seconds": 5}, "tag": "windows insane", "line": " RoguePotato working, lets start modifying impacket to allow us to stand up an RPC Server"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 141, "seconds": 3}, "tag": "windows insane", "line": " Start debugging our impacket studd with pdb set_trace"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 150, "seconds": 0}, "tag": "windows insane", "line": " Got the NetNTLM v1 hash from Rogue Potato"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 159, "seconds": 50}, "tag": "windows insane", "line": " Cleaning up notes"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Poking at the website"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Finding a way to generate error messages"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Researching the error message"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Throwing a random exploit from the internet and getting a new error"}, {"machine": "HackTheBox - Time", "videoId": 
"JfonPpbX-oI", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Trying another exploit but this one will make a HTTP Request back to our server"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Testing RCE with this exploit with a simple ping"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " RCE Confirmed switching to a reverse shell"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 18, "seconds": 4}, "tag": "", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "", "line": " Exploring the custom System Backup Timer Service"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "", "line": " Editing the Timer Backup Shell Script to get Root"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "", "line": " Extra Content - Explaining some forensics with time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "", "line": " Writing a quick script to search our path for files with full time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "", "line": " Cleaning up our notes."}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Introduction"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Starting nmap, using min-rate to speed up things and explaining why I don't normally show this"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", 
"timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Doing basic recon on /, noticing authentication isn't required everywhere find robots.txt"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux easy", "line": " Taking a look at port 9001, searching for default credentials"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Once logged into Supervisord, we can examine processes see HTTP is using LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Using FFUF to fuzz the /weather/ endpoint based upon the Supervisord and robots.txt "}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux easy", "line": " Using FFUF to fuzz the city parameter of /weather/forecast for special characters"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Confirmed injection, failing to get it to work"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "linux easy", "line": " Going back to FFUF to fuzz for another character after the single quote. We can now inject into the LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux easy", "line": " Reverse shell returned, attempt to crack the hash on my VM and crash my VM... 
Reboot use John to crack it"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux easy", "line": " Using the webapi_user in order to access the webserver"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "linux easy", "line": " Looking into the arguments for HTTP Running on port 3001, since we can hit that directly from our reverse shell"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "linux easy", "line": " Looks like nginx supports going into home directories, looking at r.michaels to get his ssh key"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 53, "seconds": 10}, "tag": "linux easy", "line": " Looks like r.michaels has some PGP Keys associated with his account, finding a tar backup and decrypting"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "linux easy", "line": " The encrypted tar had a different password for webapi_user, decrypting it and using doas to get root"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux easy", "line": " Box done, cleaning up notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux insane", "line": " Installing Obsidian which lets us take notes in Markdown format"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux insane", "line": " Running nmap to see FTP over SSL and it has certificates"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": 
{"minutes": 5, "seconds": 20}, "tag": "linux insane", "line": " Using openssl to grab the SSL Certificate from FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "linux insane", "line": " Going over the web page extracting emails, people, and user input locations"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux insane", "line": " Installing flameshot, which helps us take better screenshots"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Testing each contact form with XSS Cross Site Scripting"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux insane", "line": " XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux insane", "line": " Putting XSS Payloads in the User Agent"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "linux insane", "line": " XSS Attempting to steal cookies with a basic payload, failing here. 
Document.location is lazy, should do document.write to write an image so the user is not redirected."}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux insane", "line": " Using ffuf to bruteforce domains via the CORS Origin header to discover FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 33, "seconds": 35}, "tag": "linux insane", "line": " XSS Using XMLHttpRequest to use the victims browser like a proxy and return web pages to us"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux insane", "line": " XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to create a user"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux insane", "line": " Using lftp to login to the ftp and upload a webshell to development-test"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux insane", "line": " Shell returned as www-data, finding a Hank's password in /etc/ansible/playbooks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 76, "seconds": 5}, "tag": "linux insane", "line": " SSH as hank and examine the send_updates.php file to find command injection "}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Finding credentials for ftpadm which lets us create a file to trigger the command injection"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 93, "seconds": 40}, "tag": "linux insane", "line": " SSH as Isaac and doing some basic enumeration, explaining why we can't see processes from other users hidepid is set on /proc"}, {"machine": "HackTheBox - Crossfit", 
"videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "linux insane", "line": " Using find to do a bunch of IR to find what is unique about hank"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "linux insane", "line": " Using find to look for files modified between two dates and dbmsg stands out"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 102, "seconds": 10}, "tag": "linux insane", "line": " The dbmsg stands out due to its timestamp having nanoseconds, it is the only file like this in /usr/bin"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 111, "seconds": 0}, "tag": "linux insane", "line": " Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 116, "seconds": 15}, "tag": "linux insane", "line": " Attempting to name variables based upon what we think they are"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 123, "seconds": 0}, "tag": "linux insane", "line": " Attempting to explain how we are going to get code execution through symlinks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 127, "seconds": 50}, "tag": "linux insane", "line": " Creating a C Program to set the seed to be the next minute + 1 second and call RAND()"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 133, "seconds": 40}, "tag": "linux insane", "line": " Incorrectly putting data into database in order to trigger the file write exploit"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 141, "seconds": 40}, "tag": "linux insane", "line": " Changing up how we put things into the database and hoping we write the key correctly"}, {"machine": 
"HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 147, "seconds": 45}, "tag": "linux insane", "line": " Explaining why we broke the ssh key up into multiple variabes. The fputsc(0x20) is the spaces"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 148, "seconds": 50}, "tag": "linux insane", "line": " Cleaning up our notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 163, "seconds": 10}, "tag": "linux insane", "line": " using cat to combine all pages into one, then exporting to PDF"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "windows hard", "line": " Gobuster using a case insensitive wordlist because windows"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "windows hard", "line": " Checking out the application on port 8080, wallstant"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "windows hard", "line": " OWA Discovering the Exchange version based upon login interface"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows hard", "line": " OWA How the \"User Enumeration\" of Exchange may work... 
It's time based "}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows hard", "line": " Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows hard", "line": " Using Wallstant to build a username list to perform password spray"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "windows hard", "line": " Using Username Anarchy to take our list of names and build a wordlist of usernames"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "windows hard", "line": " For some reason when using Metasploit's OWA Password Spray, OWA_2010 is broken... but settiing it to OWA_2013 works."}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows hard", "line": " Showing SprayingToolkit to bruteforce OWA without metasploit"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 39, "seconds": 10}, "tag": "windows hard", "line": " Sending an email address to all users and seeing if anyone clicks the link"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "windows hard", "line": " Using Responder to attempt to force the user's computer to give up an NTLMv2 Hash over HTTP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "windows hard", "line": " Cracking the NTLMv2 Hash of k.svensson"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "windows hard", "line": " Failing to use Evil-WinRM to access the box, switching to powershell on linux"}, 
{"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 54, "seconds": 10}, "tag": "windows hard", "line": " Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out we are in constrainedlanguage mode"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 56, "seconds": 20}, "tag": "windows hard", "line": " Breaking out of ConstrainedLanguage Mode by creating a function"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows hard", "line": " Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "windows hard", "line": " Finding a link to StickyNotes on the desktop"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 66, "seconds": 50}, "tag": "windows hard", "line": " Doing a hex dump of the stickynote log to see there is a password written"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows hard", "line": " Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "windows hard", "line": " Using an LFI Vulnerability in the function JEA can do in order to access any file"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "windows hard", "line": " Using the LFI to get root.txt"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows hard", "line": " Box is done.. 
Trying to dump the proces and flailing, never get it working but figured people may still enjoy it."}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux medium", "line": " Identifying this is likely Ubuntu Xenial"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Attempting basic SQL Map"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Failing to find a way to enumerate CuteNews version"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 6, "seconds": 55}, "tag": "linux medium", "line": " Looking over an exploit script from SearchSploit"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux medium", "line": " Finding there is a page that exposes a bunch of user hashes... 
wat?"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux medium", "line": " Copying a bunch of PHP Blobs, then using grep to only show us the hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux medium", "line": " Going back to looking over the exploit script"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Sent the exploit script through burpsuite and looking at each request"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "linux medium", "line": " Getting a reverse shell and fixing out TTY"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Searching CuteNews PHP Files for passwords"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "linux medium", "line": " Decoding the php files within the users directory to get password hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux medium", "line": " Writing a nasty bash one liner to go over all the files and output the base64, then use grep to only show what we want to get hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux medium", "line": " Using Hash Identifier to get an idea what the hash is, then using CrackStation to quickly crack"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux medium", "line": " The Cred we decrypted was for John, using SU to switch to the john user"}, {"machine": "HackTheBox - Passage", "videoId": 
"kbw4_4jUP_U", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux medium", "line": " Oddly enough the SSH Public key is John's directly wasn't generated by him... Validating that is the public key to the private key"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux medium", "line": " Using Nadav's key to SSH into the box"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 31, "seconds": 48}, "tag": "linux medium", "line": " Exploring VIMINFO to see some forensics on what this user has done"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 34, "seconds": 14}, "tag": "linux medium", "line": " Looking for USBCreator Privesc's"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Running the GDBus command to copy files and get root."}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux easy", "line": " Start of nmap"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Adding academy to our host file, then taking a look at the web page"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Discovering a weird port (33060), attempting to enumerate it manually"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Discovering admin.php from our gobuster results"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 14, "seconds": 20}, 
"tag": "linux easy", "line": " Playing with having spaces in usernames, then seeing roleid in the parameter"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Creating and logging in with an admin to see a new vhost"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux easy", "line": " Looking for Laravel Exploits, finding a metasploit module"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux easy", "line": " Getting the APP_KEY from the laravel error page, which is needed for exploitation"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Using metasploit to exploit Laravel and send the requests through burpsuite so we can analyze the exploit"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Analyzing the exploit, going to CyberChef to decrypt the payload"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux easy", "line": " Looking at .env files to get passwords, then failing at logging into the database"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux easy", "line": " Creating a list of users on the box"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux easy", "line": " Running crackmapexec with users and the password we found"}, {"machine": "HackTheBox - Academy", "videoId": 
"yQl5RA6APyQ", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux easy", "line": " We are in the ADM Group so taking a look at /var/log"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux easy", "line": " Looking at AuditD logs, then running aureport to get more details"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "linux easy", "line": " Finding mrb3n can run sudo, then doing a simple GTFOBin with composer to get root"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Start of nmap digging into Version numbers of applications"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Finding Tomcat is an old version"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Checking out the web page "}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Playing with the file upload, uploading an EICAR to test virus scanning"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Finding if we put a directory or nothing for filename we get an error message"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Looking at Tomcat 
exploits to see that we may be able to perform a deserialization attack by uploading a serialized object"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux hard", "line": " Using ysoserial to generate a CommonsCollection payload"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Showing a trick to copy binary content into BurpSuite"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " Testing RCE by making the application ping us"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Failing to get a reverse shell, going through a lot of issues, attempting to encode our command to avoid bad characters"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 29, "seconds": 20}, "tag": "linux hard", "line": " Attempting to use a different one-liner to get a shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "linux hard", "line": " Giving up using one liners, sometimes two payloads are better than one. 
Downloading a script and then executing it."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Discovering Docker is running on this box"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 40, "seconds": 35}, "tag": "linux hard", "line": " Finding out SALT is running on this box, which did have an unauth RCE recently (Salt Stack)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 44, "seconds": 40}, "tag": "linux hard", "line": " Running chisel to forward SALT Ports which are listening on localhost (firewall bypass)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux hard", "line": " Downloading a different exploit as the one we had doesn't seem to be working"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell with the SALTSTACK exploit and using script to log all the output of our reverse shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Reverse shell returned and we are in a Docker Container. 
This is weird."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 57, "seconds": 55}, "tag": "linux hard", "line": " Running LinPEAS and discovering it has docker.sock exposed in it, along with .bash_history works."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 58, "seconds": 50}, "tag": "linux hard", "line": " Exploring the Docker Web API, which we can access through the exposed docker socket"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 63, "seconds": 25}, "tag": "linux hard", "line": " Doing some redirection magic to allow the Web API Request to be sent to our box which automatically does JQ to prettify it"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 65, "seconds": 50}, "tag": "linux hard", "line": " Creating a JSON File which we will use in our HTTP Request to create a new docker container"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux hard", "line": " Using CURL To make the request and send our JSON File"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 68, "seconds": 45}, "tag": "linux hard", "line": " Fixing up our terminal with the STTY command as our line wrapping is behaving oddly"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "linux hard", "line": " Having trouble running the CMD, changing it up the command"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 79, "seconds": 15}, "tag": "linux hard", "line": " Finally getting the command right and getting a reverse shell"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - Jewel", "videoId": 
"OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux medium", "line": " Start of nmap, going into why it needs sudo"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux medium", "line": " Checking Phusion Passenger version"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux medium", "line": " Downloading the source code from port 8000 (GitWeb)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux medium", "line": " Using Brakeman to analyze the source code to the RAILS App"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "linux medium", "line": " Checking Rails release date to see it is old"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "linux medium", "line": " Researching CVE-2020-8165 and checking if our application is vulnerable"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux medium", "line": " Performing the CVE-2020-8165 serialization exploit"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Fixing my APT from expired: signature could not be verified because public key is not available NO_PUBKEY"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux medium", "line": " Installing RAILS Then building our deserialization"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 31, "seconds": 
0}, "tag": "linux medium", "line": " LinPEAS showed some password hashes, lets check out those files to see if there was more passwords"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux medium", "line": " Cracking the passwords, then finding sudo requires a 2FA Password"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "linux medium", "line": " Finding .google_authenticator"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux medium", "line": " Installing oathtool"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux medium", "line": " Using OathTool to read out google_auth file to generate the One Time Pad (OTP)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux medium", "line": " Switching to TOTP Mode, then lots of issues because of AM/PM"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 51, "seconds": 51}, "tag": "linux medium", "line": " Changing the timezone of our box to Europe/London to get away from conversions"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " Our date went up an entire day! 
Fixing the day then getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux easy", "line": " Start of Nmap"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "linux easy", "line": " Poking at the website and doing Gobuster/SQLMap In the BG"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Registering an account and enumerating the new features, looking for XSS"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux easy", "line": " Testing if the box will click links, discovering Curl reaches back to us"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Finding command injection in the URL, finding a way to execute commands with spaces"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 13, "seconds": 37}, "tag": "linux easy", "line": " Brace expansion isn't working, but IFS allows us bypass space being a bad character"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux easy", "line": " Trying to get a reverse shell but failing due to bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 18, "seconds": 47}, "tag": "linux easy", "line": " Using Curl to download a rev shell script and then execute it in order to avoid bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Transfering site.db 
to our box, so we can view the contents and attemp to crack the admins password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Finding out we are part of the ADM Group and can read logs! Log contains a password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "linux easy", "line": " Checking the Splunk Version and looking for exploits"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 34, "seconds": 55}, "tag": "linux easy", "line": " Didn't see anything in SearchSploit googling for an exploit then getting root"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 38, "seconds": 22}, "tag": "linux easy", "line": " Unintended: Exploring the SSTI Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux easy", "line": " Using Basic SSTI to identify what framework the website is using"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "linux easy", "line": " Creating an SSTI Jinja2 Reverse Shell payload and getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux easy", "line": " Exploring the CURL Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux easy", "line": " Deep dive into the SSTI Vulnerability and patching it"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Start of nmap"}, {"machine": 
"HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "windows medium", "line": " Checkign out the open SVN Port"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "windows medium", "line": " Adding the discovered domains to /etc/hosts and checking out the websites"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "windows medium", "line": " Some grep magic to show only what we want, which is URLS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows medium", "line": " Using GoBuster to see if there are any more more VHOSTS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Checking out the SVN and seeing creds in a previous revision (commit)"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows medium", "line": " Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to deploy master branch to a server"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Pushing our webshell to the git master branch and getting shell on the box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "windows medium", "line": " Choosing the revshell out of the tennc github page"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "windows medium", "line": " Creating a powershell one liner to get a reverse shell via Nishang"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows medium", 
"line": " Discovering SVN Credentials and using CrackMapExec to find valid passwords"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows medium", "line": " CrackMapExec was giving me issues, installing it from source with Poetry"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows medium", "line": " Using CrackMapExec to test a list of credentials without bruteforcing all passwords to all users"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "windows medium", "line": " Using WinRM to get a shell as Robisl"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "windows medium", "line": " Logging into Azure Devops as Robisl and discovering we can edit the build pipeline"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "windows medium", "line": " Copying our reverse shell to the box, so we can easily execute it from the build pipeline and getting admin"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", "line": " UNINTENDED: Doing the box via RoguePotato"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "windows medium", "line": " Poorly explaining why we need to use chisel"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " Running Chisel to setup a reverse port forward between the target and our box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 15}, "tag": "windows medium", "line": " Setting up SoCAT to go through our tunnel"}, {"machine": 
"HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows medium", "line": " Executing RoguePotato to get an admin shell"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows medium", "line": " Explaining the tunneling again in MSPaint. Hope this helps."}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows medium", "line": " Doing RoguePotato without socat, just a single Chisel tunnel"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Start of nmap, discover web and ssh. Discover litecart, fail to find a way to identify version"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster to find the backup directory"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Examining the tar archive"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Talking about the unix time being 32-bit timestamps but tar did not keep entire timestamp"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux hard", "line": " Using find with printf to sort files by modified time"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux hard", "line": " Discovering the admin/login.php file was modified to drop the credentials to disk"}, 
{"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux hard", "line": " Logging into LiteCart as admin"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux hard", "line": " Finding exploits on searchsploit, then manually running through the exploit because its Python2 with some annoying libraries"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux hard", "line": " Uploading our PHP Shell but it doesn't work, checking for PHP Disabled functions by using a simple php file. Then doing phpinfo() to see other functions"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux hard", "line": " Running through Chankro even thoe it wouldn't work."}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux hard", "line": " Uploading large binary files in BURPSUITE by pasting base64 and decoding it within burpsuite"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 25, "seconds": 33}, "tag": "linux hard", "line": " Chankro wont work due to putenv being disabled. Looks like there's a PHP 7.0 - 7.4 bypass. Trying this!"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Attempting a reverse shell but it doesn't work. 
Viewing iptables configuration"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux hard", "line": " Using my Forward Shell script to get a TTY on the box"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux hard", "line": " Again, talking about 32-bit timestamps to find files that were put into /lib/ not by a Apt"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux hard", "line": " Discovering the PAM Backdoor (pam_unix.so), then reversing it to get a skeleton password"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux hard", "line": " BOX COMPLETED. Doing USER/ROOT a different way"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Generating a Weevely Reverse shell which will let us do more things in PHP"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Discovering MySQL has a bash shell"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux hard", "line": " Discovering the MySQL has a UDF (User Defined Function) that allows for code execution"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux hard", "line": " Dropping an SSH Key, then seeing a strace-log.dat file which acts as a keylogger on linux. 
Also the 32 bit timestamp sticks out"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 60, "seconds": 15}, "tag": "linux hard", "line": " Discovering a LD_PRELOAD Rootkit (libdate.so),reversing it to see a hidden privesc"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux insane", "line": " Start of nmap"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Checking out the webpages, find Gitlab and Page about a custom chrome"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux insane", "line": " Viewing the Git log for the custom v8 javascript project and finding the vulnerability"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux insane", "line": " Finding an XSS in Contact Us"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux insane", "line": " Using the banners to find what version of Ubuntu the target is using"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux insane", "line": " Building v8 in Ubuntu 18.04"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux insane", "line": " Warning about needing 4 gigs of memory."}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux insane", "line": " Everything is compiled! 
Start of the exploit, looking at some webpages that help out"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Starting v8 in gdb, then examining some memory structures"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux insane", "line": " Explaining Smi, Immediate Small Integer"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Starting our helper script with number conversions (float/bigint/hex)"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux insane", "line": " Doing DebugPrints on our float arrays to examine memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux insane", "line": " Digging into the memory to see where Map/Property/Elements/Length are in the memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "linux insane", "line": " Showing Objects in memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 58, "seconds": 15}, "tag": "linux insane", "line": " Precursor material to AddrOf and FakeObject, why type confusion leads to memory shenanigans "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux insane", "line": " Finding GetLastElement() behaves different on object arrays"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux insane", "line": " Doing Faiths AddrOf and troubleshooting why it doesn't work in ours "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 82, "seconds": 27}, "tag": 
"linux insane", "line": " Recoding the AddrOf, to start out with an array not object"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 86, "seconds": 45}, "tag": "linux insane", "line": " Explaining the FakeObj Primative"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 93, "seconds": 20}, "tag": "linux insane", "line": " Doing the Read Memory portion"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "linux insane", "line": " Coding the Write Memory function"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 100, "seconds": 40}, "tag": "linux insane", "line": " Using Web Assembly to create RWX"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 102, "seconds": 30}, "tag": "linux insane", "line": " Doing some memory analysis to find where our RWX location is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 106, "seconds": 30}, "tag": "linux insane", "line": " Doing some memory analysis to find where the Backing Store address is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 110, "seconds": 10}, "tag": "linux insane", "line": " Using MSFVenom to create some shellcode to touch a file"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 114, "seconds": 20}, "tag": "linux insane", "line": " Replacing the shellcode with a reverse shell!"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 116, "seconds": 30}, "tag": "linux insane", "line": " Testing on the custom chrome browser"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 118, "seconds": 30}, "tag": "linux insane", "line": " Running our exploit against the target!"}, {"machine": "HackTheBox - Omni", "videoId": 
"MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Begin of nmap"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "linux easy", "line": " Finding out this is Windows IOT"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Showing the BlackHat paper on Hacking Windows IOT "}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Trying SirepRAT out against this box"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux easy", "line": " Finally getting code execution witht he SirepRAT tool, trying to run powershell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Finally getting Powershell working, trying to get a Reverse Shell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "linux easy", "line": " Getting a Reverse shell by downloading NC64.EXE and running it"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Extracting the SAM/SYSTEM Registry hive so we can run SECRETSDUMP to pull user hashes"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Had trouble with Impacket's SMB Server, editing smbd.conf"}, {"machine": 
"HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "linux easy", "line": " Getting a shell as APP using the website, so we can decrypt the user.txt and iot-admin.txt secure strings"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 40, "seconds": 40}, "tag": "linux easy", "line": " Getting a shell as ADMINISTRATOR using the website so we can decrypt root.txt"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "linux insane", "line": " Running nmap"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux insane", "line": " Discovering port 9100, and poking at it with nmap/pret"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux insane", "line": " Got access to the printer via PRET, dumping print jobs"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux insane", "line": " Running ENT to see the entropy is 7.99 which means it is probably encrypted... Then doing the same thing in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " Discovering the encryption algorithm via inspecting variables on the printer. 
Then dumping the memory of the printer to get the AES Key and trying to decrypt in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux insane", "line": " Cutting up the Print Job with DD to extract the IV/Encrypted payload out of the print job."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 18, "seconds": 58}, "tag": "linux insane", "line": " CyberChef decrypted our AES! Reading the PDF"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 23, "seconds": 46}, "tag": "linux insane", "line": " Creating the Protobuf object and converting to python"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "linux insane", "line": " Interacting with Port 9000 with our protobuf payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux insane", "line": " Attempting to Pickle a deserialization payload, to see its disabled"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux insane", "line": " Taking the example JSON Data and sending it to port 9000 and finding a SSRF Vulnerability!"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux insane", "line": " Using SSRF to scan ports on localhost and discovering SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux insane", "line": " Forcing the SSRF to send an HTTPS Post Request via GOPHER"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux insane", "line": " Sending the SOLR Post Payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 
67, "seconds": 30}, "tag": "linux insane", "line": " Creating the second payload for SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 79, "seconds": 50}, "tag": "linux insane", "line": " Verifying our payloads doing some JSON Validation"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux insane", "line": " Finally fixed our payload! Darn URL Encoding issues."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 95, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, doing some basic enumeration and seeing SSHPass"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 103, "seconds": 10}, "tag": "linux insane", "line": " Using PSPY to monitor processes and catching SSHPASS before it can rewrite its commandline"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux insane", "line": " Gaining root on the Docker Container, disabling SSH, and bending the port back at the host and gaining code execution"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Introduction"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 31}, "tag": "linux medium", "line": " Begin of nmap"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Nmap shows it is BSD, going over some command differences"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux medium", "line": " Running GoBuster to find other PHP Scripts"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 4, "seconds": 30}, "tag": 
"linux medium", "line": " Looking at the includes directory and finding source code"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 10, "seconds": 14}, "tag": "linux medium", "line": " Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux medium", "line": " Using VirusTotal to find out if this an old binary"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux medium", "line": " Using Cutter to decompile this binary, to see it does a better job than Ghidra!"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Finding some BSD Exploits related to authentication"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux medium", "line": " Putting SCHALLENGE as the username, causes a different error message. 
Then doing some code analysis around $_REQUEST"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux medium", "line": " Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux medium", "line": " Showing how OpenBSD has some different command line switches"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux medium", "line": " Going back to the earlier CVE, since it showed a privesc aswell and explaining CVE-2019-19520"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "linux medium", "line": " EXTRA: Looking at the PHP Code to explain the $_REQUEST exploit again"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Introduction"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 2, "seconds": 27}, "tag": "linux hard", "line": " Setting Squid up to do a portscan while we work on something else"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Poking at RSYNC and seeing we can download encrypted config backups"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": 
{"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Finding the EncFS Config file, and then using John to Crack it"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux hard", "line": " Decrypting the config directory and finding a squid password and some hostnames"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Examining the new website exposed to us, configuring BurpSuite to use the squid proxy"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Showing the Intranet-Host header is changing, then accessing Squid Cache Manager to find some more ip addresses"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Using curl to view Squid Cache Information"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 28, "seconds": 25}, "tag": "linux hard", "line": " Finding a new IP Address for a decomissioned server. Looks like this one has a vulnerability"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "linux hard", "line": " Poking at the login form on the intranet-host1, looks like its vulnerable to SQL Injection"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux hard", "line": " Trying SQL Injection in the Password Field since the User was behaving weirdly.. 
Password behaving slightly differently"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "linux hard", "line": " Examining what XPATH Injection is"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Confirming it is XPATH Injection by using standard XPATH Payloads"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "linux hard", "line": " Using a XPATH Payload to extract the password length for a user"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Using XPATH Injection to bruteforce the password one character at a time"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Using Python to Automate the XPATH Injection to dump passwords"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "linux hard", "line": " Script near done, grabbing the password for all users"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 66, "seconds": 40}, "tag": "linux hard", "line": " Using Hydra to find one of the users had SSH Access"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "linux hard", "line": " Reading the TODO and finding pi-hole by checking arp with ip neigh"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 70, "seconds": 10}, "tag": "linux hard", "line": " Creating an SSH Port Forward to access Pi-Hole"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 73, "seconds": 55}, "tag": "linux hard", "line": " 
Finding Pi-Hole Exploits"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "linux hard", "line": " Using FFUF to bruteforce the Pi Hole login form"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 77, "seconds": 50}, "tag": "linux hard", "line": " Failing to use public exploits for this"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 79, "seconds": 45}, "tag": "linux hard", "line": " Finding a blog post to examine how this exploit works"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 81, "seconds": 45}, "tag": "linux hard", "line": " Using CyberChef to edit the payload for our Pi Hole exploit"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 83, "seconds": 55}, "tag": "linux hard", "line": " Manually sending the exploit and getting a shell"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Finding the root password in a config file, then using SU to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux medium", "line": " Start of nmap"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "linux medium", "line": " Poking a the websites"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux medium", "line": " Starting gobusters in the background while we look at the site"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 7, 
"seconds": 0}, "tag": "linux medium", "line": " Grabbing a list of emails off of the website"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux medium", "line": " Using SWAKS to mass email users with a link"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux medium", "line": " User went to our website, grabbed credentials"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux medium", "line": " Failing to do FTP User Enumeration, do this at the end of the video"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": " Failing with Thunderbird to login"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux medium", "line": " Switching to the Evolution Mail client to check mailboxes, finding FTP Details in Sent Mail"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux medium", "line": " Using wget to mirror the FTP Directory, then poking at PHP Files"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux medium", "line": " Showing pypi/Register.php, which *should* have been used during the phishing stage"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux medium", "line": " Checking if we can upload files to the FTP Directory and finding the dev VHOST "}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux medium", "line": " Shell Returned"}, {"machine": "HackTheBox - SneakyMailer", 
"videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux medium", "line": " Discovering a HTPASSWD file, then cracking it with hashcat"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "linux medium", "line": " Checking out pypi.sneakycorp.htb:8080 and finding a pypi server"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux medium", "line": " Creating a Malicious PyPi Package"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux medium", "line": " Adding a reverse shell to our pypi package"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 44, "seconds": 45}, "tag": "linux medium", "line": " Creating a pypi configuration file"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux medium", "line": " Uploading the package and getting a shell as low"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux medium", "line": " Checking sudoers, and finding low can run pip3 - Use GTFO Bin to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux medium", "line": " EXTRA: Enumerating the FTP Users by creating a quick webapp then using FFUF against it."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Introduction"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows easy", "line": " Begin of nmap and poking at the website"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 
3, "seconds": 0}, "tag": "windows easy", "line": " Checking when an image was uploaded to the server with wget and exiftool"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "windows easy", "line": " Contact.php discloses the software Gym Management Software is being used. Examining the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "windows easy", "line": " Editing the Python Exploit to force everything through a proxy, so we can examine what the exploit does."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Running the exploit and examining in Burp"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "windows easy", "line": " Having trouble getting a reverse shell via PS, Uploading NC.EXE to do it"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "windows easy", "line": " Running WinPEAS.exe "}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows easy", "line": " Discovering CloudMe in the Downloads directory then looking at the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "windows easy", "line": " CloudMe isn't listening on a port... Reverting and getting a shell again"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows easy", "line": " Reverse shell returned... 
Still waiting for CloudMe to listen on a port"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "windows easy", "line": " Uploading Chisel to the box, then doing a port forward for MySQL to enumerate the database"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Finding MySQL Credentials in db.php, then checking the database from our box thanks to Chisel"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "windows easy", "line": " Replacing the payload in the CloudMe exploit with a reverse shell"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows easy", "line": " Running the exploit and getting root"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Begin of nmap"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Examining the Message, pointing out the endpoint does not need authentication"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Using FFUF to fuzz the API End Point and show importence of Content-Type"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Starting SQLMAP then manually fuzzing this application"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " SQLite Boolean Injection, with CASE 
IF/THEN/ERROR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " SQLite Boolean Injection, Enumerating Usernames"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " SQLite Boolean Injection, Start of Dumping Password"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "linux hard", "line": " SQLite Boolean Injeciton, Optimization chat about UNICODE and SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux hard", "line": " Start of coding out python script to dump the hash"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 41, "seconds": 20}, "tag": "linux hard", "line": " This hash looks weird... Tons of troubleshooting"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 45, "seconds": 12}, "tag": "linux hard", "line": " Explaining the issue, we are hitting the 140 character limit... 
Switching script up to do SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 51, "seconds": 55}, "tag": "linux hard", "line": " Script completed to dump hashes."}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 53, "seconds": 15}, "tag": "linux hard", "line": " Static source code analysis, find its vulnerable to Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux hard", "line": " Using HashPumpy to perform the Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "linux hard", "line": " We base64'd the signing portion wrong"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "linux hard", "line": " Now we have access to /admin, can use its API to read files and directories, showing Sched_debug and /proc/net/tcp,udp,environ to get important information"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 83, "seconds": 30}, "tag": "linux hard", "line": " Finding a RW SNMP Community string and then using snmp-shell to get code execution "}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 89, "seconds": 0}, "tag": "linux hard", "line": " Generating a SSH Key then copying it slowly to the box"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux hard", "line": " Doing a Local Port Forward with the Debian-SNMP User"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "linux hard", "line": " Binary Exploitation with Note_Server: Going over Source and recompiling with ggdb flag"}, {"machine": "HackTheBox - Intense", "videoId": 
"nBg6zUalb7c", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "linux hard", "line": " Binary Exploitation: Setting up PwnTools so we can interact with the binary"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 106, "seconds": 40}, "tag": "linux hard", "line": " Binary Exploitation: Defeating ASLR by leaking an address"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 116, "seconds": 20}, "tag": "linux hard", "line": " Binary Exploitation: Leaking LibC and Getting Code Execution"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 125, "seconds": 30}, "tag": "linux hard", "line": " Binary Exploitation: Creating offset's for our remote server to get it working"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Academy URL: https://academy.hackthebox.eu"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "", "line": " Accessing Academy"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " Talking about Paths"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "", "line": " Talking about what a Cube is"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Showing all the modules and tiers"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Starting the Intro to Academy Course"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", 
"timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Showcasing interactive modules by starting a pwnbox instance"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Spawning a lab to interact with"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "linux easy", "line": " Start of Nmap"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "linux easy", "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux easy", "line": " Discovering Megahosting.HTB and adding it to /etc/hosts"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 4, "seconds": 4}, "tag": "linux easy", "line": " Playing with news.php and explaining the logic of LFI"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Discovering it is a file_get_contents(), which means we can skip all our \"RCE Tests\" as it won't execute PHP Code"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " Using Curl to 
upload the JSP webshell."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux easy", "line": " Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 25, "seconds": 38}, "tag": "linux easy", "line": " Reverse shells having trouble running due to bad characters."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "linux easy", "line": " Downloading the shell to disk, then executing it in order to avoid special characters"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 31, "seconds": 15}, "tag": "linux easy", "line": " Reverse shell returned and TTY fixed. Discovering an encrypted zip file that we crack with John"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Exploring the Zip file to find there's nothing really interesting"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Running linpeas"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "linux easy", "line": " Discovering user is a member of LXD Group"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 44, "seconds": 42}, "tag": "linux easy", "line": " Building an alpine container, then uploading it to the target machine"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": 
{"minutes": 47, "seconds": 45}, "tag": "linux easy", "line": " Uploading the alpine container and using lxc to privesc"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Begin of nmap, see a Active Directory server with HTTP"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Gathering usernames from the website"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "windows medium", "line": " Using KerBrute to enumerate which users are valid "}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows medium", "line": " Using Cewl to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using Hashcat to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows medium", "line": " Trying to use RPCClient to change the password. 
Cannot"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows medium", "line": " Using SMBPasswd to change the password"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows medium", "line": " Logging in via RPCClient and enumerating Active Directorry with EnumDomUsers and EnumPrinters"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows medium", "line": " Password for SVC-PRINT found via Printer description (EnumPrinters) in Active Directory, Logging in with WinRM"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "windows medium", "line": " Discovering SeLoadDriverPrivilege"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Switching to Windows Downloading everything needed for loading the Capcom Driver and Exploiting it"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows medium", "line": " Compiling the EoPLoadDriver from TarlogicSecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "windows medium", "line": " Compiling ExploitCapcom from FuzzySecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "windows medium", "line": " Copying everything to our Parrot VM then to Fuse"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "windows medium", "line": " Loading the Capcom Driver then failing to get code execution"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", 
"line": " Creating a DotNet Reverse shell incase the Capcom Exploit didn't like PowerShell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "windows medium", "line": " Exploring the ExploitCapcom source and editing it to execute our reverse shell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 50, "seconds": 11}, "tag": "windows medium", "line": " Copying our new ExploitCapcom file and getting a shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " Start of the box, running nmap with all ports."}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux insane", "line": " Using a Google Image Search to map icons with applications"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux insane", "line": " Manually fuzzing test.dyplesher.htb to check if there's any easy vulns"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux insane", "line": " Running NMAP Scripts against the results of our full port scan with awk and ORS"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux insane", "line": " Discovering a .git repo exposed on the website, using git-dumper to download it"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux insane", "line": " Memcache credentials discovered, download and test auth"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": 
{"minutes": 16, "seconds": 0}, "tag": "linux insane", "line": " Creating a simple web application that will let us fuzz the remote memcat service"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Logging into GOGS as Felamos to download another repo, using git to restore a git bundle file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux insane", "line": " Logging into dyplesher.htb with creds in the Git Repo"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Setting up our environment (IntelliJ)"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Skeleton Code"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Uploading the plugin and checking console"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Adding the ability to READ FILES and print Current Username"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Had trouble getting it to run, had to revert"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: Add the ability to write files and drop SSH Key + Web Shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " MINECRAFT PLUGIN: SSH Key and 
WebShell dropped! Logging into the server"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "linux insane", "line": " Discovering DumpCap can be ran by our user, dumping localhost then running wireshark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 73, "seconds": 25}, "tag": "linux insane", "line": " Discovering credentials in AMQP Traffic, these work on SSH"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "linux insane", "line": " Downloading AMQP-PUBLISH to send a URL to the queue as the note says"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 80, "seconds": 15}, "tag": "linux insane", "line": " Running PSPY while we dig through the wireshark some more, find the password in WireShark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "linux insane", "line": " Using AMQP-PUBLISH with the correct credential and get the server to download a file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 84, "seconds": 40}, "tag": "linux insane", "line": " Searching Cuberite plugins, to see its just lua. Writing a quick plugin and getting code execution"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "linux insane", "line": " Getting a root shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "linux insane", "line": " Failing to do some ERLANG stuff. 
May be useful if you want to try it yourself but i didn't get it working"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "linux insane", "line": " Exploring iptable/ufw rules and common mistakes"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux easy", "line": " Start of NMAP"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux easy", "line": " Discovering install.php, which says bludit is being installed."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Looking for exploits searchsploit, everything requires Auth"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 7, "seconds": 35}, "tag": "linux easy", "line": " Attempting a login and noticing the CSRF Tokens"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux easy", "line": " Looking for exploits online that haven't made it to SearchSploit yet"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux easy", "line": " Placing the X-FORWARDED-FOR header to bypass brute force protection"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Creating a Python Brute Forcer"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Scripting: Grabbing the CSRF Value with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": 
"G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Grabbing the PHP Session Cookie with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Sending a login request with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Scripting: Telling request to not follow and detect a valid login"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux easy", "line": " Using Cewl to build a wordlist, then changing our python script to pull passwords from our wordlist"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Scripting: Setting a random IP in X-Forwarded-For header"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " Scripting: Scripting fixing a bug then getting a password via brute force!"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux easy", "line": " Start of playing around with the Bludit Image Upload Vulnerability."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux easy", "line": " Having trouble, running the exploit with metasploit through a proxy to understand what is going on"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "linux easy", "line": " Uploading a PHP Reverse shell then HTAccess file to get code execution"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux 
easy", "line": " Reverse shell returned, finding passwords in the bludit database, then cracking them."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 68, "seconds": 20}, "tag": "linux easy", "line": " Cracked a password for hugo, switching to his user"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 69, "seconds": 30}, "tag": "linux easy", "line": " Doing the SUDO underflow exploit"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux medium", "line": " Running NMAP and checking out the page"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux medium", "line": " Author page contains a hint to do some type Domain Brute Forcing"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux medium", "line": " The Login form won't go to burpsuite, lets check out javascript"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 8, "seconds": 5}, "tag": "linux medium", "line": " Doing VirtualHost (VHOST) Bruteforcing with GoBuster to discover hms.htb"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux medium", "line": " Discovering OpenEMR, running searchsploit, attempting to find the version of it"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 15, "seconds": 25}, "tag": "linux medium", "line": " Searchsploit doesn't have any exploits, checking one on google to find a SQL Injection"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux medium", "line": 
" Discovering error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "linux medium", "line": " Manually extracting data from error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "linux medium", "line": " Using BurpSuite Intruder to aid us in running a bunch of SQL Injections, incrementing a number to get all the fields"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 33, "seconds": 8}, "tag": "linux medium", "line": " XPATH Injection only extracts 32 characters, we need to use SUBSTRING to extract fields longer than 32"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux medium", "line": " Logging into OpenEMR then using file upload functionality to upload a webshell"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 46, "seconds": 15}, "tag": "linux medium", "line": " Enumerating Memcache to discover credentials for luffy"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 50, "seconds": 40}, "tag": "linux medium", "line": " Luffy is a member of Docker, using GTFO Bins to use docker to privesc"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " EXTRA: Going back to memcache, lets forward the memcache port to our box via chisel, so we can easily run tools against it."}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 61, "seconds": 25}, "tag": "linux medium", "line": " Using Metasploit to dump memcache"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux medium", "line": " Using Memcache utilities to manually 
enumerate memcache"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows hard", "line": " Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "windows hard", "line": " Mounting the profiles$ directory so we can build a username list"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows hard", "line": " Using Kerbrute to enumerate valid usernames"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows hard", "line": " Running GetNPUsers to perform an ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows hard", "line": " Checking what we can do with the Support User from the ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "windows hard", "line": " Running the python Bloodhound ingestor from Linux"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 27, "seconds": 55}, "tag": "windows hard", "line": " Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows hard", "line": " Setting an Windows users (Audit2020) password 
from linux using RPCClient"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows hard", "line": " Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows hard", "line": " Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "windows hard", "line": " Failing to get WBADMIN to send a backup file to impacket"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows hard", "line": " Creating a NTFS Block Device/Partition but does not fix our impacket issues"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows hard", "line": " Editing samba to create a windows fileshare from linux. 
Purposefully don't point it to our NTFS Disk so you can see the errors."}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 54, "seconds": 54}, "tag": "windows hard", "line": " Pointing samba to our NTFS Directory, to show it works much better"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "windows hard", "line": " Running wbadmin to create a backup to our fileshare and include ntds.dit"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Running wbadmin to restore a ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows hard", "line": " Using secretsdump to extract credentials out of the Active Directory database (ntds.dit) and show the history flag"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "windows hard", "line": " Showing you can't grab the flag as SYSTEM user due to EFS (Encrypted File System). 
Using WMIExec to get a shell as the actual user"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows hard", "line": " Using Mimikatz to restore the password of Audit2020, so it's like we were never there."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux easy", "line": " Doing nmap quickly by not running scripts to get open ports, then using that output to run scripts."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Checking out the webserver, discovering robots.txt"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux easy", "line": " Running gobuster on the admin-dir with the extensions txt and php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux easy", "line": " Finding credentials.txt within that admin-dir"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "linux easy", "line": " Logging into FTP to discover the web directory source"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Running gobuster again on utility-scripts to discover adminer.php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "linux easy", "line": " Going to adminer and trying to login"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux easy", "line": " Bypassing adminer authentication by creating a MySQL Database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 31, "seconds": 45}, 
"tag": "linux easy", "line": " Failing to drop a file in adminer"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux easy", "line": " Using LOAD DATA LOCAL to insert a file into our database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 38, "seconds": 5}, "tag": "linux easy", "line": " Uploading the servers index.php to our database and discovering the password"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " SSH into the server with the password found before"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux easy", "line": " Sudo allows us to set environment variables, using PYTHONPATH to hijack a python library... Failing to get a rev shell"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux easy", "line": " Switching to nc for a revshell and getting a root shell!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows insane", "line": " Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows insane", "line": " Checking out the web page, finding an API that allows us to search employees"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows insane", "line": " Extracting usernames from the database using the above API"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", 
"timestamp": {"minutes": 11, "seconds": 45}, "tag": "windows insane", "line": " Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on BruteFoce and special characters"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows insane", "line": " Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: Its content-type!)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows insane", "line": " Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows insane", "line": " While SQLMap runs, lets manually exploit this"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "windows insane", "line": " Found a union injection! Start of creating a Python Script, tons of issues around getting Request to send unicode"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows insane", "line": " Basic script is done, we can now send unicode data via python - Then convert to use the Cmd Module"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "windows insane", "line": " CmdLoop done, we can now send raw queries to the database. 
Lets make an option to do union injection"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 44, "seconds": 10}, "tag": "windows insane", "line": " Script now makes it easy to run UNION Commands and get the output, running through some basic MSSQL Injection to get data from the server"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "windows insane", "line": " Extracting database information (Table Names)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows insane", "line": " Extracting Usernames and hashes from the Logins table, then cracking the passwords"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 61, "seconds": 15}, "tag": "windows insane", "line": " Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Administrator. Then adding BruteForcing to our script"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 78, "seconds": 25}, "tag": "windows insane", "line": " Bruteforcing RID's to discover more usernames"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 83, "seconds": 8}, "tag": "windows insane", "line": " Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and BloodHound to enumerate Active Directory"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 99, "seconds": 0}, "tag": "windows insane", "line": " Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 105, "seconds": 45}, "tag": "windows insane", "line": " Discovering a VS Code is running, and some random ports keep opening up. Debug ports? 
Downloading CEFDebug then running"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 113, "seconds": 34}, "tag": "windows insane", "line": " Testing CEF exploit with ping, then create a powershell cradle. Edit Nishang to bypass AMSI"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "windows insane", "line": " Shell returned as CYORK"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 121, "seconds": 0}, "tag": "windows insane", "line": " Discover a DLL in the web directory, run strings against it and discover a new password"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 123, "seconds": 30}, "tag": "windows insane", "line": " Updating bloodhound to see if we gained any new paths with the new compromised user (SBAUER) and we have GenericWrite to user"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 126, "seconds": 30}, "tag": "windows insane", "line": " Using SBAUER to enable DoesNotRequirePreAuth, so we can obtain a password hash (asrep 23) and crack it"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 132, "seconds": 30}, "tag": "windows insane", "line": " Shell as Jorden and we can edit services! Use SC to replace the binpath with a reverse shell and get root!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 138, "seconds": 25}, "tag": "windows insane", "line": " ALTERNATE METHOD: Using ZeroLogon/ZeroLogin CVE-2020-1472... 
Failing to use impacket correctly "}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 143, "seconds": 15}, "tag": "windows insane", "line": " Reverting my box, doing impacket the correct way (Installing in an Virtual Environment)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 146, "seconds": 30}, "tag": "windows insane", "line": " Running the Zero Logon exploit to discover it worked! Running SecretsDump performs a DCSync and we can login as administrator... Rest of video is reverting what the exploit did to not leave a vulnerability!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 150, "seconds": 50}, "tag": "windows insane", "line": " SecretsDump with the -history flag shows the previous passwords... Now how to set a machine account, and how to \"pass the hash\" when setting a password."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 157, "seconds": 10}, "tag": "windows insane", "line": " Running mimikatz to see Defender deleted it, using MpCmdRunto delete all defender definitions."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 158, "seconds": 45}, "tag": "windows insane", "line": " Defender bypassed mimikatz runs!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 160, "seconds": 15}, "tag": "windows insane", "line": " Running mimikatz with lsadump::setntlm to restore the password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux hard", "line": " Start of recon, discovering a bunch of hostnames in a cert"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": 
{"minutes": 4, "seconds": 24}, "tag": "linux hard", "line": " Running wpscan against blog.travel.htb"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 6, "seconds": 10}, "tag": "linux hard", "line": " Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Using git-dumper to download the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "linux hard", "line": " Examining the git project to discover what it is and where its installed on the webserver"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Discovering a debug file"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Hunting for where web app accepts user input"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux hard", "line": " Getting the server to make a request back to us"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Examining what debug.php is telling us (memcache)"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Hunting around wordpress/simplepie to see how it is using memcache"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Begin of trying to poison the memcache object, talking about bypass the ip filter via hex encoding the ip"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": 
{"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Bypassing the file:// filter by using gopher to smuggle in a request to memcache. Using gopherus"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Explaining what gopherus is doing"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 41, "seconds": 48}, "tag": "linux hard", "line": " Creating a php serialized object to drop a file to the webserver"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 44, "seconds": 24}, "tag": "linux hard", "line": " Having gopherus generate a malicious payload then dropping a web shell to the server"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 50, "seconds": 50}, "tag": "linux hard", "line": " Examining the MySQL database"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 53, "seconds": 45}, "tag": "linux hard", "line": " Discovering the wordpress backup file with additional users"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "linux hard", "line": " Logging in with lynik-admin and cracked password from WP backup. 
Finding ldaprc and viminfo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 58, "seconds": 45}, "tag": "linux hard", "line": " Downloading Apache Directory Studio so we have a gui to LDAP"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux hard", "line": " Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the service"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux hard", "line": " Using Apache Directory Studio to modify a users password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux hard", "line": " Using Apache Directory Studio to add an SSH Key"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux hard", "line": " Using Apache Directory Studio to modify the user group to sudo, then we can sudo su to root"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Begin of nmap, enumerate ftp, and smb"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 5, "seconds": 32}, "tag": "windows easy", "line": " Taking a look at the website to discover umbraco"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows easy", "line": " Examining NFS with showmount"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows easy", "line": " Discovering umbraco.sdf on NFS is a database and contains the admin password"}, {"machine": "HackTheBox - 
Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "windows easy", "line": " Logging into umbraco and discovering the unauthenticated RCE"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 23, "seconds": 35}, "tag": "windows easy", "line": " Editing the umbraco exploit to ping our box"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows easy", "line": " Getting a reverse shell using Invoke-WebRequest instead of (New-Object Net.WebClient)"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "windows easy", "line": " Running WinPEAS to discover UsoSvc service is editable"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows easy", "line": " Editing the UsoSvc binpath to execute our reverse shell"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "windows easy", "line": " Alternate Path: Using Rogue Potato to get a shell"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 48}, "tag": "linux hard", "line": " Begin of Nmap, examining the page and running gobuster"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " Identifying some extra care"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "linux hard", "line": " Adding portal.quick.htb to the host file so we can resolve hostname"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 6, "seconds": 0}, "tag": 
"linux hard", "line": " Trying to identify if the web application will tell us if an account is valid"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Building an email list based upon clients and then running wfuzz to try and identify valid emails"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "linux hard", "line": " Searching for the latest HTTP and seeing HTTP3 utilizes UDP instead of TCP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Installing Quiche so we can navigate to the http3 site"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Having Quiche download files, discoving an initial password then revisiting the bruteforce to gain access to a ticket system"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Using wfuzz to search the helpdesk for all tickets "}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux hard", "line": " Finding ESIGATE is vulnerable to xml entity injection"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux hard", "line": " Testing the XXE Attack to see if it connects to our webserver"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "linux hard", "line": " The server keeps putting the full URL in its GET Request, which messes with pythons webserver. 
Switching to PHP's built in will fix this."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux hard", "line": " Failing to get a reverse shell to execute via XSLT, switching to download a file and execute it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "linux hard", "line": " Reverse Shell Returned as SAM"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " Finding printerv2.quick.htb and a little apache confusion its only listening on port 80. Esigate listens on 9001 then redirects to 80"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "linux hard", "line": " Dumping password hashes from MySQL to discover the server does some mangling of the password before md5sum, so we cant use hashcat"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 67, "seconds": 45}, "tag": "linux hard", "line": " Creating a cracking script in PHP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 73, "seconds": 15}, "tag": "linux hard", "line": " Logging into the application and seeing we can print jobs, then looking at source code to see how its doing it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 76, "seconds": 40}, "tag": "linux hard", "line": " Creating a script to abuse the race condition of printing a document. 
To replace documents with a symlink to sensitive files prior to printing."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 85, "seconds": 20}, "tag": "linux hard", "line": " Printing out the SRVADM SSH Key"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "linux hard", "line": " Finding a password in the cups configuration file, which is the root password"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux medium", "line": " Nmap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "linux medium", "line": " Starting GoBuster on the root and images"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux medium", "line": " Creating a basic PHP Shell, then attempting to upload it"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux medium", "line": " Grabbing the magic bytes off a JPG, then prepending it to our shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " File uploaded, hunting for an LFI and doing more SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux medium", "line": " Turns out we don't need the PHP Extension (.htaccess allows anything)"}, {"machine": "HackTheBox - Magic", 
"videoId": "bLIcew9Iot8", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux medium", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux medium", "line": " Grabbing the username and password out of Website Configuration"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 36, "seconds": 10}, "tag": "linux medium", "line": " Using VirusTotal to identify when a file was created"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "linux medium", "line": " Examining the .htaccess to see why we could execute code (should have a $ at the end)"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux medium", "line": " Using MsqlDump to dump the database and get a password out of it, su to the theseus user"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux medium", "line": " Found a SetUID Binary (sysinfo) then using strace to see what it does"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Using the -f argument with strace to follow forks and see the exec() calls"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux medium", "line": " Using Path Injection since absolute paths were not used in exec() and getting a root shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux medium", "line": " Showing SQLMap did complete with the increased level/risk"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": 
"HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Checking the web page, then running a SecList wordlist for CommonBackdoors"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux easy", "line": " GoBuster returned smevk.php"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux easy", "line": " Attempting to guess the password, get in with admin:admin"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 5, "seconds": 55}, "tag": "linux easy", "line": " Running script prior to my reverse shell to log the output... I forget to check this again but it did work!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Reading note.txt which hints at finding a LUA File, using find to hunt for files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "linux easy", "line": " The reverse shell is misbehaving, lets fix it by setting the the rows/columns"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux easy", "line": " Running LinPEAS, discover sudo with luvit; then looking up how to write files with a lua script"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "linux easy", "line": " SSH'ing in with SysAdmin after our key was written"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux easy", "line": " Using find some more to hunt for interesting files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 23, "seconds": 
11}, "tag": "linux easy", "line": " Using find to search between dates of interest shows an interesting backup directory"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "linux easy", "line": " Running pSpy to search for running processes"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Puzzled... Probably should have ran find commands to look for files edited within the last day!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux easy", "line": " Changing up our tactic and using find commands to search for writable files "}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux easy", "line": " Editing MOTD with a reverse shell then SSH'ing in"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "linux easy", "line": " Extra: Running linPeas to see if it would have seen this privesc."}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux easy", "line": " Looking at the script.log output"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux insane", "line": " Intro"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 2, "seconds": 10}, "tag": "linux insane", "line": " Using wget to recursively download files off an annonymous FTP Server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux insane", "line": " Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", 
"timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux insane", "line": " Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux insane", "line": " BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 15, "seconds": 20}, "tag": "linux insane", "line": " Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux insane", "line": " Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello World Java Application"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux insane", "line": " Importing a Java JAR File into our Java Project then calling Login"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux insane", "line": " Replicating the functionality to identify what Role we are, then other functions"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "linux insane", "line": " Calling the Invoker Class to execute methods on the server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "linux insane", "line": " Attempting to call methods that the GUI prohibited us from"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux insane", "line": " Using ShowFiles to see we can list files in our parent directory, then using Open to download files"}, {"machine": "HackTheBox - 
Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux insane", "line": " Failing to download the fatty-server.jar file due to encoding issues"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "linux insane", "line": " Unsealing the JAR File so we can edit the Invoker Class Object to fix our encoding issue by creating a binaryOpen function"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "linux insane", "line": " Utilizing our new binaryOpen function to write to a file"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 74, "seconds": 45}, "tag": "linux insane", "line": " Debugging a null pointer error, our binaryOpen function returned nothing!"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "linux insane", "line": " Decompiling the downloaded fatty server and analyzing it to discover a SQL Injection and Deserialization vector"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 88, "seconds": 50}, "tag": "linux insane", "line": " Playing with SQL Injections in the username to get an admin session"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "linux insane", "line": " Modifying the ChangePW Function to allow us to send malicious payloads, then using ysoserial to generate a payload"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 108, "seconds": 30}, "tag": "linux insane", "line": " Using CommonsCollections5 to generate a malicious payload to send and getting a reverse shell"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 117, "seconds": 17}, "tag": "linux insane", "line": " Getting PsSpy on the box and discovering SCP is 
pulling files"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 119, "seconds": 50}, "tag": "linux insane", "line": " Explaining what our exploit path is, having a tar overwrite itself and point to authorized_keys then the next time it is copied to it overwrites auth_key"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 124, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, attempting to explain the exploit vector again"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 1, "seconds": 24}, "tag": "linux hard", "line": " Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Poking at the login for the flask application (Port 5000)"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Playing with the Change Password fied, made a mistake which puts me down a rabbit hole"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux hard", "line": " Checking the Contact page, seeing we get banned with a XSS Attempt but someone will click URL's if we send them"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux hard", "line": " Creating an account on Authorization.oouch.htb"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "linux hard", "line": " Enumerating the /token/ an endpoint through error messages"}, {"machine": "HackTheBox - Oouch", "videoId": 
"EUtqjK27MxQ", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux hard", "line": " Using the webapp to give our authorization account access to our consumer account"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux hard", "line": " Going through the same workflow to give authorization access to consumer account, but tricking a different user into going to the last piece of the workflow"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " We are now the QTC User! Going into the Documents shows some hints like a develop credential"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "linux hard", "line": " Reading the Django Docs to see how the oauth endpoints are setup, finding the application register endpoint and the develop creds to again access"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Looking at the oauth authorization workflow again in order to build a authorization link for our new application!"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "linux hard", "line": " Thanks to our application's redirect url we stole QTC's token which will eventually let us develop endpoints"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 60, "seconds": 20}, "tag": "linux hard", "line": " Used the token to authenticate and get our Bearer token, then playing with API endpoints and noticing get_user and get_userjaskldfj both go to the same route. 
Helpful when brute forcing"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 64, "seconds": 25}, "tag": "linux hard", "line": " TIL, I don't know how to use FFU eventually i switch to wfuzz to bruteforce the endpoint"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 68, "seconds": 46}, "tag": "linux hard", "line": " Got shell on the box, discover note.txt and it hints at DBUS"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 73, "seconds": 30}, "tag": "linux hard", "line": " Creating a bash script to ping/port scan in order to enumerate other containers"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux hard", "line": " Digging through the code in order to discover UWSGI and how the webapp sends, attempting to send the dbus message but getting access denied."}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 88, "seconds": 30}, "tag": "linux hard", "line": " Searching for a UWSGI Code execution route so we can switch to www-data, finding a script "}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 98, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell as www-data returned, doing the DBUS Message again via python to get code execution"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "linux hard", "line": " ALTERNATE DBUS Method - Using the dbus commands (busctl/dbus-send) send the message without touching python"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Begin of nmap"}, {"machine": 
"HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Enumerating RPC to identify usernames"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows medium", "line": " Setting up a bruteforce and creating a custom wordlist with hashcat"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Enumerating LDAP with LDAPSEARCH"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows medium", "line": " Discovering the cascadeLegacyPwd LDAP Attribute which has a password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows medium", "line": " Using CrackMapExec to test the credential found in LDAP "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Installing the latest CrackMapExec to gain access to the Spider_Plus Module"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "windows medium", "line": " Using the spider_plus module of CME (CrackMapExec) to crawl the SMB Share as R.Thompson"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "windows medium", "line": " Mounting the SMB Share as R.Thompson in order to view the files in Data share"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 26, "seconds": 10}, "tag": "windows medium", "line": " Discovering the VNC Install.reg file which contains an encrypted password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "windows 
medium", "line": " Using Metasploit IRB to decrypt TightVNC's password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows medium", "line": " Using the VNC Password to gain a WinRM Session to Cascade as s.smith discovering he is in the Audit Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "windows medium", "line": " Using DNSPY to decompile the CascAudit DotNet application "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows medium", "line": " Setting a breakpoint in DNSPY where the password is decrypted and viewing the variable after it decrypts the pw"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "windows medium", "line": " Gaining e remote shell as ArkSvc to discover this user is in the AD Recycle Bin Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows medium", "line": " Viewing deleted Active Directory items to see the TempAdmin has the CascadeLegacyPwd field and discovering this is the PW for administrator"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Running Nmap"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 2, "seconds": 7}, "tag": "windows easy", "line": " Poking at SMB with CrackMapExec, SMBMap, and RPCClient to get nothing"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows easy", "line": " Checking out the web page"}, {"machine": "HackTheBox - 
Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows easy", "line": " Playing with user input in the website and getting an error \"HTTP VERB used is not allowed\""}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Copying names from the website"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows easy", "line": " Using some VIM/VI Magic (macro) to convert names into potential usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 12, "seconds": 40}, "tag": "windows easy", "line": " Identifying valid usernames by using KerBrute which can enumerate valid usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows easy", "line": " Running some Impacket scripts and performing an ASREP Roast to extract password hash from Active Directory"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "windows easy", "line": " Running GetNPUsers to get the hash for a user and then using hashcat to crack ASREP$23"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "windows easy", "line": " Seeing a RICOH printer share, pulling EXIF data off website to get an idea if it may be exploitable"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows easy", "line": " Using Evil-WinRM to log into the box with FSMITH and run WinPEAS to get saved credentials"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Running BloodHound"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": 
{"minutes": 34, "seconds": 25}, "tag": "windows easy", "line": " Identifying that svc_loanmgr can perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows easy", "line": " Running SecretsDump with svc_loanmgr to perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 37, "seconds": 45}, "tag": "windows easy", "line": " Performing a Pass The Hash with the administrator user using PSExec"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 34}, "tag": "linux medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux medium", "line": " Enumerating the login page"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 3, "seconds": 5}, "tag": "linux medium", "line": " Creating an account, identifying what fields are unique"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux medium", "line": " Logged into the page, examining functionality starting with the download.php file"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux medium", "line": " Playing with the search field"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux medium", "line": " Playing with XSS by using img src"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux medium", "line": " Examining the user signup more closely"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": 
{"minutes": 15, "seconds": 25}, "tag": "linux medium", "line": " Viewing javascript on the page to show there is a maximum number of characters in username/email"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux medium", "line": " Start of attempting SQL Truncation attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "linux medium", "line": " Attempting to login to /admin/ with our account to see we get in, then redoing everything to explain it."}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux medium", "line": " Explaining the SQL Truncation Attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux medium", "line": " Noticing the PDF Generation processes HTML and probably JavaScript"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux medium", "line": " Using a Javascript payload that reads a local file on the box"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "linux medium", "line": " Getting rid of the Base64 Encoding in the payload and reading /etc/passwd"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 46, "seconds": 18}, "tag": "linux medium", "line": " Trying (and failing) to grab /proc/self/environ "}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 54, "seconds": 10}, "tag": "linux medium", "line": " Attempting to grab an SSH Key for the Reader User"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " SSH Key is poorly formatted. 
Using pdf2text to see if formatting is better"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux medium", "line": " PDF2Text didn't work, lets try PDF2HTML which does a great job"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux medium", "line": " Revisiting the Base64 Payload to see if PDF2HTML grabs all the Base64 (it does)"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 62, "seconds": 15}, "tag": "linux medium", "line": " Running LINPEAS to see we may be able to exploit log rotate"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 66, "seconds": 10}, "tag": "linux medium", "line": " Poorly explaining how logrotten works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "linux medium", "line": " Performing the Logrotten exploit to get a reverse shell"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 78, "seconds": 15}, "tag": "linux medium", "line": " Finally keeping the reverse shell alive"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 80, "seconds": 25}, "tag": "linux medium", "line": " Examining how the SQL Truncation vulnerability came to be by looking at the PHP Source Code and then SQL Table Schema"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "linux medium", "line": " Showing how it determines the admin user and uses trim() which is why our attack works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "linux medium", "line": " Examining the PHP Sessions"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": 
"linux hard", "line": " Intro"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux hard", "line": " Begin of Nmap"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux hard", "line": " Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "linux hard", "line": " Registering an account and examining the functions to signed in users"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Playing with the ProfilePicture.php to discover we can do file inclusion"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "linux hard", "line": " Testing for RFI"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 14, "seconds": 25}, "tag": "linux hard", "line": " Using the PHP Filter Wrapper to convert php files to base64 and extract source code"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux hard", "line": " Start of creating a script to automate this"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux hard", "line": " Terminal portion of the script completed, now to add HTTP Requests"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Script cannot access the page due to requiring a login session, hard code the login cookie"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 26, "seconds": 
50}, "tag": "linux hard", "line": " Script now is able to extract files off the server, now to add a save_file function"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux hard", "line": " Using the script we created as a library and building a brute forcer!"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux hard", "line": " Manually looking at source code while our script runs in the background"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " Going back to gobuster seeing the \"/dev\" directory, extracting source to get credentials to SSH into the box"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux hard", "line": " Examining the Backup SetUID File with strace, explaining Path Injection (but it doesn't work here)."}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux hard", "line": " Opening up the backup file in Ghidra"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "linux hard", "line": " Using find to search for files owned by Pain to discover config.php.bak, then abusing the backup program to read this file"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux hard", "line": " Abusing the sudo rules to skip the crypto challenge. 
Upload a luks container with a SetUID Binary"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 55, "seconds": 45}, "tag": "linux hard", "line": " Creating a Luks Container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Adding a SetUID Binary in the luks container then uploading it, and executing it to get root"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux hard", "line": " Going back to look over the Crypto Challenge"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux hard", "line": " Using the program to encrypt text we know the key to, so we can build a bruteforcer"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux hard", "line": " Found a weird bug, we only need to know the first character of the key and length... 
Build a cracker based upon that"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 83, "seconds": 40}, "tag": "linux hard", "line": " Key found, decrypt the container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 88, "seconds": 55}, "tag": "linux hard", "line": " Going back to the ProfilePicture, and finding the SSRF + XXE Chain"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 93, "seconds": 50}, "tag": "linux hard", "line": " Showing the importance of double URL Encoding"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 102, "seconds": 55}, "tag": "linux hard", "line": " Creating another module for our LFI Script to add some crawl functionality to automatically download a bunch of source code!"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 0, "seconds": 51}, "tag": "", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Testing basic SQL Injection on product.player2.htb"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Running gobuster against the product domain to find potential pages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Running gobuster to try to enumerate sub domains."}, {"machine": "HackTheBox - Player2", "videoId": 
"ehoh6g5dSWk", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "", "line": " Checking the full port scan of the box to see 8545"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "", "line": " Gobuster had an issue enumerating subdomains, switched to wfuzz"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Investigation TWIRP because port 8545 had that in an error mesage"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "", "line": " Running gobuster to hunt for protobuf files and api endpoints"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Exploring the generated.proto file"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull credentials"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Using Hydra to bruteforce an http login form"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 47, "seconds": 50}, "tag": "", "line": " Exploring login logic to see how SESSIONS are handled after invalid logins"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Testing /api/totp now that we have a session and finding ways to generate backup codes"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Looking at the authenticated product page"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "", "line": 
" Playing with the upload form of the protobs interface"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 59, "seconds": 20}, "tag": "", "line": " (unintended) Hunting for the uploads/ directory and testing for potential race condition"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "", "line": " Winning the race to get a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 65, "seconds": 15}, "tag": "", "line": " Doing the firmware upload the intended way."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 67, "seconds": 20}, "tag": "", "line": " Using DD to extract data out of binwalk"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "", "line": " Exploring the firmware in Ghidra"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "", "line": " Testing the firmware signing by opening the ELF in a hex editor and changing a byte near the beginning of the file, then the end of the binary"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 75, "seconds": 10}, "tag": "", "line": " Editing the string in the system() call test for RRCE"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "", "line": " Changing our ping command to be a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Reverse shell returned but wanted to see how much of this ELF we messed up by overflowing the string."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "", "line": " Checking the MySQL Database for creds"}, 
{"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 101, "seconds": 50}, "tag": "", "line": " Running pspy to see some hidden crons"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 104, "seconds": 40}, "tag": "", "line": " Running chisel to forward the MQTT Port back to our box"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 111, "seconds": 10}, "tag": "", "line": " Using mosquitto_sub to subscribe to a topic and get messages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 113, "seconds": 40}, "tag": "", "line": " Subscribing to $SYS/# and seeing an SSH Key broadcast to it"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 114, "seconds": 40}, "tag": "", "line": " Changing the SSH Key on the box, which root reads and broadcasts. Use this to get shadow and root.txt"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows easy", "line": " Start of NMAP"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "windows easy", "line": " Using SMBClient to search for open shares (None)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows easy", "line": " Checking out the web page, some light fuzzing on login and examining how the language selection works"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "windows easy", "line": " Taking a Screenshot on Parrot and pasting it into Cherry Tree (Shift+PrintScreen)"}, {"machine": "HackTheBox - ServMon", "videoId": 
"4tCD0GemXYg", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows easy", "line": " Checking out FTP and downloading the two txt files"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows easy", "line": " Viewing port 8443, and realizing this page really hates firefox. Switch to Chromium"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 19, "seconds": 5}, "tag": "windows easy", "line": " Using searchsploit to find there's a directory traversal exploit in NVMS"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "windows easy", "line": " Grabbing Passwords.txt off Nathan's Desktop (filename was an FTP Note)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "windows easy", "line": " Using CrackMapExec to bruteforce logins for SMB and SSH (SSH alread bug fixed in DEV Branch)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Logging in with SSH, then looking for WebServer directories"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "windows easy", "line": " Examining the NSClient directory to view the config"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "windows easy", "line": " Using SSH to setup a port forward"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "windows easy", "line": " Lots of flailing around trying to get code execution"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "windows easy", "line": " Enough flailing, box reverted and do a clean run of 
this exploit"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows easy", "line": " Flailing around trying to get Nishang to run... Defender is giving me issues."}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "windows easy", "line": " Giving up with Defender Evasion, switching to nc.exe to get a reverse shell"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "windows easy", "line": " Reverse shell returned as System grabbing root.txt"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Into"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 3, "seconds": 36}, "tag": "windows medium", "line": " Using rpcclient with null authentication and dumping active directory users"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 6, "seconds": 26}, "tag": "windows medium", "line": " Building a password list with hashcat --stdout (Forest Video does it better)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 8, "seconds": 41}, "tag": "windows medium", "line": " CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 12, "seconds": 6}, "tag": "windows medium", "line": " Using SMBMap to list contents of directories"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows medium", "line": " Using SMBMap to download azure.xml which 
has a hardcoded credential in it then testing with WinRM to see if we can get a shell"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Downloading and running Seatbelt on the server"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "windows medium", "line": " Running WinPEAS for a second opinion"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 27, "seconds": 45}, "tag": "windows medium", "line": " Talking about the Azure Admins group"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 28, "seconds": 55}, "tag": "windows medium", "line": " Playing with SQLCMD to view the MSSQL Database"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 30, "seconds": 45}, "tag": "windows medium", "line": " Downloading and running PowerUpSQL to see if there's any obvious escalation paths"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows medium", "line": " Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 hash (I should of noticed its the machine account due to username ending with a $, these are pretty much never crackable)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "windows medium", "line": " Searching google to find XPNSec's post on \"Azure AD Connect for Red Teamers\""}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows medium", "line": " Running through the commands with SQLCMD to understand what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "windows 
medium", "line": " Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on us"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "windows medium", "line": " Stepping through the script to see where it is failing"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "windows medium", "line": " Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows medium", "line": " Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "windows medium", "line": " Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "windows medium", "line": " Dumping the DNS Zone for MEGABANK.LOCAL via powershell"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Showing why we should run NMAP as root or sudo."}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "windows easy", "line": " Running nmap to see only SMB is open, start a full port scan and move on"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows easy", "line": " Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to 
explore how each program works"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Running SMBClient to mount the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows easy", "line": " Installing CIFS-Utils so we can mount SMB and run commands like find against the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Discovering a password, doing a credential spray and getting some odd results"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "windows easy", "line": " Mounting the shares with as TempUser to discover we have access to more files"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Using iconv to cat a windows text file because it showed a bunch of bad characters"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows easy", "line": " Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Directory, we can get into this folder"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows easy", "line": " Downloading the source-code to RUScanner in the User share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Switching to Windows so we can use Visual Studio to compile the RUScanner application and decrypt the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows easy", "line": " Dropping the config in bin/debug and setting a breakpoint on the 
line of code which decrypts the password to view the output"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 35, "seconds": 55}, "tag": "windows easy", "line": " Using CrackMapExec to validate these are valid credentials, then exploring the fileshares again"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "windows easy", "line": " Exploring the application on port 4386 and showing why we need to use TELNET and not NC or NETCAT"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows easy", "line": " Playing with the various options on port 4386"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 44, "seconds": 58}, "tag": "windows easy", "line": " Using SMBClient to mount the Users directory as C.SMITH so we can use \"allinfo\" to see an ADS (Alternate Data Stream) Exists, then downloading the hidden password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows easy", "line": " Using the custom program on port 4386 and using the DEBUG Options to download the configuration file with an encrypted LDAP Password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "windows easy", "line": " Using DNSPY to decompile HqkLdap.exe"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "windows easy", "line": " Editing the application to print the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "windows easy", "line": " Running HqkLdap to get the decrypted password, which is the administrator password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 59, "seconds": 20}, "tag": 
"windows easy", "line": " Using psexec to get a shell on the box as the SYSTEM user"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows medium", "line": " Intro"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "windows medium", "line": " Talking about my switch to Parrot"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows medium", "line": " Begin of nmap, discovering it is likely a Windows Domain Controller"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows medium", "line": " Checking if there are any open file shares "}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 6, "seconds": 11}, "tag": "windows medium", "line": " Using RPCClient to enumerate domain users (enumdomusers)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "windows medium", "line": " Using CrackMapExec to dump the PasswordPolicy"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Using RPCClient to dump Active Directory information (querydispinfo)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "windows medium", "line": " Bruteforcing accounts via CrackMapExec with password of Welcome123!"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Using Evil-WinRM to remote into the server as Melanie"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows medium", "line": " Building the latest 
version of Seatbelt on CommandoVM (The DotNet version is incompatible)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "windows medium", "line": " Explaining some cool bash one line tricks, then linking Egypt's \"One liners to rule them all\" talk"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows medium", "line": " Changing Seatbelt to compile to Version 4.0 then trying again."}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "windows medium", "line": " Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "windows medium", "line": " Running WinPEAS to compare the differences"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows medium", "line": " Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows medium", "line": " Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "windows medium", "line": " Quickly going over how to execute code on a Domain Controller as a DNS Admin"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 46, "seconds": 
10}, "tag": "windows medium", "line": " Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "windows medium", "line": " Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "windows medium", "line": " Using the DNS-EXE-Persistance to help us create a better to do the Reverse Shell"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 53, "seconds": 3}, "tag": "windows medium", "line": " Explaining the DNSCMD Exploit path on how it can be used both foor lateral movement and privesc"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 54, "seconds": 50}, "tag": "windows medium", "line": " Start of creating the DLL to use with this DNS Exploit"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 56, "seconds": 45}, "tag": "windows medium", "line": " Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows medium", "line": " Showing that we get a Reverse shell and DNS Keeps running"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 63, "seconds": 52}, "tag": "windows medium", "line": " Removing the \"CreateThread\" portion of our code to show that was needed, without CreateThread the DNS Server hangs because it stops on the RevShell code"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": 
"HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Nmap the box, then play with the WebServer. 404 msg are interesting"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "", "line": " Opening the binary up in Ghidra and exploring the binary to understand what it does"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "", "line": " Discovering we have control over the first argument in log_access/printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "", "line": " Showing one of my most hated things about debugging forks. Be sure to always kill the process!"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 21, "seconds": 5}, "tag": "", "line": " Using GDB to help us analyze the log_access call, by breaking and examining the stack"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Begin of PrintF (Format Strings) Exploitation, leak a bunch of memory addresses, then identify a spot in memory where we control"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "", "line": " Starting to write an exploit script"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "", "line": " Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. 
Analyze the binary again and see it supports the \"RANGE\" HTTP Header which is required to grab these special files"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "", "line": " Back to Coding the exploit script, now that we can grab the process map"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 41, "seconds": 25}, "tag": "", "line": " Testing our leaking/rebasing code to verify we are leaking correctly then using fmtstr_payload to automate the exploit"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Running the exploit, seeing the output of \"GET\" on the Server's STDOUT... Lots of fighting with a debugger to show exactly what happened (explain it later, may want to skip to the next part)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "", "line": " Replacing GET in our request with commands, to see it is running them. Placing a reverse shell here using IFS as space."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "", "line": " Changing the exploit to use the target... For some reason we have the wrong libc version, once we figure that out it works."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 68, "seconds": 25}, "tag": "", "line": " Going to /proc/self/maps again to leak the path of libc, redownloading it and then we instantly get a shell. Drop SSH Keys and SSH in"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "", "line": " Going back.. the issues with debugging the printf exploit, to explain it. 
The issues had was system() calls fork and we followed it"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "", "line": " John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls a printlog() option in a custom library that is chmod'd to 777"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 81, "seconds": 10}, "tag": "", "line": " Creating a custom library that replaces printlog() with a system(\"/bin/bash\") call, uploading and getting our shell. Drop an SSH Key and go in via ssh"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "", "line": " Examining the contact bin in Ghidra, this one is stripped so it will be a bit more pain to navigate"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "", "line": " Explaining the buffer overflow in the recv() call -- Then lots of fighting with gdb to get to a part of the code to explain overwriting the canary"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 106, "seconds": 49}, "tag": "", "line": " Partially overwriting the canary and showing it in GDB, then explaining how its like a padding oracle attack due to it not changing. "}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 110, "seconds": 10}, "tag": "", "line": " Begin the exploit script, start off with creating our threaded bruteforcer() class."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 122, "seconds": 45}, "tag": "", "line": " Explaining what our code will do, then running it and fixing errors"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 131, "seconds": 30}, "tag": "", "line": " Testing our program to see we can leak the canary. 
Then leaking RBP and RIP"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 134, "seconds": 50}, "tag": "", "line": " Using VMMAP to aid us in rebase the binary to bypass ASLR."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 138, "seconds": 22}, "tag": "", "line": " Using pwntools to create a write() gadget to leak a libc address, then rebase libc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 143, "seconds": 35}, "tag": "", "line": " Since Canary/RBP/RIP are always the same, lets just hard code those variables for now to save time"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 145, "seconds": 30}, "tag": "", "line": " Going over the ROP Gadget, then verifying the libc address is correct and doing dup2,dup2,execve for code execution"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 155, "seconds": 40}, "tag": "", "line": " Found why the ExecVE wasn't working, didn't update the rop variable name, so ran libc leak twice"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 156, "seconds": 30}, "tag": "", "line": " Updating the code to work remotely. 
Use Chisel to forward port 1337 to our box"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 165, "seconds": 30}, "tag": "", "line": " Printing a few more debug things so we know the code is working, downgrading the # of workers, then running it remotely, to get a shell"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 168, "seconds": 50}, "tag": "", "line": " Showing we don't need the Pop RDI because RDI is already set as the FD"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 174, "seconds": 19}, "tag": "", "line": " Removing the first 16 bytes of our libc leak, to skip over RDI"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 176, "seconds": 40}, "tag": "", "line": " Removing the RDI's from our Dup2 calls"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 180, "seconds": 35}, "tag": "", "line": " Removing all the PwnTools magic from our binary, manually rebasing"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 182, "seconds": 30}, "tag": "", "line": " Manually specifying the addresses for everything, gadgets (ropper), objdump (PLT), ReadElf (GOT), Strings (binsh)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 194, "seconds": 0}, "tag": "", "line": " Leaking libc gadget works. 
Repeating everything we did here with LibC and building the execve gadget"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 203, "seconds": 30}, "tag": "", "line": " Begin of manual PrintF, showing the liveoverflow videos I recommend watching."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 215, "seconds": 15}, "tag": "", "line": " Creating the printf payload (have a typo, should be %4x)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 218, "seconds": 35}, "tag": "", "line": " Going to the pritnf call in GDB, examining the GOT PUTS address before/after to see we screwed up"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 222, "seconds": 30}, "tag": "", "line": " Had the wrong address for PUTS in our printf payload, put the correct one in and examine the call in GDB to see PUTS@GOT is now 0xc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 224, "seconds": 17}, "tag": "", "line": " Explaining why we want to break the SYSTEM() address into two 2 byte pieces instead of one 4 byte... Modifying our PrintF Payload to allow this. This piece should really show what the \"n\" variable does in printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 227, "seconds": 9}, "tag": "", "line": " Our memory address is close to what we want for SYSTEM, modifying the number slightly"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 229, "seconds": 20}, "tag": "", "line": " Address matches! 
Running the exploit with our reverse shell and hand crafted printf payload to show it works."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux hard", "line": " Intro"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Begin of nmap, there's a weird 8888 port."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux hard", "line": " Looking at the website, downloading a docx"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Finally running GoBuster, doing the raft wordlist because it has \"UpdateDetails\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux hard", "line": " Running GoBuster against the \"release\" directory to get release notes and researching XML and DocX"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux hard", "line": " Adding an XXE Payload into our Word Document: customXml/item1.xml"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Making an XXE Chain to extract files using HTTP and PHP's Encoder"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux hard", "line": " Extracting the Apache Config to see DocRoot, then extracting config.php"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens with bad regex to remove things."}, {"machine": "HackTheBox - Patents", "videoId": 
"XqsURG_agvY", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Exploring Log File Poisoning"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux hard", "line": " Shell returned on the box, fixing up the TTY and searching for files by creation time"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 58, "seconds": 30}, "tag": "linux hard", "line": " There's a file in /opt/, that hints at a cronjob running a task every minute. Running PSPY to see the process creation"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "linux hard", "line": " Password is exposed in the command, this is the root password to the docker. Exploring the Cron and /opt/lfm directory"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "linux hard", "line": " Exploring the lfm directory and examining old git commit's to get the binary of lfmserver and some old source code."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "linux hard", "line": " Opening up on Ghidra, defining main"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 77, "seconds": 20}, "tag": "linux hard", "line": " Going into the first piece of the program which looks like an argument check. Looking at the source to verify we are correct."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux hard", "line": " Searching for the password in the binary to see where it is used. 
Use GDB to help us understand what is happening"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "linux hard", "line": " Start of creating an exploit script"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 89, "seconds": 50}, "tag": "linux hard", "line": " Changing the password to ippsec, and looking at it in GDB to confirm a variable... Bunch more playing around learning the binary"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 104, "seconds": 10}, "tag": "linux hard", "line": " Discover the applicaiton is expecting files to be in /files/, behaves like DOC_ROOT"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 105, "seconds": 10}, "tag": "linux hard", "line": " Explaining where I think the Buffer Overflow Happens (URLDecode)"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 110, "seconds": 0}, "tag": "linux hard", "line": " Crashed the applicaiton, discovering the correct spot to overwrite with \"pattern create\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 114, "seconds": 0}, "tag": "linux hard", "line": " Using Ropper to find some pop gadgets to use, then creating a gadget to leak an address using write(). Then doing a bunch of troubleshooting around MD5Sum to get the code to a spot that triggers our overflow."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 139, "seconds": 0}, "tag": "linux hard", "line": " End of troubleshooting that MD5 issue. 
Viewing what the server is sending in wireshark"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 147, "seconds": 30}, "tag": "linux hard", "line": " Calculating Memory Offsets based upon the link"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 156, "seconds": 10}, "tag": "linux hard", "line": " Creating a gadget to map stdin/stdout then execute bash... Then lots of troubleshooting, some encoding issue."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 162, "seconds": 20}, "tag": "linux hard", "line": " Memory address looks weird, using GDB to confirm we grabbed the wrong address."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 169, "seconds": 0}, "tag": "linux hard", "line": " Calculating where the BinSH String would be located and now our script works locally!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 171, "seconds": 10}, "tag": "linux hard", "line": " When going against target, our script isn't even getting the memory leak... Incorrectly thinking there's some ACL based around IP Address. Using an SSH Tunnel to create a reverse tunnel and access the server through the docker"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 175, "seconds": 0}, "tag": "linux hard", "line": " Realizing the MD5 is wrong since convert.php on our target is different than our box!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 177, "seconds": 15}, "tag": "linux hard", "line": " Address leaked! Using libc-database to hunt for the version of libc on the target machine"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 180, "seconds": 0}, "tag": "linux hard", "line": " Libc-database found the correct libc, modifying our exploit script to use this libc. 
Then getting a shell"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 185, "seconds": 30}, "tag": "linux hard", "line": " Running LinPEAS and noticing that /dev/sdb1 is mounted to /root, examining /dev/sda2 to see if there was a /root directory underneat to get root.txt."}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux medium", "line": " Intro"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 1, "seconds": 3}, "tag": "linux medium", "line": " Quick rant about Security through Obscurity and why it can be good"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux medium", "line": " Begin of nmap'ing the box "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Checking out the webpage, GoBuster giving weird errors, try WFUZZ"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 12, "seconds": 5}, "tag": "linux medium", "line": " Taking a deeper look at the website while we have some recon running"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux medium", "line": " Wfuzz found nothing hunting for /$directory/SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux medium", "line": " Doing some Directory Traversal attempts against the webserver, and seeing it looks like its vulnerable"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux medium", "line": " Extracting the source code to the webserver by specifying /../SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", 
"videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux medium", "line": " Installing VS Code so we can run this webserver and insert breakpoints"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 28, "seconds": 20}, "tag": "linux medium", "line": " Creating main.py then running the code in VSCode"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux medium", "line": " Exploiting the exec() statement in the WebServer"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux medium", "line": " Explaining that we can't use + for spaces in the url, have to do %20, then testing a reverse shell"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux medium", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 46, "seconds": 50}, "tag": "linux medium", "line": " Turns out the intended way is to find the /develop/ directory. 
Looking into why wfuzz missed it"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "linux medium", "line": " Copying the SuperSecureCrypt files back to our local box, then reading the source"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux medium", "line": " Explaining modulus "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 59, "seconds": 45}, "tag": "linux medium", "line": " Explaining Known Plaintext Attack"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 63, "seconds": 35}, "tag": "linux medium", "line": " Having trouble deciphering arguments, typing out the arguments on decrypting the key"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "linux medium", "line": " Decrypting the PasswordReminder.txt"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 70, "seconds": 39}, "tag": "linux medium", "line": " Explaining Block Ciphers and how to protect against Known-PlainText"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 71, "seconds": 25}, "tag": "linux medium", "line": " Rant about Initialization Vectors (IV) and why repeating them is bad (WEP)"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux medium", "line": " Looking at the BetterSSH Source Code"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 77, "seconds": 10}, "tag": "linux medium", "line": " Explaining why we can overload the -u parameter of Sudo"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux medium", "line": " Setting up a watch 
command to copy all files in /tmp/SSH to /dev/shm so we can crack them later"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 81, "seconds": 10}, "tag": "linux medium", "line": " Root #1: Exploiting BetterSSH via overloading parameters"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 85, "seconds": 20}, "tag": "linux medium", "line": " Root #2: Cracking the password"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 2, "seconds": 35}, "tag": "linux easy", "line": " Running GoBuster to discover /music/, checking the page to try to find out what it is."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Going to login reveals this is OpenNetAdmin version 18.1.1, searchsploit isn't updated and fails to find the correct exploit"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Showing what to do when an web exploit script gives HTML"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Finding the correct exploit script, setting it to go through burpsuite"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux easy", "line": " Failing to get a reverse shell for a bit because of bad characters (explained at end, we needed to URL Encode it)."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Reverse shell worked when doing the python one."}, {"machine": "HackTheBox - OpenAdmin", 
"videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux easy", "line": " Looking for a config file with database connection info"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux easy", "line": " Exploring the MySQL Database to get additional creds"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux easy", "line": " Running Medusa to test the passwords against users on the box to discover we can login as jimmy"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux easy", "line": " Showing of \"sucrack\" to brute force with \"su\" incase SSH Was not open"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux easy", "line": " Running find to see what files are owned by Jimmy to see some new php scripts"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "linux easy", "line": " Discovering a second webserver, accessing main.php lets us read an SSH Key... Digging into why, because it looks like it wants us to login (forgot the die; command)"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "linux easy", "line": " Lets try it the \"correct\" way with an SSH Tunnel and using firefox to login, going down a \"magic hash (===)\" rabbit hole. 
When we could just crack the pw."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux easy", "line": " Running John to crack the SSH Key"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 68, "seconds": 35}, "tag": "linux easy", "line": " Linpeas shows Joanna can run nano with sudo"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "linux easy", "line": " GTFOBins shows a way to have nano execute commands"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 79, "seconds": 0}, "tag": "linux easy", "line": " GOING BACK: URL Encoding the the original RCE to see a standard bash revshell would work"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Start"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows hard", "line": " Begin of nmap"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. 
Run GoBuster on /uploads/ looking for PHP files"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows hard", "line": " Begin fuzzing Proxy Headers with wfuzz to access admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows hard", "line": " Having BurpSuite automatically add the x-forwarded-for header to our requests"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows hard", "line": " Explaining a reason why this header exists in the first palce"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows hard", "line": " Discovering Union injection on the admin page"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows hard", "line": " Telling SQLMap to run in the background, while we manually enumerate this ourselves."}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows hard", "line": " Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows hard", "line": " Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "windows hard", "line": " 
Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows hard", "line": " Grabbing user hashes out of the database with our injection then cracking them to discover hector's password"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows hard", "line": " Using OUTFILE in our injection to drop a php webshell to the server"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 58, "seconds": 5}, "tag": "windows hard", "line": " Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 64, "seconds": 2}, "tag": "windows hard", "line": " Using powershell to run a command as hector with the password we cracked from the database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 68, "seconds": 15}, "tag": "windows hard", "line": " Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 74, "seconds": 30}, "tag": "windows hard", "line": " Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 75, "seconds": 40}, "tag": "windows hard", "line": " Running ConvertFrom-SddlString to make sense of the registry permissions"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "windows hard", "line": " Listing services on the box, then shrinking the number by only showing 
ones that run as LocalSystem with a Manual startup type"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "windows hard", "line": " Shrink the list some more by only showing the services that our user has permission to startup"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows hard", "line": " Showing the \"SC\" command cannot set the BinPath of services, need to do this via registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 98, "seconds": 0}, "tag": "windows hard", "line": " Changing the ImagePath of the wuauserv service in the registry via PowerShell"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 101, "seconds": 15}, "tag": "windows hard", "line": " Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux medium", "line": " Start of nmap and examining the HTTPS Certificate to get a potential hostname"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux medium", "line": " Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMAP do HTTPS instead of HTTP"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 6, "seconds": 26}, "tag": "linux medium", "line": " Playing with analytics.php and some light testing to see if we could do SSRF. 
Put it on the backburner and move on."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 7, "seconds": 42}, "tag": "linux medium", "line": " Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 8, "seconds": 51}, "tag": "linux medium", "line": " Going over NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 9, "seconds": 44}, "tag": "linux medium", "line": " Attempting to explain NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "linux medium", "line": " Performing a NoSQL Injection test via x-www-form-encoded data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 12, "seconds": 44}, "tag": "linux medium", "line": " Doing Regular Expressions with NoSQL Injection to extract the password length"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux medium", "line": " Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux medium", "line": " Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "linux medium", "line": " Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux medium", "line": " Going over doing Burp Intruder to extract data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", 
"timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux medium", "line": " Creating a Python Script to do this NoSQL Injection since Burp cost $$ and is slow."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 37, "seconds": 11}, "tag": "linux medium", "line": " Script mostly done extracting admin's password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 40, "seconds": 47}, "tag": "linux medium", "line": " Trying to extract Mango's password but there's a tricky character, troubleshooting"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux medium", "line": " Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux medium", "line": " Running LinPEAS and seeing JJS is a SetUID Bin"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "linux medium", "line": " Turns out we can't execute JJS as mango, only admin. 
Use \"su\" to switch to admin and run JJS"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 50, "seconds": 11}, "tag": "linux medium", "line": " Using JJS to write a file and drop an SSH Key"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Unofficial Time Schedule."}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - First 30 minutes - Using ansible to build a Windows Domain"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Next 30-45 minutes - Searching Exploit-DB and taking apart exploits to understand them"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - The remainder of time - VulnHub or something."}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Unofficial Time Schedule."}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - First 30 minutes - Using ansible to build a Windows Domain"}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Next 30-45 minutes - Searching Exploit-DB and taking apart exploits to understand them"}, {"machine": "Sunday Night Learning", "videoId": "Or21g3iw6BU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - The remainder of time - VulnHub or something."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Running nmap against the box, port 80 is running a unique webserver (nostromo)"}, {"machine": "HackTheBox - Traverxec", "videoId": 
"6_C9ShH9v2w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "linux easy", "line": " Lets check out the website before we throw any exploits"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 6, "seconds": 37}, "tag": "linux easy", "line": " Launching metasploit then exploting Nostromo but sending the exploit through burpsuite to see what it is doing"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 10, "seconds": 34}, "tag": "linux easy", "line": " Code Execution worked, for some reason the proxies command didn't work the first time"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 11, "seconds": 18}, "tag": "linux easy", "line": " Explaining why the script does a GET request before throughing an exploit (Exploit Verification)"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Editing the payload to send a Bash Reverse Shell"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Running LinPEAS"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux easy", "line": " Running LinEnum in Thorough mode"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 19, "seconds": 22}, "tag": "linux easy", "line": " Going over LinPEAS Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 22, "seconds": 16}, "tag": "linux easy", "line": " Going over LinEnum Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux easy", "line": " Discovering a HTPASSWD Password, then using hashcat to crack it"}, {"machine": "HackTheBox - Traverxec", "videoId": 
"6_C9ShH9v2w", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "linux easy", "line": " Looking at the HTTP Configuration file to discover public_www directory in home directories"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Explaining Linux Permissions on Directories and why we can do a ls in /home/david/public_www but not /home/david/ "}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux easy", "line": " Discovering an encrypting SSH Key for David in public_www, downloading the file via netcat then cracking the key with sshng2john.py John"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " SSH into the box as David"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "linux easy", "line": " Discovering David can sudo journalctl,"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux easy", "line": " Privesc by removing the pipe and then running !bash. 
Explaining why this works by tracing parent processes to see journalctl is just executing pager which is symlink'd to less"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "linux easy", "line": " Comparing the Directory traversal exploits (MSF and non-MSF) to see a weird bug adding %0d bypassed the /../ whitelist check"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "linux easy", "line": " Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 50, "seconds": 27}, "tag": "linux easy", "line": " Using find and grep to md5sum all the files to figure out what has changed."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 53, "seconds": 26}, "tag": "linux easy", "line": " Using diff to compare two files"}, {"machine": "Creating a VM to learn Linux PrivEsc", "videoId": "B_7NIkSlYuQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Support the stream: https://streamlabs.com/ippsec"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Begin of Recon, discovering hostname in SSL Certificate"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster against Registry.htb and Docker.Registry.htb to discover CA Certificate in /install/"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " /v2/ on Docker.Registry.HTB requires login, guessing admin:admin and then looking into the Docker Registry API"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", 
"timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux hard", "line": " Manually downloading a Blob off the Registry and extracting it to reveal files "}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " A bit more elegant way to do this, configure Docker to use this registry by adding the CA to our Docker SSL Cert Store. Then downloading the Bolt-Image Container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux hard", "line": " Discovering an Encrypted SSH Key on the container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Explaining SSH Config Files"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux hard", "line": " Using find to show files modified between two dates to discover a file with the SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux hard", "line": " Using more forensic artifacts (viminfo) to dicover the file with SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Checking /var/www/html to discover the Web User can probably use sudo with restic. 
Try to get a shell as www-data"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux hard", "line": " Checking out Bolt CMS Exploits to discover an authenticated RCE"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux hard", "line": " Downloading the bolt SQLite database then viewing the contents and cracking the admin password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "linux hard", "line": " Identifying the algorithm bolt uses to hash passwords"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Exploiting Bolt by editing the config to allow PHP Files and then uploading a webshell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Could not get a reverse shell, checking iptable rules to see iptables blocks packets initiating a connection on OUTBOUND. 
Switching to localhost for reverse shell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Setting up a Reverse SSH Tunnel to forward 127.0.0.1:8000 to our box, so Restic can talk to us"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux hard", "line": " Setting up a Restic Server on our box"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "linux hard", "line": " Using Restic to download /root and get the Root SSH Key to login to the box"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 0, "seconds": 34}, "tag": "", "line": " Explaining how networking is setup, then nmap"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Examining why nmap says a port is filtered in Wireshark"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Exploring the webpage and doing basic SQL Injections in the search functionality"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Starting GoBuster in the background, #AlwaysHaveReconRunning"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "", "line": " Explaining SQL Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 13, "seconds": 55}, "tag": "", "line": " Explaining SQL Union Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Testing Union Injection by doing \u201cUNION SELECT\u201d, then testing it by doing \u201cORDER BY\u201d. 
"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Explaining how to get data out of INFORMATION_SCHEMA"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 20, "seconds": 55}, "tag": "", "line": " Doing GROUP_CONCAT to extract multiple lines from a UNION Statement"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Using SED to replace \u201c,\u201d with line breaks and extracting a bunch of information out of the database"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "", "line": " Cracking the hash to see admin\u2019s password is transorbital1"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 34, "seconds": 41}, "tag": "", "line": " Using wfuzz to brute force a login prompt with two FUZZ Variables (some troubleshooting)"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Fuzzing the MANAGE.PHP script for a filename parameter with wfuzz"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "", "line": " Exploring the LFI"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Using LFI with /proc/sched_debug to get processes running and discovering KnockD"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "", "line": " The Opening up the SSH Port with port knocking"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 70, "seconds": 0}, "tag": "", "line": " Using medusa combo list to test SSH Credentials, then logging chandlerb and running linpeas"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", 
"timestamp": {"minutes": 76, "seconds": 0}, "tag": "", "line": " Exploring the MySQL Database, discovering Janitor was created at a different time. Explore his directory to discover new credentials"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "", "line": " Using find to output a list of readable files for other users then finding files that can only be read by single users"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 88, "seconds": 50}, "tag": "", "line": " FredF can execute the \u201ctest\u201d binary as root. Looking at source, it allows appending lines to a file."}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 90, "seconds": 15}, "tag": "", "line": " File Write Method 1: Appending a line to allow joeyt to sudo"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 93, "seconds": 30}, "tag": "", "line": " File Write Method 2: Appending line to passwd to create a new user"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 96, "seconds": 50}, "tag": "", "line": " Extra content, going over the Source Code to view the LFI Exploit and a pretty funny login bypass bug"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Begin of Nmap scans"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "windows medium", "line": " Checking out the website and running a few GoBuster dir searches"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 8, "seconds": 20}, "tag": 
"windows medium", "line": " Discovering .. is a bad character, working around it by starting the path with a slash"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "windows medium", "line": " Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows medium", "line": " Configuring SMBd to host a share that is accessible by anonymous users"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows medium", "line": " Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows medium", "line": " Reverse Shell Returned!"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows medium", "line": " Discovering Chris's password then using Powershell to run a command as him to upgrade the shell."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "windows medium", "line": " Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 46, "seconds": 55}, "tag": "windows medium", "line": " Copying the malicious CHM File to c:\\Docs and not getting any shell. 
Simplify the exploit to run ping instead."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "windows medium", "line": " Using Out-CHM to have it execute NC out of c:\\users\\chris\\downloads\\ instead of a SMB Share and getting shell as administrator"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "windows medium", "line": " Start of doing the box the second way. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 54, "seconds": 15}, "tag": "windows medium", "line": " Explaining the LFI + PHP Session Exploit Chain"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 56, "seconds": 30}, "tag": "windows medium", "line": " Identify bad characters by creating a in python to to create accounts and test logins"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "windows medium", "line": " Testing minimal php code for code execution"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows medium", "line": " Testing Code exeuction with Powershell Encoded commands"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 78, "seconds": 26}, "tag": "windows medium", "line": " Downloading Netcat to the box then executing it for a reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 83, "seconds": 0}, "tag": "windows medium", "line": " Uploading Chisel to the box then forwarding ports 3306 and 5985 to us"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 40}, "tag": "windows medium", "line": " Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel"}, {"machine": "HackTheBox - Sniper", 
"videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 92, "seconds": 20}, "tag": "windows medium", "line": " Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "windows medium", "line": " Uploading the CHM and stealing the hash with Responder"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "windows medium", "line": " Using Hashcat to crack a NetNTLMv2 hash from Hashcat (5600)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 102, "seconds": 40}, "tag": "windows medium", "line": " Using PSexec to remote into the boxh"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "windows easy", "line": " Running NMAP and queuing a second nmap to do all ports"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows easy", "line": " Using LDAPSEARCH to extract information out of Active Directory"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Dumping user information from AD via LDAP then creating a wordlist of users"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "windows easy", "line": " Creating a custom wordlist for password spraying with some bashfu and hashcat"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows easy", "line": " Using CrackMapExec to dump the password policy of Active Directory using a null 
authentication, then doing a Password Spray"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Enumerating information out of AD using rpcclient and null authentication"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 28, "seconds": 10}, "tag": "windows easy", "line": " Now that our PWSpray is running in the background, lets go through Impacket Scripts to see what works."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows easy", "line": " Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "windows easy", "line": " Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows easy", "line": " Setting up a SMBShare, using New-PSDRive to mount the share, then running WinPEAS"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows easy", "line": " Going over WinPEAS Output"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows easy", "line": " Downloading Bloodhound and the SharpHound Ingestor"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows easy", "line": " Importing the Bloodhound Results and finding an AD Attack Path"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 52, "seconds": 10}, "tag": "windows easy", "line": " Going over the Account Operators Group (will allow us to create an 
account)"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows easy", "line": " Using Net User to create a new user, then adding it to the Exchange Group"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 58, "seconds": 40}, "tag": "windows easy", "line": " Downloading the PowerSploit Dev Branch to utilize the function \"Add-DomainObjectAcl\""}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows easy", "line": " Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "windows easy", "line": " Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 67, "seconds": 10}, "tag": "windows easy", "line": " Going over the \"--users\" option in hashcat so you can easily identify whos hash was cracked"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 70, "seconds": 43}, "tag": "windows easy", "line": " Using the KRBTGT Hash to perform the GoldenTicket attack from Linux"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 95, "seconds": 11}, "tag": "windows easy", "line": " Showing it worked, Issues were we could not use IP Addresses anywhere in the command and need FQDN for the domain. 
Create entries in Host file if DNS is not there."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux easy", "line": " Begin of nnmap scan"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Checking out the website, trying to identify what technology runs the site"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Nmap scan finished, start more recon (GoBuster and full nmap port scan)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Trying to find out when the website was stood up with exiftool"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux easy", "line": " Full nmap showed the REDIS port, initial poking"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "linux easy", "line": " Searching the internet for things you can do with a REDIS Server"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "linux easy", "line": " Dropping a webshell didn't work, lets try dropping an SSH Key"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux easy", "line": " Discovering the location of a .ssh directory by guessing the default (/var/lib/redis/.ssh)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux easy", "line": " Got a shell on the box!"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "linux easy", "line": " Running LinPEAS"}, 
{"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "linux easy", "line": " Running LinEnum twice (once with throrough mode enabled). To make sure we have good recon."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 33, "seconds": 10}, "tag": "linux easy", "line": " Discovering Matt logged in at a time we did not previously have"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 36, "seconds": 7}, "tag": "linux easy", "line": " Discovering an encrypted SSH key, cracking the SSH Key with John"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " SSH failing to work, decide to just use \"su\" to switch to the Matt User"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Discovering we can login to WebMin with Matt"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 48}, "tag": "linux easy", "line": " Running searchsploit, then using Metasploit to exploit Webmin"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux easy", "line": " Root shell returned, set Metasploit to go through burp and play with it until we get the exploit working."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 0, "seconds": 59}, "tag": "windows insane", "line": " Begin of nmap, discover XAMPP"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 5, "seconds": 51}, "tag": "windows insane", "line": " Running GoBuster while we poke at the website"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows insane", 
"line": " Registering an account then seeing what new functions are avaialble"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "windows insane", "line": " Attempting to transfer money and discovering XSS "}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows insane", "line": " Basic Cross Site Scripting worked, check cookies to see HttpOnly is false then do a basic XSS to steal cookies"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 15, "seconds": 33}, "tag": "windows insane", "line": " Doing the OnError payload to steal administrative cookie"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 17, "seconds": 38}, "tag": "windows insane", "line": " Logging in as the administrative user, checking out the new pages. Search which is SQL Injectable and BackDoorChecker which can execute code from localhost"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows insane", "line": " Playing with the SQL Injection in Search, confirming it is union then sending it to SQLMap to dump the database"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "windows insane", "line": " Using SQL Injection to read the source code via LOAD_FILE in a Union Injection."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "windows insane", "line": " Creating a XSS Payload that can send a Post Request (XMLHttpRequest)"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "windows insane", "line": " Reverse shell returned"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": 
{"minutes": 46, "seconds": 20}, "tag": "windows insane", "line": " Manually poking around the box, discover port 910 is open but our nmap didn't show it"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 48, "seconds": 10}, "tag": "windows insane", "line": " Using Chisel to forward the port back to our box, and discover it's a telnet interace to perform transfers"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows insane", "line": " Using PwnTools to bruteforce the PIN Code on port 910"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 56, "seconds": 10}, "tag": "windows insane", "line": " Send it 100 A's to see if the program crashes, instead it executesa payload after 32 bytes"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "windows insane", "line": " Failing to run netcat froma UNC Path"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 68, "seconds": 26}, "tag": "windows insane", "line": " Running netcat from C:\\ to get a reverse shell"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " Discovering an SQL Injection inside of the WhoIs Service"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Identifying we can perform DNS Zone Transfers with dig axfr (aquatone is the application i mention to take screenshots)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux hard", "line": " 
Explaining the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "linux hard", "line": " Dumping information out of Information_Schema via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 23, "seconds": 5}, "tag": "linux hard", "line": " Dumping hostnames out of the whois database via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "linux hard", "line": " Discovering the pwned website, discovering shell.php with GoBuster"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 31, "seconds": 45}, "tag": "linux hard", "line": " Using wget to get the date the webserver was defaced"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "linux hard", "line": " Using wfuzz to find the parameter (hidden) the attackers shell used, then we have code execution on the machine."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 39, "seconds": 15}, "tag": "linux hard", "line": " Using find with newermt to identify what happened around the time the attacker pwned the box"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Discovering mail file that has some credentials for an FTP User"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 49, "seconds": 17}, "tag": "linux hard", "line": " Using grep/awk to find the hacker in an apache access logs"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 51, "seconds": 44}, "tag": "linux hard", "line": " Searching wireshark to pull the attackers post request to pull more credentials and 
the files the attacker uploaded to the server."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 55, "seconds": 5}, "tag": "linux hard", "line": " Analyzing root.c kernel module "}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "linux hard", "line": " Testing the kernel rootkit didn't work over HTTP, lets get a forward shell and try it there."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 62, "seconds": 22}, "tag": "linux hard", "line": " Testing passwords to gain access to ib01c01, which has the compiled kernel root kit (root.ko)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 65, "seconds": 20}, "tag": "linux hard", "line": " Analyzing root.ko in Ghidra to discover some slight changes to the root.c source code."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "linux hard", "line": " Sending g3tPr1v to /dev/ttyR0 to activate the rootkit and switch to root"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 70, "seconds": 2}, "tag": "linux hard", "line": " Testing nc with a source port of 20 to verify our assumption only root can do this is true"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "linux hard", "line": " Creating a PHP Script to act as middleware between SQLMap and the WhoIs port and allow us to use SQLMap to dump the database"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "linux hard", "line": " Manually installing Zeek (formerly known as Bro) to analyze the pcap. 
"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 85, "seconds": 50}, "tag": "linux hard", "line": " Zeek has been installed, running it against the pcap with Cr to ignore checksum errors"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 86, "seconds": 42}, "tag": "linux hard", "line": " Showing how to manually analyze zeek logs with less -S and zeek-cut"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 91, "seconds": 50}, "tag": "linux hard", "line": " Installing zkg which is the zeek package manager then installing ja3 and http-post modules to extract SSL Signatures and HTTP Post Data"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 96, "seconds": 20}, "tag": "linux hard", "line": " Running Zeek again with the modules, identify the HTTP Attack used (Google: \"prestashop mail proxycommand exploit\" to find the exploit the attacker used)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 0, "seconds": 57}, "tag": "linux hard", "line": " Begin of NMAP, then examining FTP to see the banner leak time and IPv6 compatibility."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux hard", "line": " Running GoBuster so we always have recon running in the background"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 38}, "tag": "linux hard", "line": " Examining the Web Page to see it has some usernames and FTP Creds"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Logging into FTP and testing basic things like downloading/uploading files"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "linux hard", 
"line": " Ran out of things to test. Run NMAP on all ports, then look into things we don't know."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "linux hard", "line": " Explaining what FXP is and what an FTP Bounce Attack is"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Performing the FTP Bounce Attack to get the IPv6 Address, then doing a nmap on the ipv6 address "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux hard", "line": " Identifying what port 8730 is (RSYNC) using both NMAP and NETCAT"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 18, "seconds": 45}, "tag": "linux hard", "line": " Downloading /etc via rsync, then explaining a bunch of configurations on the box"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux hard", "line": " Identifying there is an RSYNCD.SECRETS via the RSYNCD.CONF file. Cannot download but can identify filesize which will tell us the number of characters the password is."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux hard", "line": " Extracting all 8/9 character words out of RockYou.txt then using bash to script a rsync bruteforce (end of video we code a better brute force)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Got Roy's password (computer),then downloading his directory to get user.txt. 
After that upload an SSH Key"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 39, "seconds": 48}, "tag": "linux hard", "line": " SSH into the box as roy with the key, then failing to run lynis before running LinPEAS"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 48, "seconds": 8}, "tag": "linux hard", "line": " Using find to list files edited around the time User.txt was created (newermt) to identify git repo's under RSYSLOG and FTP"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 52, "seconds": 5}, "tag": "linux hard", "line": " Examining git repo in RSYSLOG to identify it sends syslog to POSTGRES and is SQL Injectable"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 57, "seconds": 10}, "tag": "linux hard", "line": " Performing the SQL Injection with logger, but before that tailing the postgres log for some output"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux hard", "line": " Running commands on Postgres 9.3 via PROGRAM command. Get into trouble with quotes, find postgres has a third quote option which is $$"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 73, "seconds": 57}, "tag": "linux hard", "line": " EXTRA CONTENT: Building a threaded RSYNC Bruteforcer"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 74, "seconds": 20}, "tag": "linux hard", "line": " Script 1: Figuring out how RSYNC Authentication works, its a Challenge/Response. 
"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 82, "seconds": 44}, "tag": "linux hard", "line": " Script 1: Downloading the RSYNC Source and searching how it creates the hash"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 92, "seconds": 40}, "tag": "linux hard", "line": " Script 1: Adding SOCKET Support so we can connect to the RSYNC Server"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 105, "seconds": 40}, "tag": "linux hard", "line": " Script 2: Python3 Threading example "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 110, "seconds": 45}, "tag": "linux hard", "line": " Script 3: Combining the Threaded example with our RSYNC Auth to get a good bruteforcer!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "windows medium", "line": " Start of recon, NMAP"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "windows medium", "line": " Using SMBClient to look for OpenShares"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "windows medium", "line": " Examining the HTTP Redirect on the page"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 6, "seconds": 56}, "tag": "windows medium", "line": " Attemping default credentials"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 8, "seconds": 25}, "tag": "windows medium", "line": " Running GoBuster with PHP Extensions"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows medium", "line": " Examining the /api/ Requests made in BurpSuite"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 13, "seconds": 35}, 
"tag": "windows medium", "line": " Comparing Requests to notice one has a \"BEARER\" Header. Researching exactly what it is."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "windows medium", "line": " Examining the contents of BEARER/OAUTH2 by base64 decoding it."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows medium", "line": " Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected bas64"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows medium", "line": " See a serialization error, pointing towards JSON.NET, then switching to Windows to install ysoSerial"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 22, "seconds": 54}, "tag": "windows medium", "line": " Creating a .net Deserialization exploit that will ping us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "windows medium", "line": " Base64 encoding the exploit, starting tcpdump, and checking for code execution. 
Then editing our exploit use a PowerShell webcradle with Nishang to get a reverse shell"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 32, "seconds": 51}, "tag": "windows medium", "line": " Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch disk"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows medium", "line": " Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the video to get colors!)"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows medium", "line": " PrivEsc #1: Reversing Sync2Ftp to decrypt a password"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "windows medium", "line": " Decompile SyncLocation.exe via DNSPY, then edit the executable to display the decrypted password."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 56, "seconds": 15}, "tag": "windows medium", "line": " Couldn't use PSEXEC with the decrypted creds. 
Lets use Powershell Invoke-Command to switch users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 65, "seconds": 25}, "tag": "windows medium", "line": " PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 70, "seconds": 50}, "tag": "windows medium", "line": " Using Chisel to forward 127.0.0.1:14147 to us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 75, "seconds": 15}, "tag": "windows medium", "line": " Running the FileZilla Server and connecting to the box through our tunnel to create new users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 81, "seconds": 53}, "tag": "windows medium", "line": " PrivEsc #3: JuicyPotato"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 84, "seconds": 53}, "tag": "windows medium", "line": " Running JuicyPotato to get a system shell"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 0, "seconds": 30}, "tag": "windows hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "windows hard", "line": " Creating an entry in /etc/hosts for reblog.htb (found on webpage)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows hard", "line": " Reading each blog post and taking notes"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows hard", "line": " Poking at SMB to see MALWARE_DROPBOX"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows hard", "line": " Digging into why SMBMAP says READ_ONLY. 
Don't get anywhere but its an impacket thing?"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "windows hard", "line": " Installing LibreOffice, then creating a macro to ping us"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "windows hard", "line": " Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows hard", "line": " Converting our obfuscated macro to a powershell cradle/one lienr (iconv to make it UTF-16LE)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows hard", "line": " Reverse Shell returned as LUKE, showing a way to get a logged in users hash and attempting to crack"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows hard", "line": " Running WinPEAS.bat (will do EXE at the end of the video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "windows hard", "line": " Going over the process_sample.ps1 script to discover a potential WinRAR Vulnerability"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 38, "seconds": 9}, "tag": "windows hard", "line": " Using evilWinRAR to generate a ZipSlip like file, forget a trailing slash and do quite a bit of troubleshooting"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "windows hard", "line": " Switching up the ASPX Shell by using one from the TennC Repository"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 52, "seconds": 35}, "tag": "windows hard", "line": " Reverse shell as the IIS User"}, {"machine": "HackTheBox 
- RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows hard", "line": " Doing a Ghidra XXE Vulnerability to steal the users hash"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows hard", "line": " Copying the XXE Vulnerability in POC"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 64, "seconds": 45}, "tag": "windows hard", "line": " Lol. Found what out i was zipping the file incorrectly"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "windows hard", "line": " Cracking the new hash we just got"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 69, "seconds": 20}, "tag": "windows hard", "line": " Using Powershell to Invoke-Command with a different user"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 72, "seconds": 55}, "tag": "windows hard", "line": " Begin of unattended route (Changing macro to be RevSvr32 with an SCT File instead of CMD /c)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "windows hard", "line": " Downloading SharpUp and WinPEAS to compile executables"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 87, "seconds": 30}, "tag": "windows hard", "line": " Using rlwrap for our reverse shell so we have a semi-proper TTY on Windows"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 88, "seconds": 45}, "tag": "windows hard", "line": " Running PowerUp to identify the bad service and playing with a few commands to show what is happening"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 93, "seconds": 10}, "tag": "windows hard", "line": " Running WinPEASEXE to show the output"}, {"machine": "HackTheBox - RE", "videoId": 
"YXAakamjO_I", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows hard", "line": " Enabling RDP so we can see the error message SharpUp threw"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 97, "seconds": 50}, "tag": "windows hard", "line": " Changing DotNet version in the project properties to get SharpUp working on the box"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "linux medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux medium", "line": " Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 3, "seconds": 45}, "tag": "linux medium", "line": " Playing with the File Upload, failing to identify how uploaded files are stored"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux medium", "line": " Investigating PHP Files that GoBuster found, discovering intelligence.php"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux medium", "line": " Searching for Text to Speach programs (create WAV Files)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux medium", "line": " The first program didn't do a good job saving WAV Files, Downloading Festival"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 9, "seconds": 17}, "tag": "linux medium", "line": " Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 11, "seconds": 5}, "tag": "linux medium", "line": " Using text2wave to create 
wav files and upload them, then discover a SQL Injection over voice"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 14, "seconds": 4}, "tag": "linux medium", "line": " Having trouble getting the voice recognition to recognize the word union. Using \"intelligence.php\" to discover alternative words."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "linux medium", "line": " Extracting the username and password out of the database, then logging in via SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux medium", "line": " Investigating how the file upload script works, turns out to be a dead end"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux medium", "line": " Running linPEAS to check other privesc paths (see JDWP)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux medium", "line": " Enumerating the local MySQL Database to get other credentials"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "linux medium", "line": " Starting to investigate the Tomcat ports (8000, 8009, and 8080)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux medium", "line": " Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux medium", "line": " Doing SSH Tunnels from within a SSH Session (~c) to forward port 8000 without reconnecting to SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux medium", "line": " Manually using JDB to execute a 
command via java.lang.Runtime"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux medium", "line": " Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux hard", "line": " Begin of recon, wireshark nmap to see how it identified the hostname. The way this box is configured apache is placing the hostname when the \"Host: \" HTTP Header is not present."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Starting a bunch of automated tools. Nmap all ports, and gobuster to discover VHOST (virtual hosts) and files."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 9, "seconds": 55}, "tag": "linux hard", "line": " Checking dev.player.htb and identify the framework (Codiad) is being leaked in some javascript"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 12, "seconds": 25}, "tag": "linux hard", "line": " Checking chat.player.htb, nothing really here just hints at source code disclosure on other domains"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 14, "seconds": 5}, "tag": "linux hard", "line": " Checking staging.player.htb, sending an email leaks some interesting files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Checking player.htb/launcher, entering an email leaks some other PHP Files along with a JWT Token"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Discovering backup files, showing BurpSutie Pro can do it but I had added this feature in GoBuster"}, {"machine": 
"HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Going over exactly what I did in GoBuster to add the DiscoverBackup feature"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux hard", "line": " Using GoBuster with the new feature to discover some PHP Source that leaks the JWT Secret"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux hard", "line": " Using JWT.IO to create our forged JWT and discover a new page that proccesses Video Files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 37, "seconds": 25}, "tag": "linux hard", "line": " Looking into FFMPEG Vulnerabilities to discover an LFI, using \"Payload All The Things\" to exploit this. Grab files Apache Config, Config files in web directories, /proc/net to see listening ports"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Trying the telegen credentials we retrieved from /var/www/backup/service_config with various services. See we can login to 6686 but are in a locked down shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "linux hard", "line": " Running searchsploit to see an XAUTH command injection that allows for reading/writing files. Failing to writefiles, but can now read .php files grab more source code to get another credential (Peter)"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 55, "seconds": 45}, "tag": "linux hard", "line": " Peter's creds work at dev.player.htb which allows for uploading files. 
Uploading a php reverse shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux hard", "line": " Reverse shell returned. Running su -s /bin/bash telegen to bypass the restricted shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 61, "seconds": 30}, "tag": "linux hard", "line": " Noticing the XAUTH command actually wrote a file! Going back to see why we failed to write to web directories. Trying it again but turns out quotes/spaces are bad chars which would make dropping a webshell tough."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 64, "seconds": 50}, "tag": "linux hard", "line": " Giving up with XAUTH, running pspy64 with our SSH Shell to see a PHP File is running every minute, checking it out to see it includes a file WWW-DATA can write to and that there is a unserialize vulnerability"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 67, "seconds": 40}, "tag": "linux hard", "line": " Exploiting the unserialize() vulnerability to write an SSH Key to /root/.ssh/authorized_keys"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 73, "seconds": 53}, "tag": "linux hard", "line": " UNINTENDED METHOD: Exploiting Codiad by using the installation scripts left behind to install it to chat.player.htb"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 76, "seconds": 45}, "tag": "linux hard", "line": " Stepping through the installation script to understand the vulnerability. Upon install it writes unsanitized user input to the config.php directory"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 89, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell returned as www-data! 
"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "linux hard", "line": " UNINTENDED METHOD 2: Performing the Authenticated Codiad RCE, stepping through it in BurpSuite to understand what the exploit does. At the very end of the video we will examine codiad source to understand the vuln."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 96, "seconds": 0}, "tag": "linux hard", "line": " Privesc from www-data by placing a PHP Rev Shell in the file the cron script included"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 98, "seconds": 35}, "tag": "linux hard", "line": " Analyzing the Source of Codiad to see why the CRLF Exploit worked."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Taking a loot at the webserver and seeing a GitLab signin page"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 2, "seconds": 53}, "tag": "", "line": " Using wget and exiftool to check metadata on files on the server to see when stuff was uploaded"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Running gobuster, explaining why we need the Wildcard flag on this box for this tool to work"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "", "line": " Finding the /help directory which has some javascript that contains the password to GitLab"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 10, "seconds": 28}, "tag": "", "line": " Logging into Gitlab with creds from the bookmark.html"}, {"machine": "HackTheBox 
- Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 11, "seconds": 11}, "tag": "", "line": " Showing how to do GoBuster with a cookie (gets past the wildcard issue earlier in the video)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Looking at snippets to see a Postgresql password"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Looking at Git Commit History of various files to see there's a post hook to upload merges to a webserver"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 16, "seconds": 10}, "tag": "", "line": " Creating a New Branch on Profile, adding a webshell, then merging it to trigger it to be uploaded to the server"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "", "line": " CMD PHP Shell is on the server, lets get a reverse shell."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "", "line": " Reverse shell returned, setting up a proper pty with rows and cols"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** BEGIN OF UNINTENDED WAY **"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Checking sudo to see we can do a git pull as root, and explaining git hooks"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Copying the git repo to a different directory so we take ownership of every file"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Creating a Post-Merge script that gives us a shell, the 
running sudo git pull to execute it as root"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "", "line": " Explaining why the copied directory still pulled new version from the website"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " **END OF UNINTENDED WAY**"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "", "line": " Getting PostGres Creds"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Creating a PHP Script to dump the PostGres database"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 31, "seconds": 7}, "tag": "", "line": " Clave's password was in the database, logging in as that user"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Initial analysis of the RemoteConnection.exe file (strings)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Looking at the file in Ghidra"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "", "line": " Lets just do some dynamic analysis with x32debug, switching over to windows"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "", "line": " Setting breakpoints around interesting strings and running the program"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "", "line": " Stepping through the program and seeing a password on the stack"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", 
"line": " Using this credential to SSH into the box"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 3, "seconds": 18}, "tag": "", "line": " Checking out the HTTPS Certificate for potential hostnames"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Looking at api.craft.htb, appears to be some type of Documentation for the REST API"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 6, "seconds": 40}, "tag": "", "line": " Looking at gogs.craft.htb, no known exploits but there is some source code!"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Attempting to crack the JWT (fails)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "", "line": " Going back to the issues to see there is an eval() on user input"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "", "line": " Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 18, "seconds": 57}, "tag": "", "line": " Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Discovering Dinesh's credentials in an old git commit"}, 
{"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "", "line": " Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 28, "seconds": 28}, "tag": "", "line": " Testing Code Execution from the previous git issue, use the test.py script as a skeleton."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Getting a reverse shell with this exploit using exec(base64)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Grabbing settings.py on the server to get a bunch of credentials"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Fixing our terminal to have the correct rows/columns so we can use vi"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 40, "seconds": 18}, "tag": "", "line": " Editing dbtest.py to dump all users from the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 45, "seconds": 25}, "tag": "", "line": " Manually crafting a JWT in Python to show what to do if you are successful at cracking... 
Then trying to create a JWT that is not signed"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 49, "seconds": 10}, "tag": "", "line": " Logging into GOGS with the credentials we got from dumping the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Gilfoyle as a private repo, lets download it"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "", "line": " Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Bunch of references to Vault in LinPEAS, looking into what this is."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "", "line": " The .vaulttoken file is saved creds, lets just use vault ssh to login to the box"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Using Wireshark to see why Nmap said HTTP 403"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux insane", "line": " Running GoBuster to identify /backup"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux insane", "line": " Performing a DNZ Zone Transfer with dig axfr"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", 
"timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux insane", "line": " Manually playing with the login form to hunt for SQL Injection"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "linux insane", "line": " Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 16, "seconds": 42}, "tag": "linux insane", "line": " Examining /auth endpoint"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux insane", "line": " Examining ses.so in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 20, "seconds": 31}, "tag": "linux insane", "line": " Renaming variables from Ghidra's decompiler to try to make sense of the code"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux insane", "line": " Examining get_internal_usr and pwd to discover the bug"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "linux insane", "line": " Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "linux insane", "line": " First time attaching the debugger - Seg faults for some reason."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux insane", "line": " Attaching the debugger again, this time it works. 
Explaining important registers"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux insane", "line": " Stepping through the code trying to make sense of registers. This part may not make sense."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ### The RDI Value in the STRCMP was from my python script calling ses.so -- RSI is what the program thinks the password is. So if in the Python Script I used ippsec:ippsec, then it would be STRCMP('ippsec','ippsec')."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 51, "seconds": 50}, "tag": "linux insane", "line": " Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 54, "seconds": 25}, "tag": "linux insane", "line": " Getting command execution"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 55, "seconds": 50}, "tag": "linux insane", "line": " Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "linux insane", "line": " Configuring burp to have a hotkey to \"Issue Repeater Request\" so we don't have to click send"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 57, "seconds": 18}, "tag": "linux insane", "line": " Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "linux insane", "line": " Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", 
"timestamp": {"minutes": 65, "seconds": 5}, "tag": "linux insane", "line": " Running LinPEAS to identify paths to privesc"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "linux insane", "line": " Downloading the custom Linux Kernel Module: DHID then examine in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "linux insane", "line": " Looking at Snowscans blog to test the dev_read function"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 74, "seconds": 15}, "tag": "linux insane", "line": " Looking at the dev_mmap call"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 75, "seconds": 20}, "tag": "linux insane", "line": " Looking at MWR LAbs paper on insecure MMAP use in kernel modules"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "linux insane", "line": " Explaining what we are going to do - Rewrite credentials in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 79, "seconds": 20}, "tag": "linux insane", "line": " Going over the first MMAP Call to map memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 81, "seconds": 5}, "tag": "linux insane", "line": " Setting a SSH CONFIG to make it easier to ssh and SCP into Smasher2"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 86, "seconds": 0}, "tag": "linux insane", "line": " Searching for a credential structure in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 91, "seconds": 20}, "tag": "linux insane", "line": " Running GetUID to see if the cred structure we modified is ours, if not set it back"}, {"machine": "HackTheBox - Smasher2", "videoId": 
"ELiicja60jI", "timestamp": {"minutes": 94, "seconds": 0}, "tag": "linux insane", "line": " Setting capabilities and running bash upon getting root"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 96, "seconds": 10}, "tag": "linux insane", "line": " Showing what would of happened if we did not revert credentials back to original."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Previous Video: Intro to PHP Deserialization - https://youtu.be/HaW15aMzBUM"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 27}, "tag": "", "line": " Little bit of history about PHP Serialization"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 13}, "tag": "", "line": " Why is uploading Phar Files different than normal file upload vulns?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 42}, "tag": "", "line": " What are Phar Files?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 3, "seconds": 38}, "tag": "", "line": " Prevention by disabling the phar stream wrapper"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Going over the PHP Upload script created for this video"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Reviewing a PHP Script to generate malicious PHAR Files"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Setting our PHP Config to allow PHAR to operate 
in Read/Write mode"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " Showing we can control the beginning bytes of the PHAR File to trick magic byte checks"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Copying the logging class from the intro to deserialization video into our upload script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 9, "seconds": 35}, "tag": "", "line": " Adding the PHP Object/POP Chain to our PHAR Generation Script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Starting a PHP Webserver so we can upload our image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Explaining why the existing image upload script, isn't vulnerable."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Creating a seperate script which performs the file operation unlink() against user input"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Adding the PHP Object to our script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 17, "seconds": 17}, "tag": "", "line": " Begin of adding a phar file to a 
legitimate image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Modifying our PHAR File to also be a valid image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 20, "seconds": 12}, "tag": "", "line": " Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Mentioning PHPGGC which is handy to utilize with this exploit"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 22, "seconds": 13}, "tag": "", "line": " Showing how to unregister PHP Stream wrappers to prevent this attack"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " Background information, showing variables are point in time"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Creating a PHP Class and Object"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Serializing the Object and going over the format"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Converting the script to accept a PHP Object via WebRequest"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Explaining PHP Desesrialization Gadgets"}, {"machine": "Intro to PHP Deserialization / Object 
Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "", "line": " Creating Attack.php in order to quickly generate PHP Objects"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Creating exploit.sh which will just send our malicious object to the webserver"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Going over PHP Magic Methods"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "", "line": " Adding the __toString class that we can create a gadget to get to in order to read files"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Adding the new class to our attack script and reading /etc/passwd"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "", "line": " Demonstrating \"Class Path\" by creating an __destruct() method in another php file and including it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Adding the LogFile to our class path and using it to drop a file"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Didn't work! 
Our script errored and PHP never destroyed our object so code didn't run"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "", "line": " Moving the LogFile gadget to our isAdmin check, which works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 35}, "tag": "", "line": " Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right, this may be wrong read PHPGGC Source to see how it works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 14}, "tag": "", "line": " Showing if an function is called from another functions magic method, we can craft a gadget to get to it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 41}, "tag": "", "line": " Adding pwned function to attack. 
This is prior to us having a magic method call pwned, just to demonstrate you can't call any function."}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Making ReadFile() call pwn when destroyed"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "", "line": " Start of recon"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Running GoBuster to discover the /monitoring directory"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Running hydra to try to brute force the HTTP Authentication (Does not work due to it being a secure password)"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "", "line": " Bypassing the AUTH Request by changing to a POST \u2014 Explain why this works later"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Looking at the Centreon Changelog to look for any exploits"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " There aren\u2019t any unauthenticated exploited, lets brute force a login. 
The main way uses a CSRF Token."}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Bypassing the CSRF by using the Centreon API"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Using wfuzz to brute force the API Login and get admin:Password1"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 14, "seconds": 15}, "tag": "", "line": " Changing the Monitoring Engine Binary under Configure Pollers to get code execution"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " Trying to ping ourselves, find out we can\u2019t use space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Using IFS to instead of space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 20, "seconds": 11}, "tag": "", "line": " Ping worked, trying to do a Reverse Shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "", "line": " The reverse shell didn\u2019t work lets do some debugging"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "", "line": " Adding a semicolon at the end of the script and getting a reverse shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Reverse shell returned, lets build a proper TTY with ROWS and COLUMNS so we can do things like vi"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " Searching for files between two dates"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 33, 
"seconds": 0}, "tag": "", "line": " Discovering backup which is a PYC File, using uncompyle to decompile it"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 34, "seconds": 55}, "tag": "", "line": " Getting Shelby\u2019s password out of the backup script"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Using LinPEAS instead of LinEnum to look for privescs"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "", "line": " Exploiting Screen-4.5.0 to get root"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ## Extra"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "", "line": " Static Code Analysis tip, looking for dangerous functions"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows easy", "line": " Begin of recon\r"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "windows easy", "line": " Logging into the webpage as guest and viewing attachments"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows easy", "line": " Examining the cisco type 7 passwords, using ciscot7"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " Decrypting the MD5Crypt password using Hashcat"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "windows easy", "line": " Using CrackMapExec to perform a SMB password spray with users/credentials we have"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": 
{"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Using Metasploit to do the same thing (smb_login), to show it keeps tracks of creds. Then doing a WinRM Login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows easy", "line": " WinRM Login was unsuccessful. Lets see if we can enumerate users with Impacket's lookupsid"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "windows easy", "line": " Using RPCClient to replicate how LookupSID did the RID/SID Bruteforce, so we can understand it"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows easy", "line": " Doing the Winrm_Login again with new usernames and see Chase can login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 20, "seconds": 25}, "tag": "windows easy", "line": " Using Evil WinRM to login to the box"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows easy", "line": " Low Priv shell returned"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows easy", "line": " Examining wwwroot, and sourcecode to see if we can get a shell as the IIS User (cannot)"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "windows easy", "line": " See firefox running with Get-Process"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Upload procdump64.exe to dump firefox's memory"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows easy", "line": " Running strings against the binary and finding the administrator 
password"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 34, "seconds": 35}, "tag": "windows easy", "line": " Testing logins with WinRM and CME, to see Administrator could PSEXEC or WinRM"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Downloading and analyzing the files off the anonymous FTP Directory"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Looking into solidity to see what these files are about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " The full portscan finished, trying to find out what port 9810"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Recommended reading to understand blockchain fundamentals"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "", "line": " Begin writing the script to interact with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Calling the getDomain function, then setting the domain to our IP and seeing the ping"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Command injection found, getting a reverse shell via bash"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Checking the source code to see why this worked"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": 
{"minutes": 19, "seconds": 50}, "tag": "", "line": " Looking into what IPFS is (found in administrators home directory)"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 33}, "tag": "", "line": " Running ipfs refs local to list all files"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Dropping a SSH Key so we can get off this reverse shell"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "", "line": " Writing a loop around ipfs refs local to list all the files, then cat the emails."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "", "line": " Cracking the SSH Key with sshng2john and john"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 29, "seconds": 27}, "tag": "", "line": " Exploiting the ChainsawClub via path injection and the program executing sudo via a non-absolute path"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "", "line": " Explaining the package managers place things in */local/* directories."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "", "line": " Writing a loop around dpkg --search to find binaries in the path that the systems package manager doesn't know about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 36, "seconds": 11}, "tag": "", "line": " Explaining file blocks and slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 37, "seconds": 25}, "tag": "", "line": " Using bmap to extract data out of slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 
39, "seconds": 50}, "tag": "", "line": " Exploiting ChainsawClub the intended way by playing with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "", "line": " Calling setUsername to create ippsec, then setPassword to create a password"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 51, "seconds": 20}, "tag": "", "line": " Running setApprove and transfer to satisfy the other things, then logging into the ChainsawClub"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "linux easy", "line": " Intro"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Looking at the website, checking source, robots.txt, etc"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "linux easy", "line": " Writing a simple PHP Code Execution script and trying to upload it"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Discovery of backup.tar, examining timestamps between downloading with wget/firefox"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux easy", "line": " Searching php scripts for superglobals as that will show user-input"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": 
{"minutes": 11, "seconds": 10}, "tag": "linux easy", "line": " Explaining what magic bytes are"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Using PHP interactive mode to demonstrate what is happening"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "linux easy", "line": " Showing error codes are different based upon where image validation failed"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Uploading a malicious PHP Shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "linux easy", "line": " Navigating to our php shell and getting a reverse shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "linux easy", "line": " Reverse shell returned"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 23, "seconds": 40}, "tag": "linux easy", "line": " Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Explaining the code execution vulnerability of creating a malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Creating the malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 31, "seconds": 57}, "tag": "linux easy", "line": " Shell returned as Guly, checking sudo list"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 33, "seconds": 9}, "tag": "linux easy", 
"line": " Examining the changename.sh script (guly can run it as root)"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux easy", "line": " Exploiting the script by inserting a command into a network configuration file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "linux easy", "line": " Explaining why Apache executed PHP when files did not have the PHP Extension"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 39, "seconds": 8}, "tag": "linux easy", "line": " Checking php.conf to see it was user created"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 41, "seconds": 15}, "tag": "linux easy", "line": " Modifying php.conf to include \"FilesMatch .php$\", so it only executes php when the name ends in .php"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "", "line": " Running Gobuster and examining the web page"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "", "line": " Room.php is the only page that accepts user input, basic testing for SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Using wfuzz to fuzz for special characters then getting our IP Banned :("}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Unbanned, running wfuzz again and examining unique responses"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " 
Showing several ways to test for SQL Injection (subtraction and hex())"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Examining the MySQL Query Structure"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "", "line": " Explaining Union Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Nested queries with union statements"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Extracting information out of Information_Schema to databases, tables, columns"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 24, "seconds": 8}, "tag": "", "line": " Using LIMIT to ensure only one row is returned"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 25, "seconds": 25}, "tag": "", "line": " Using GROUP_CONCAT to allow us to return multiple rows within union"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "", "line": " Extracting Mysql users/passwords then cracking MySQL (mode 300)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "", "line": " Another way to get the password, LOAD_FILE() to view PHP Source Code"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " PHPMyAdmin 4.8.0 RCE (LFI + Tainted PHP Cookie)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 57, "seconds": 40}, "tag": "", "line": " Dropping a shell via the PHPMyAdmin exploit"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 59, "seconds": 30}, 
"tag": "", "line": " ALTERNATE Way to get Shell:Dropping a file from the SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 63, "seconds": 52}, "tag": "", "line": " Examining the PHP Cookie to see what happened with the PHPMyAdmin stuff"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 65, "seconds": 45}, "tag": "", "line": " Examing the Python Script we can execute as pepper with sudo"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 70, "seconds": 40}, "tag": "", "line": " We can execute code with $() but theres bad characters, so drop a bash script to disk"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 75, "seconds": 0}, "tag": "", "line": " Running find to look for setuid binaries, discover systemctl then check GTFO Bins"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 81, "seconds": 15}, "tag": "", "line": " Copying our Sysmctl Scripts out of /tmp then creating our malicious service"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "linux easy", "line": " Begin of Recon find Elastic Search on 9200"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "linux easy", "line": " Navigating to port 9200 and seeing the Elastic Search JSON Response"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 4, "seconds": 48}, "tag": "linux easy", "line": " Searching Elastic Search Documentation to see how to make queries"}, {"machine": 
"HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Using /_cat/indices to see the \"tables\" withing ES"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 7, "seconds": 37}, "tag": "linux easy", "line": " Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux easy", "line": " Lets switch over to Python to extract this data so we can translate this into English"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "linux easy", "line": " Installing googletrans, so our script can translate this. Using python3 cli to test this out"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "linux easy", "line": " Adding googletrans to our script"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "linux easy", "line": " Running our script to translate everything and then using grep to \"find the needle\""}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux easy", "line": " SSH'ing to the box with the security user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux easy", "line": " Running LinEnum, noticing kibana listening on 5601"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "linux easy", "line": " Creating a Local Port forward so we can access kibana from out box"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "linux easy", "line": " 
Checking Kibana's version to see there are known exploits for it"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "linux easy", "line": " Getting a reverse shell as the Kibana user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux easy", "line": " Using find to see what files the kibana user can write to"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Going into the Logstash directory to see that it will execute code with a specific log message"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux easy", "line": " Explaining the logstash pipeline of how it gets data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 39, "seconds": 33}, "tag": "linux easy", "line": " Getting a reverse shell as the LogStash user (root)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux easy", "line": " Begin of nmap"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 2, "seconds": 31}, "tag": "linux easy", "line": " Discovering MyApp in the HTML Source"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux easy", "line": " Examining MyApp on port 1337"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Opening myapp up in Ghidra"}, {"machine": "HackTheBox - Safe", 
"videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux easy", "line": " Testing out the buffer overflow"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Using pattern search to see where we can overwrite RSP"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Create a PwnTool Skeleton and having it call main instead of crashing"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux easy", "line": " Testing calling main (error: need to do recvline to send text)"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux easy", "line": " Explaining hijacking the SYSTEM() call"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 11}, "tag": "linux easy", "line": " Finding a way to put user input into RDI "}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux easy", "line": " Examining the Test Function which places RSP to RDI"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux easy", "line": " Finding a pop r13 as the Test Function jumps to r13"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Putting the gadget togather for code execution"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " Setting pwntools to exploit the remote host"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Shell on the box"}, 
{"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 29, "seconds": 15}, "tag": "linux easy", "line": " Dropping SSH Key to get a normal shell and copying keepass files"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 31, "seconds": 40}, "tag": "linux easy", "line": " Using keepass2john to create hashes to crack"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux easy", "line": " Cracking keepass hashes with hashcat"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "linux easy", "line": " Using kpcli to export the root password"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 39, "seconds": 20}, "tag": "linux easy", "line": " Using the root password to su to the root user"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 1, "seconds": 12}, "tag": "linux hard", "line": " Begin of recon, examining website seeing the \"Hackers\" Theme"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux hard", "line": " Demoing how this is fixed now, with Werkzeug requiring a pin code"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux hard", "line": " Testing if we can connect back to our host with ping or curl (cannot)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Dropping a SSH Key via python since we cannot reverse shell"}, {"machine": "HackTheBox - Ellingson", "videoId": 
"XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " SSH into the box as the HAL User and clean up the authorized_key file"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "linux hard", "line": " Using xclip to copy and run LinEnum due to a firewall preventing us from curling it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux hard", "line": " Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 22, "seconds": 27}, "tag": "linux hard", "line": " Checking out the Garbage SetUID Binary as HAL to discover he cannot run it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "linux hard", "line": " Using Ghidra to verify we are not missing any functionality"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Using find to discover what files the adm group is an owner of"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux hard", "line": " Using Ghidra to discover the hardcoded password in the garbage binary"}, {"machine": "HackTheBox - 
Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Exploring the binary, using Ghidra to see if there are any hidden menu options"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Installing GDB Enhanced Features (GEF) and pwntools for python3"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "linux hard", "line": " Poorly explaining leaking memory addresses by creating a ROP Chain with puts"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "linux hard", "line": " Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 49, "seconds": 20}, "tag": "linux hard", "line": " Using pattern create and offset/search within gef to RSP Overwrite Location"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Using ropper to discover a pop rdi gadget"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 53, "seconds": 40}, "tag": "linux hard", "line": " Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak."}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 66, "seconds": 30}, "tag": "linux hard", "line": " Using Readelf to get important locations in libc and strings to get location of /bin/sh. 
Then performing all the calculations based upon memory leak"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 75, "seconds": 41}, "tag": "linux hard", "line": " Putting it all togather to create a gadget chain to get a shell"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 80, "seconds": 0}, "tag": "linux hard", "line": " Replacing libc memory locations with the ones installed on ellingson"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 82, "seconds": 30}, "tag": "linux hard", "line": " Running the exploit, getting a root shell, then documenting the code"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux easy", "line": " Start of recon identifying a debian box based upon banners"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Taking a look at the website, has warnings about DOS type attacks."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 3, "seconds": 17}, "tag": "linux easy", "line": " Discovering the /writeup/ directory in robots.txt"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 4, "seconds": 18}, "tag": "linux easy", "line": " Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux easy", "line": " CMS Made Simple is an opensource product. 
Search through the source code to discover a way to identify version information."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux easy", "line": " Using SearchSploit to find an exploit"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "linux easy", "line": " Running the exploit script with a bad URL and triggering the servers anti-DOS protection"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "linux easy", "line": " Running the exploit script with correct URL and analyze the HTTP Requests it makes via Wireshark to see how the SQL Injection works"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "linux easy", "line": " Explaining how password salts work"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "linux easy", "line": " Using Hashcat to crack a salted md5sum"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux easy", "line": " Demonstrating the --username flag in hashcat, this allows you to associate cracked passwords to users"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 24, "seconds": 14}, "tag": "linux easy", "line": " Begin of low-priv shell, running LinEnum to discover we are a member of staff"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 27, "seconds": 58}, "tag": "linux easy", "line": " Using google to see what the Staff group can do (edit /usr/local/bin)"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "linux easy", "line": " Explaining path injection"}, {"machine": "HackTheBox - Writeup", 
"videoId": "GKq4cwBfH24", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "linux easy", "line": " Using PSPY to display all the processes that start on linux, useful for finding crons or short-running processes"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 31, "seconds": 58}, "tag": "linux easy", "line": " Running PSPY to see run-parts is called without an absolute path upon user login"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 33, "seconds": 13}, "tag": "linux easy", "line": " Performing the relative path injection by creating the file /usr/local/bin/run-parts which will drop our SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 1, "seconds": 29}, "tag": "linux hard", "line": " Begin of Recon, notice multiple SSH Host Keys"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "linux hard", "line": " Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux hard", "line": " Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Discovering that this TOMCAT page allows the ability to upload images and zips"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Explaining the ZipSlip Vulnerability"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Walking through how ZipSlip Works"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", 
"timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux hard", "line": " Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux hard", "line": " Reverse Shell Returned "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 51}, "tag": "linux hard", "line": " Looking at Secret.php to get potential usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "linux hard", "line": " Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "linux hard", "line": " Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "linux hard", "line": " Using find to list files modified between two dates"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "linux hard", "line": " Copying SSH Keys back to our box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "linux hard", "line": " Logging into SSH over port 22 with Kaneki and SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Creating a bash script to perform a ping scan to discover other hosts"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 49, "seconds": 55}, "tag": "linux hard", "line": " Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host"}, {"machine": "HackTheBox - Ghoul", 
"videoId": "kE36IGAU5rg", "timestamp": {"minutes": 52, "seconds": 12}, "tag": "linux hard", "line": " Running the HostScan utility again to find another host, then modifying script to do a portscan"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux hard", "line": " Tunneling to the GOGS Box via SSH Tunnels"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "linux hard", "line": " Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "linux hard", "line": " SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 60, "seconds": 25}, "tag": "linux hard", "line": " Copying the GOGS Exploit, and logging in with a password we previously found. 
Note: There is a tool called gogsownz, but it automates so much you don't really learn anything."}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux hard", "line": " Creating a Repository in GOGS then dropping a file to the box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "linux hard", "line": " Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 66, "seconds": 38}, "tag": "linux hard", "line": " As an Admin now we can create a Git Hook to execute code upon updating and get a shell "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "linux hard", "line": " Searching for what the gosu binary does, finding out it lets us privesc to root"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 78, "seconds": 15}, "tag": "linux hard", "line": " Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "linux hard", "line": " Escalating to root on kaneki-pc (second docker box) via password found"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 85, "seconds": 0}, "tag": "linux hard", "line": " Abusing SSH Agents to intercept the \"SSO Like Token\" and swim upstream to the Host OS"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 1, "seconds": 36}, "tag": "linux easy", "line": " Examining the web page to 
find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux easy", "line": " Whoops should of done apt search magescan, either way this package is not in Kali"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux easy", "line": " Running MageScan to scan the website"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux easy", "line": " Finding an open configuration file (app/etc/local.xml)"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Running searchsploit to identify public exploits"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "linux easy", "line": " Examining an exploit that will add an administrative user via SQL Injection"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "linux easy", "line": " Running the exploit out of the box didn't work, send it through burp in order to debug it"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Exploit needed to be modified to include index.php due to mod-rewrite misconfig"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux easy", "line": " Going back to SearchSploit and using the Authenticated RCE Exploit"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux easy", "line": " Making the obvious changes to fix the exploit script"}, {"machine": "HackTheBox - Swagshop", "videoId": 
"qECG2_8xw_s", "timestamp": {"minutes": 24, "seconds": 17}, "tag": "linux easy", "line": " Debugging the exploit by running it through burpsuite, find out we need to use an login page"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux easy", "line": " Bit more in-depth debugging by setting a breakpoint with pdb"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux easy", "line": " The regex is failing due to page not returning anything, the URL has a time span lets increase that"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "linux easy", "line": " Finally fixed this exploit! Reverse Shell Returned"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 35, "seconds": 30}, "tag": "linux easy", "line": " Noticing we can exec vim with sudo, lets privesc"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Mentioning GTFOBins which helps find privesc paths from privileged programs"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "linux easy", "line": " EXTRA: Examining the PHP Object Injection RCE Exploit"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux insane", "line": " Examining login request while GoBuster runs"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 5, "seconds": 35}, "tag": "linux insane", "line": " Noticing weird behavior by modifying db parameter in login request"}, {"machine": 
"HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "linux insane", "line": " Finding what the Error numbers mean. (SQL Error Codes)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux insane", "line": " Testing if we can trick the application into authentication against us"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "linux insane", "line": " Starting up metasploit to steal the login hash of a MYSQL Login"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "linux insane", "line": " Cracking the MySQL Hash with Hashcat"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux insane", "line": " Creating a databse locally for the application to authenticate to"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux insane", "line": " Examining what MySQL Does after authentication in Wireshark"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Creating the database structure so the application will authenticate against our database"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux insane", "line": " Begin of the File Encryptor PHP App"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux insane", "line": " Performing a Known Plaintext attack against the RC4 Encryption"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux insane", "line": " Explaining the Known Plaintext"}, {"machine": 
"HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux insane", "line": " Creating a Python Script to perform a SSRF attack and decrypt content"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 54, "seconds": 25}, "tag": "linux insane", "line": " Script done, discovering a LFI Exploit in /dev/"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "linux insane", "line": " Using PHP Filters to convert LFI to source code disclosure"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "linux insane", "line": " Extracting sqlite_test_page.php source code"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "linux insane", "line": " Manually analyzing the source code to discover a way to write files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 63, "seconds": 0}, "tag": "linux insane", "line": " Checking PayloadAllTheThings to get a payload for dropping files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 75, "seconds": 38}, "tag": "linux insane", "line": " Testing dropping a php script for code execution"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 78, "seconds": 0}, "tag": "linux insane", "line": " Using Chankro to bypass PHP Disabled functions"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 80, "seconds": 45}, "tag": "linux insane", "line": " Creating a PHP Script to download Chankro Script to avoid bad characters in the RCE"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 84, "seconds": 50}, "tag": "linux insane", "line": " Reverse shell returned, finding a VIMCrypted file in 
Rijndael Home"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 85, "seconds": 35}, "tag": "linux insane", "line": " Decrypting Creds.txt with a known plaintext attack in VimCrypt 02 (Blowfish)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 88, "seconds": 20}, "tag": "linux insane", "line": " Downloading the files to our local box and explaining the attack"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 90, "seconds": 30}, "tag": "linux insane", "line": " Copying our Python Script from earlier and modify it to work with our VIM File"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 98, "seconds": 20}, "tag": "linux insane", "line": " Decrypted the creds and use them to SSH"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 99, "seconds": 10}, "tag": "linux insane", "line": " Analyzing the kryptos.py file"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "linux insane", "line": " Testing how random the random is"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 106, "seconds": 0}, "tag": "linux insane", "line": " Creating a python script to bruteforce the key as we know the randomness is broken"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 117, "seconds": 0}, "tag": "linux insane", "line": " Script to brute force signing key done"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 118, "seconds": 45}, "tag": "linux insane", "line": " Getting code execution within the eval statement"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 124, "seconds": 30}, "tag": "linux insane", "line": " Extra content, showing by using the encrypt method twice 
early on \u2014 you can decrypt pages"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Checking FTP to get a note"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 3, "seconds": 38}, "tag": "", "line": " Going to each of the three websites"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Running Gobuster on port 80/3000"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Taking notes of all the login pages (forgot Ajenti)"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "", "line": " config.php found which has a password"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "", "line": " Discovering /login on port 3000 accepts username=&password= "}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 11, "seconds": 25}, "tag": "", "line": " Successful login! 
JWT Token returned"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Using curl to add the JWT Token in the header to access other api endpoints"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "", "line": " Using BurpSuite to add headers"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Navigating the Rest API to dump the usernames and passwords"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Attempting logins on other services"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Derry can login to /management"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Ajenti Password! Lets try logging in"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " Ajenti has a virtual terminal that is running as root!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Extra Content - Getting a reverse shell"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Grabbing the JWT Secret, so we can forge our own tokens!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "", "line": " Creating a python script to generate JWT Tokens"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "", "line": " This token has no expiration time, and is assigned at 0. 
Should never expire!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Adding Requests to our script, so the script can make web requests"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " Lets try removing all signing algorithms from the token and see if server accepts it"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Cracking the JWT Token Signing key with Hashcat"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 1, "seconds": 33}, "tag": "windows easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "windows easy", "line": " Using SMBClient to view open shares, discover /Backups"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Mount the SMB Share "}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "windows easy", "line": " Playing with SMBMap which is a bit more automated but write files!"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 5, "seconds": 22}, "tag": "windows easy", "line": " Checking out files in the /Backups share"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Using 7zip to view files in a VHD file"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows easy", "line": " Installing libguestfs-tools in order to use guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 9, "seconds": 25}, 
"tag": "windows easy", "line": " Mounting the VHD with guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows easy", "line": " Extracting local passwords from SAM and SYSTEM with secretsdump"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 13, "seconds": 30}, "tag": "windows easy", "line": " Cracking the hash and then using SSH to login to the box"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows easy", "line": " Viewing local adminstrators and seeing administrators is not actually disabled (backup indicated it was)"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows easy", "line": " Running JAWS"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows easy", "line": " Discovering mRemoteNG installed"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows easy", "line": " Looks like there is a way to decrypt passwords stored in mRemoteNG"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "windows easy", "line": " Installing mRemoteNG-Decrypt then decrypting the passwords in the config"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "windows easy", "line": " Using PSEXEC or SSH to remote in as administrator"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 0, "seconds": 42}, "tag": "linux hard", "line": " Begin of recon"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "linux hard", "line": " Examining the webpage "}, 
{"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 4, "seconds": 28}, "tag": "linux hard", "line": " Discoving SFTP Credentials on the web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Playing with the SFTP Server"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux hard", "line": " Discoving the SymLink command to break out of home directory"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "linux hard", "line": " Symlinking the root directory to find the source of login.php through VIM SWP Files."}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "linux hard", "line": " Second way to get source code, symlink with a file naming ending in not PHP"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux hard", "line": " Examining the source code to login.php and getting a hard coded username"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " Examining index.php to see how to access a login portal (admin)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux hard", "line": " Using SSH to do port forwarding (Reddish)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux hard", "line": " Examinig the admin web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 24, "seconds": 13}, "tag": "linux hard", "line": " Examing the Apache Rewrite Engine Rules"}, {"machine": 
"HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "linux hard", "line": " Checking the source code to addon-manager to identify how upload/download features work"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 26, "seconds": 15}, "tag": "linux hard", "line": " Explaining the Rewrite attack"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Uploading a reverse shell, then executing"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Reverse shell returned"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 34, "seconds": 30}, "tag": "linux hard", "line": " Can sudo with apt, checking GTFO Bins"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Looks like we can MITM Apt due to passing a proxy through sudo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux hard", "line": " Configuring Burp to act as an HTTP Proxy and pass it to Python"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "linux hard", "line": " Creating the Malicious APT Repo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "linux hard", "line": " Creating the Malicious Deb File"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 51, "seconds": 30}, "tag": "linux hard", "line": " Getting the Root Shell"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " 
Begin of recon"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Running GoBuster to discover /dev and index.php"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Checking out the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "", "line": " Discovering SQL Injection in ID and playing with it"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "", "line": " Running SQLMap to dump pieces of the database"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 14, "seconds": 55}, "tag": "", "line": " Nginx Misconfiguration, missing trailing slash"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "", "line": " Downloading source code of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Exploring the source of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 25, "seconds": 47}, "tag": "", "line": " Specifying an error string in SQLMap to have it do boolean logic versus time-based"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "", "line": " Installing a Docker LAMP Server to run the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 45, "seconds": 40}, "tag": "", "line": " Finally got the application running locally (Missed a comma which created a lot more work)"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 46, 
"seconds": 15}, "tag": "", "line": " Analyzing the SQL Injection with Debug turned on to see how it works"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Explanation of gaining code execution through an LFI + PHP Cookies"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "", "line": " Exploring the cookie"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "", "line": " Have code execution on our docker, lets exploit the server"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 62, "seconds": 35}, "tag": "", "line": " Exploring MySQL database and escalating to GULY"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "", "line": " Running LinEnum as Guly and going through the results"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 72, "seconds": 0}, "tag": "", "line": " Exploring files Guly can access due to Grub Group, downloading initrd"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 74, "seconds": 10}, "tag": "", "line": " Decompressing initrd.img and looking for the file GULY modified"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 81, "seconds": 20}, "tag": "", "line": " Running STRACE to see what uinitrd does"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 84, "seconds": 20}, "tag": "", "line": " Running uinitrd after modifying /etc/hosts and /boot/guid"}, {"machine": "HackTheBox - Unattended", "videoId": 
"2SATzCQY0Zw", "timestamp": {"minutes": 86, "seconds": 20}, "tag": "", "line": " Extra Content: If you had trouble with TTY, SSH is accessible via IPv6"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 90, "seconds": 50}, "tag": "", "line": " Extra Content: Runing GIXY to analyze the NGINX Configuration"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 95, "seconds": 20}, "tag": "", "line": " Extra Content: Looking at uinitrd in Ghidra"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 0, "seconds": 35}, "tag": "windows hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 1, "seconds": 42}, "tag": "windows hard", "line": " Checking the ManageEngine Page"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 2, "seconds": 23}, "tag": "windows hard", "line": " Running Searchsploit to see potential exploits"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "windows hard", "line": " Enumerating valid usernames via AjaxDomainServlet"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows hard", "line": " Logging in with guest:guest"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "windows hard", "line": " Running the privilege escalation script to get Administrator access"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "windows hard", "line": " Searching for information on this exploit"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows hard", "line": " Blog post missing... 
Searching Archive.org and Google Cache for a mirror"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows hard", "line": " Making curl go through burp to step through the exploit in BurpSuite"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "windows hard", "line": " Copying the admin cookies into FireFox "}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "windows hard", "line": " Going to Admin then Custom Triggers to execute code on the server"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "windows hard", "line": " Getting a reverse shell via Nishang"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "windows hard", "line": " Using iconv to create UTF-16LE encoded Base64 for use with \"-EncodedCommand\" option"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "windows hard", "line": " Reverse Shell as System returned, but EFS Protects the flags"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "windows hard", "line": " Finding interesting files with get-childitem -recurse . | select FullName"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows hard", "line": " Copying mimikatz over to the box to steal NTLM Hashes"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " Defender blocked us. 
Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 32, "seconds": 50}, "tag": "windows hard", "line": " Using hashes.org to view password of Zachary, checking his groups to see he can view event logs"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "windows hard", "line": " Doing some powershell goodness to search event logs!"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nishang screws with how some commands output to stdout. This could of been a lot cleaner."}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 43, "seconds": 0}, "tag": "windows hard", "line": " Using Mimikatz to decrypt the EFS Protected file with Tolu's password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 57, "seconds": 25}, "tag": "windows hard", "line": " Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 60, "seconds": 20}, "tag": "windows hard", "line": " admin-pass is the output of SecureString, lets decrypt it to get the admin password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 62, "seconds": 20}, "tag": "windows hard", "line": " Using Invoke-Command with the credential object created to execute commands as administrator"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "windows hard", "line": " Cannot read root.txt because of \"Double Hop Problem\" (how PowerShell Authenticates), using CredSSP Authentication to fix this."}, 
{"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "windows medium", "line": " Begin of Recon "}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows medium", "line": " Checking the WebPages"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows medium", "line": " Examining /userSubscribe.faces, to discover potential deserialization"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "windows medium", "line": " Exploring javax.faces.ViewState"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "windows medium", "line": " Googling around to see what an unencrypted serialized object should look like"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "windows medium", "line": " Checking out SMB to discover an openshare"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows medium", "line": " Downloading appserver.zip from batshare via smbclient"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "windows medium", "line": " Cracking a luks encrypted file with dd and hashcat"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "windows medium", "line": " Luks cracked, mounting the disk with luksOpen"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows medium", "line": " Discovery of the secret used to encrypt the java object"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 18, "seconds": 
10}, "tag": "windows medium", "line": " Creating a python script to decrypt the ViewState to verify we have correct crypto settings"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 23, "seconds": 10}, "tag": "windows medium", "line": " Script completed, lets test the decryption!"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "windows medium", "line": " Downloading ysoserial to create a deserialization CommonCollections gadget"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Creating a python script to exploit the deserialization vuln"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows medium", "line": " Script complete! We got a ping, testing the MyFaces serialization objects (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows medium", "line": " Modifying the script to run commands other than what ySoSerial provided"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 41, "seconds": 10}, "tag": "windows medium", "line": " Script updates finished, trying to get a reverse shell via nishang (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 42, "seconds": 40}, "tag": "windows medium", "line": " Trying Invoke-WebRequest, because Net.WebClient did not work. 
(testing for constrained mode)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "windows medium", "line": " Downloading netcat to upload to the box"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows medium", "line": " Netcat returned a powershell reverse shell "}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows medium", "line": " Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows medium", "line": " Using evolution to view mbox file and find Batman's password"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 52, "seconds": 45}, "tag": "windows medium", "line": " Using Powershell's Invoke-Command to execute commands as Batman (like runas)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows medium", "line": " Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 58, "seconds": 10}, "tag": "windows medium", "line": " Unintended: Using net use to mount c$ and view the flag"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "windows medium", "line": " Checking github hfiref0x/UACME to find a UAC Bypass. 
Chose one by a fellow HTB Member"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 10}, "tag": "windows medium", "line": " Using GreatSCT/MSBuild to launch Meterpreter"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 45}, "tag": "windows medium", "line": " While GreatSCT installs, create a DLL to return a reverse shell"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "windows medium", "line": " copying the DLL into c:\\users\\batman\\appdata\\local\\microsoft\\windowsapps"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 68, "seconds": 30}, "tag": "windows medium", "line": " Using GreatSCT to generate payloads"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 71, "seconds": 50}, "tag": "windows medium", "line": " Getting a Meterpreter Session then migrating into an interactive process"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 77, "seconds": 45}, "tag": "windows medium", "line": " Running SystemPropertiesAdvanced.exe, which elevates and executes our dll"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "linux insane", "line": " Begin of recon"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 4, "seconds": 41}, "tag": "linux insane", "line": " Exploring the web page on port 80"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 6, "seconds": 2}, "tag": "linux insane", "line": " Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 6}, "tag": "linux insane", "line": " Creating a hotkey 
in Burpsuite to send requests in repeater pane"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 50}, "tag": "linux insane", "line": " Start of creating a python program to automate this"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 17, "seconds": 30}, "tag": "linux insane", "line": " Script finished"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "linux insane", "line": " Exploring /var/appsrv "}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "linux insane", "line": " Exploring authpf"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "linux insane", "line": " Hunting for the signing key for the CA to view HTTPS"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "linux insane", "line": " Copying the certificates to our box"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux insane", "line": " Creating and signing a Client Certificate"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux insane", "line": " Importing the certificate into FireFox"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 30, "seconds": 49}, "tag": "linux insane", "line": " Discovering the reason our certificate isn't working (time of server is behind)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "linux insane", "line": " Accessing the HTTPS Website to get a SSH key for NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 33, "seconds": 
40}, "tag": "linux insane", "line": " Discovering additional ports are open after using SSH with NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "linux insane", "line": " Installing the NFS-COMMON package to get the showmount binary"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 35, "seconds": 10}, "tag": "linux insane", "line": " Mounting a NFS Share with Version 2"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux insane", "line": " Editing our User ID on our box to gain access to the NFS Directories"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "linux insane", "line": " Reading mail to discover that the root password is set to the Postgres databases root pw"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "linux insane", "line": " Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 40, "seconds": 20}, "tag": "linux insane", "line": " SSH into the box as Charlie and dumping the database"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux insane", "line": " Exploring the source code to the web application"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux insane", "line": " Copying the crypto python script to our box, which will let us decrypt it"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 40}, "tag": "linux insane", "line": " Copying the secrets into the crypto python script and decrypting the 
password"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of nmap"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Attempting to execute an VSFTPD Backdoor via MSF"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " Discovering the backdoor opened 6200, discovering a weird shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "", "line": " Lets figure out what just happened"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Triggering the backdoor without Metasploit"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 9, "seconds": 5}, "tag": "", "line": " Exploring the Psy PHP Shell opened up by the backdoor"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Several functions for executing bash aren't working, checking disable_functions"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Attempting to bypass disabled_functions (does not work)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Using ScanDir() and File_Get_Contents(), to explore the filesystem"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "", "line": " Identifying we are probably running as the Dali User (Unintended Path)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 
17, "seconds": 0}, "tag": "", "line": " Downloading CA.KEY, which is a private key to a webserver"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 21, "seconds": 40}, "tag": "", "line": " Using the CA.KEY to generate client certificates to access the HTTPS Page"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 30, "seconds": 25}, "tag": "", "line": " Weird it didn't work, lets just verify all our certificates are good"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 32, "seconds": 28}, "tag": "", "line": " This time it worked! We connected to the server"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "", "line": " Failing to add the certificate to BurpSuite"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 50}, "tag": "", "line": " Discovering File Traversal by editing the PATH variable"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 36, "seconds": 38}, "tag": "", "line": " Discovering the LFI just puts the path as Base64 Encoded"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "", "line": " Using the LFI to download the SSH Private Key"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "", "line": " Testing SSH Key against users on the box to gain access!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 39, "seconds": 13}, "tag": "", "line": " UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "", 
"line": " UNINTENDED: Using file_put_contents() to append our public key to authorized_keys"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "", "line": " UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " UNINTENDED: Scanning ports on Dali that are listening on LocalHost"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 43, "seconds": 8}, "tag": "", "line": " UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 45, "seconds": 35}, "tag": "", "line": " Running PSPY and LinEnum"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "", "line": " Using PSPY to view FileSystem Events which will show the cron"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "", "line": " Taking control of ~/memcached.ini because we own the folder!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " Exploiting the cron that utilizes memcached.ini to get a root shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Bonus"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 55, "seconds": 55}, "tag": "", "line": " Exploring how the SSL Authentication is working"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Exploring how the VSFTPD Backdoor 
was modified."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Support me on Patreon! https://patreon.com/ippsec"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux insane", "line": " Start of Recon, discovering CentOS Version via HTTPD Version"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux insane", "line": " Checking out the HTTP Page"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 3, "seconds": 32}, "tag": "linux insane", "line": " Checking out login.php"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux insane", "line": " Identifying a Secure Token is used, most likely STOKEN"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "linux insane", "line": " Failing to enumerate usernames through BruteForce"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux insane", "line": " Fuzzing the login form with special characters to identify a blacklist"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 11, "seconds": 45}, "tag": "linux insane", "line": " Trying Double URL Encoding to bypass the BlackList"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 12, "seconds": 55}, "tag": "linux insane", "line": " Explaining Double URL Encoding"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux insane", "line": " Discovering this is most likely a LDAP Injection"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux insane", "line": 
" Explaining how a LDAP Query Works"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "linux insane", "line": " Identifying the LDAP Query Structure with a Null Byte"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "linux insane", "line": " Injecting the WildCard (*) to enumerate usernames"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "linux insane", "line": " Using Wfuzz to extract the username"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux insane", "line": " Enumerating LDAP Attributes that are utilized"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 30, "seconds": 26}, "tag": "linux insane", "line": " Creating a python script to extract the Pager Attribute"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 41, "seconds": 38}, "tag": "linux insane", "line": " Script complete, lets extract the token"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 43, "seconds": 45}, "tag": "linux insane", "line": " Using STOKEN to generate the OTP and logging in"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Disabling NTP so we can math the server time"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 44}, "tag": "linux insane", "line": " Discovery of that second half of the original LDAP Query at 16 minutes."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 47, "seconds": 33}, "tag": "linux insane", "line": " Using a Null Byte to remove the GROUP Check."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": 
{"minutes": 50, "seconds": 33}, "tag": "linux insane", "line": " Running Commands"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 50, "seconds": 25}, "tag": "linux insane", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 53, "seconds": 17}, "tag": "linux insane", "line": " Checking for the LDAP Bind password, then SSHing into the box"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 55, "seconds": 0}, "tag": "linux insane", "line": " Going over the /backup directory"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "linux insane", "line": " Using ListFiles to have 7za print our the contents of root.txt"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " Running SMBMap to identify and crawl file shares"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Downloading creds.txt from an smb share and checking FTP/SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Checking the webpage and grabbing potential DNS Names for the box"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "", "line": " Using dig to perform a DNS Zone Transfer to obtain additional host names"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Adding all hostnames to /etc/hosts"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": 
{"minutes": 12, "seconds": 55}, "tag": "", "line": " Running Aquatone to take screenshots of all the pages for quick examination"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Testing Uploads.Friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Testing admin.friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Testing administrator1.friendzone.red, logging in with creds found from SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "", "line": " Found an LFI in the Dashboard.PHP script (PageName Variable)"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Using PHP Wrappers with the LFI To obtain PHP Script Source"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Revisiting recon to find ways to upload files, end up using SMBClient"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Gaining code execution through the LFI Exploit and SMB File Share"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "", "line": " Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 31, "seconds": 20}, "tag": "", "line": " Running 
PSPY to identify cron jobs we don't have permission to see"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 38, "seconds": 20}, "tag": "", "line": " Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 40, "seconds": 45}, "tag": "", "line": " Placing a reverse shell in the Python OS library"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows insane", "line": " Intro"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows insane", "line": " Begin of Recon, discovery of an HTTP API that has a few commands"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows insane", "line": " Using JQ to parse json output, use NetStat/Proc to find GoPhish"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows insane", "line": " Logging into GoPhish with default creds admin:gophish, finding DNS Names"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "windows insane", "line": " Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 33, "seconds": 20}, "tag": "windows insane", "line": " Using wfuzz to bruteforce the password for webadmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 37, 
"seconds": 10}, "tag": "windows insane", "line": " Finding Code Execution in WebAdmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "windows insane", "line": " Creating a Python Script to give a pseudo shell to cat, ls, and upload"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 70, "seconds": 45}, "tag": "windows insane", "line": " Script finished, uploading reGeorg to create a proxy onto the box to bypass FW"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 76, "seconds": 20}, "tag": "windows insane", "line": " Using WinRM to access low privilege shell as Simple User"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 85, "seconds": 8}, "tag": "windows insane", "line": " Exploring /Util/Scripts to find a way to privesc to Hacker"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 90, "seconds": 29}, "tag": "windows insane", "line": " Exploring GetSystem functionality of meterpreter"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 97, "seconds": 20}, "tag": "windows insane", "line": " Starting to create program to steal a token from NamedPipe Clients"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 101, "seconds": 0}, "tag": "windows insane", "line": " Creating XOR Encrypter for payloads in C (There is a bug used & instead of %)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 108, "seconds": 20}, "tag": "windows insane", "line": " Using MSFVenom to generate raw payload to XOR then generate in C Format"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 111, "seconds": 38}, "tag": "windows insane", "line": " Creating the Stager to execute meterpreter, with some fun old 
AV Evasion tactics"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (Testing/Bug Hunting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 123, "seconds": 45}, "tag": "windows insane", "line": " Found the issue, AND'd the payload instead of XOR'd in encrypt.c"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 128, "seconds": 30}, "tag": "windows insane", "line": " Creating the NamedPipe portion of code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 148, "seconds": 30}, "tag": "windows insane", "line": " Creating the Pipe Impersonation part of the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 163, "seconds": 16}, "tag": "windows insane", "line": " Had some weird errors, adding the ability to enable token privileges"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (more troubleshooting....)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 181, "seconds": 0}, "tag": "windows insane", "line": " Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 186, "seconds": 10}, "tag": "windows insane", "line": " Meterpreter Session Loaded. 
Unfortunately it grab the impersonation token, more troubleshooting."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 188, "seconds": 20}, "tag": "windows insane", "line": " Found the bug that caused us to not pass the token"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 189, "seconds": 45}, "tag": "windows insane", "line": " Re-Explaining all the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 194, "seconds": 57}, "tag": "windows insane", "line": " Meterpreter loaded, using incognito to grab our impersonation token for HACKER user"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 210, "seconds": 15}, "tag": "windows insane", "line": " Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 215, "seconds": 50}, "tag": "windows insane", "line": " Start of looking at UserLogger Service, download it, un-UPX it"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 221, "seconds": 30}, "tag": "windows insane", "line": " Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 229, "seconds": 40}, "tag": "windows insane", "line": " UserLogger lets us write binaries as SYSTEM with 777 permissions! 
Lets chain Diagnostic Hub Exploit"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 232, "seconds": 0}, "tag": "windows insane", "line": " Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " (Tons of trouble shooting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 258, "seconds": 5}, "tag": "windows insane", "line": " Changing from DEBUG mode to RELEASE mode for compiling. Which fixes it."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 265, "seconds": 15}, "tag": "windows insane", "line": " Root.txt is hidden behind alternate data streams."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 267, "seconds": 39}, "tag": "windows insane", "line": " ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows easy", "line": " Begin of Recon"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows easy", "line": " Searching for good files to view via FTP"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows easy", "line": " Nothing really found, searching for where PRTG creation file is"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 14, "seconds": 34}, "tag": "windows easy", "line": " Backup configuration found!"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "windows easy", "line": " Logging in by incrementing the password from 2018 to 2019"}, {"machine": "HackTheBox - Netmon", "videoId": 
"ZxvgniJXbOo", "timestamp": {"minutes": 17, "seconds": 55}, "tag": "windows easy", "line": " Searching for CVE's"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 19, "seconds": 45}, "tag": "windows easy", "line": " Searching for where to send notification emails like CVE Said"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "windows easy", "line": " Testing for Command Injection via Cmd"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows easy", "line": " Testing for Command Injection via Powershell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 26, "seconds": 55}, "tag": "windows easy", "line": " Encoding powershell in Base64 to eliminate potential bad characters"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows medium", "line": " Begin of Reocn"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "windows medium", "line": " Using SMBMap to enumerate fileshares"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Discovering an Excel Macro File"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using olevba to extract macro from the document to discover credentials"}, {"machine": "HackTheBox - Querier", 
"videoId": "d7ACjty4m7U", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "windows medium", "line": " Using MSSQLClient.py from Impacket to log into the SQL Server"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "windows medium", "line": " Doing the SQL CMD:XP_DIRTREE to read a file off a UNC Share to steal the hash with Responder"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "windows medium", "line": " Cracking the NetNTLMv2 Hash"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 14, "seconds": 11}, "tag": "windows medium", "line": " Explaining the Responder Database file to view previously captured hashes"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "windows medium", "line": " Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows medium", "line": " Getting a Nishang Reverse Shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 22, "seconds": 0}, "tag": "windows medium", "line": " Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ** For some reason the user created with Invoke-ServiceAbuse cannot write to C$ so no psexec :("}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "windows medium", "line": " Going back to the password disclosed via Group Policy and discovering they are an administrator"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", 
"timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows medium", "line": " Explaining how the PowerUp module decrypted a password out of Group Policy"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows medium", "line": " Getting VIM to highlight the syntax of Powershell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "windows medium", "line": " Rooting the box with Invoke-ServiceAbuse"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux hard", "line": " Adding DNS Names to /etc/hosts"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux hard", "line": " Using Aquatone to take HTTP Screenshots of a bunch of pages"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "linux hard", "line": " Start of looking at FreeFlujab.htb"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux hard", "line": " Looking at HTTP Cookies we send"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux hard", "line": " Editing Cookies in Firefox"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Discovering SMTP_CONFIG, which lets us change where the mail server is"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "linux hard", "line": " Using FireFox to remove character restrictions on a page"}, {"machine": 
"HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "linux hard", "line": " The WebPage kept resetting our cookie, using Burp to auto replace"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux hard", "line": " Standing up a SMTP Server in python to read mail"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "linux hard", "line": " Discovering SQL Injection"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux hard", "line": " SQL Injection confirmed, testing Union Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Creating a Python Script to aid us in running SQL Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "tag": "linux hard", "line": " Script: Running a SMTP Server in background thread"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 41, "seconds": 35}, "tag": "linux hard", "line": " Script: Adding ability to use arrow keys to go to previous command"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 46, "seconds": 42}, "tag": "linux hard", "line": " Script: Making our command prompt send HTTP Requests"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 52, "seconds": 40}, "tag": "linux hard", "line": " Dumping database structure from INFORMATION_SCHEMA"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "linux hard", "line": " Dumping information out of the VACCINATIONS Table"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 
67, "seconds": 50}, "tag": "linux hard", "line": " User information dumped, cracking a sha256 hash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "linux hard", "line": " Accessing a new HOSTNAME from the database (sysadmin-console-01)"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 76, "seconds": 0}, "tag": "linux hard", "line": " Logging into Ajenti"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 77, "seconds": 0}, "tag": "linux hard", "line": " Discovering Notepad can read files from the server"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 84, "seconds": 10}, "tag": "linux hard", "line": " Looks like there was a SSH Key Compromise on the box from a README File"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 87, "seconds": 40}, "tag": "linux hard", "line": " Searching the compromised debian keys for one on the box"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 89, "seconds": 48}, "tag": "linux hard", "line": " Able to SSH Into the box with the Key! 
However we are in restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 90, "seconds": 30}, "tag": "linux hard", "line": " rBash escape 1: Using GTFOBins to find a way to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 92, "seconds": 30}, "tag": "linux hard", "line": " rBash escape 2: Using -t bash argument in SSH to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 93, "seconds": 30}, "tag": "linux hard", "line": " Exploiting an old version of Screen to PrivEsc!"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " * Second way to get a shell on the box *"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 103, "seconds": 40}, "tag": "linux hard", "line": " Creating files in /home/sysadm"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 106, "seconds": 40}, "tag": "linux hard", "line": " SSH is configured to allow public keys to also be placed in ~/access "}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 108, "seconds": 0}, "tag": "linux hard", "line": " Reading Ajenti Documentation to see API lets us change file permissions"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 110, "seconds": 0}, "tag": "linux hard", "line": " Ajenti wants the CHMOD Number to be in a weird format"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "linux easy", "line": " Running gobuster to find /support"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", 
"timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " Searching for a way to find version of HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 3, "seconds": 35}, "tag": "linux easy", "line": " Reading over the File Upload exploit script to see it requires server time"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 5, "seconds": 10}, "tag": "linux easy", "line": " Uploading a PHP Reverse Shell Script"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux easy", "line": " Going back to GitHub to find where uploads are saved"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "linux easy", "line": " Begin of modifying the script to pull the server time out of HTTP Headers"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux easy", "line": " Figuring out the python to pull the \"Date\" HTTP Header"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Getting the Time Format right with STRFTIME.COM"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 19, "seconds": 40}, "tag": "linux easy", "line": " Testing out the exploit and getting a shell"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Discovery of an old kernel, looking for an exploit"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux easy", "line": " Copying the exploit, compiling, and privesc!"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Looking into 
port 3000"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux easy", "line": " /graphql discovered"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 42}, "tag": "linux easy", "line": " Dumping the schema to discover what data is inside"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 30, "seconds": 15}, "tag": "linux easy", "line": " Dumping username, password from the database"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 32, "seconds": 12}, "tag": "linux easy", "line": " Logging into HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "linux easy", "line": " Discovering the Boolean SQL Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "linux easy", "line": " Running SQLMap"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux easy", "line": " Explaining the Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 37, "seconds": 10}, "tag": "linux easy", "line": " Begin of creating a python script to exploit this"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 1, "seconds": 4}, "tag": "windows insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "windows insane", "line": " Checking the web interfaces"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "windows insane", "line": " Discovering there is a Certificate Authority"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 8, "seconds": 
50}, "tag": "windows insane", "line": " Taking a look at LDAP"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows insane", "line": " Examining SMB to find shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows insane", "line": " Searching the Operations and Department Shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 14, "seconds": 50}, "tag": "windows insane", "line": " Viewing permissions of a SMB Share with SMBCACLS"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 19, "seconds": 10}, "tag": "windows insane", "line": " Discovering a writeable share, dropping a SCF File to get a hash"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 22, "seconds": 4}, "tag": "windows insane", "line": " Using Hashcat to crack NetNTLMv2"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 24, "seconds": 40}, "tag": "windows insane", "line": " Using SMBMap to identify if this user has access to anything extra"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "windows insane", "line": " Discovering the CertSRV Directory "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows insane", "line": " Discovering Powershell Remoting"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows insane", "line": " Error from WinRM (Need SSL)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows insane", "line": " Using openSSL to generate a private key"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": 
{"minutes": 31, "seconds": 52}, "tag": "windows insane", "line": " Going to /CertSRV to sign our certificate as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows insane", "line": " Adding the SSL Authentication to WinrM"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "windows insane", "line": " Playing with LDAP Again (with the Amanda Creds)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "windows insane", "line": " Shell on the box with WinRM as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 38, "seconds": 15}, "tag": "windows insane", "line": " Running SharpHound to enumerate Active Directory"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 40, "seconds": 29}, "tag": "windows insane", "line": " Applocker is on the box, lets move it in the windows directory "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "windows insane", "line": " Trying to get the bloodhound data off the box."}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 44, "seconds": 20}, "tag": "windows insane", "line": " Starting bloodhound "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 45, "seconds": 27}, "tag": "windows insane", "line": " File didn't copy lets load up Covenant"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "windows insane", "line": " Covenant is up and running - Create a HTTP Listener"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "windows insane", "line": " Hosting a Launcher"}, {"machine": "HackTheBox 
- Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 52, "seconds": 30}, "tag": "windows insane", "line": " Getting a grunt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 54, "seconds": 40}, "tag": "windows insane", "line": " Running SeatBelt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 57, "seconds": 0}, "tag": "windows insane", "line": " Running SharpHound"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Finally uploading the bloodhound data"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 61, "seconds": 18}, "tag": "windows insane", "line": " Running Bloodhound with all Collection Methods"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 65, "seconds": 15}, "tag": "windows insane", "line": " Discovering the MRLKY can DCSYNC"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 67, "seconds": 25}, "tag": "windows insane", "line": " Cannot kerberoast because of the Double Hop Problem, create token with MakeToken"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows insane", "line": " Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 74, "seconds": 40}, "tag": "windows insane", "line": " Running WMIExec to get Administrator"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 82, "seconds": 0}, "tag": "windows insane", "line": " UNINTENDED Method 1: Amanda can write to Clean.bat"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 84, "seconds": 30}, "tag": "windows insane", "line": " UNINTENDED Method 2: Forensic 
artifacts leave MRKLY Hash in C:\\windows\\system32\\file.txt"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Starting up GoBuster then editing /etc/hosts to add the hosts in nmap"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Going over the website"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Discovering a wordpress instance (/wp/ form goBuster)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Finding webmail credentials from a wordpress Protected Post"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "", "line": " Discovering webmail.chaos.htb (Method 1)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Testing IMAP, then configuring Evolution to login to the mail server (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 16, "seconds": 40}, "tag": "", "line": " Decrypting the message that was in the draft."}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 22, "seconds": 55}, "tag": "", "line": " Message decrypted, new page discovered"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 23, "seconds": 11}, "tag": "", "line": " Discovering a webpage for creating pdfs"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Searching for a code injection path for LaTex"}, 
{"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "", "line": " Discovering the blacklist is on \"input\""}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "", "line": " Testing for blind command execution via ping"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 27, "seconds": 43}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 28, "seconds": 10}, "tag": "", "line": " Enumerating the web directory to find passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 11}, "tag": "", "line": " Switching to the \"Ayush\" user with mail password, discover we are in rBash"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 45}, "tag": "", "line": " Escaping rBash by via tar (Method 1: GTFOBins)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "", "line": " Escaping rBash by editing path (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 32, "seconds": 55}, "tag": "", "line": " Discovering a mozilla user configuration directory, copying it off to export passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "", "line": " Using firefox_decrypt to export root password"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "", "line": " Logging into webmin with credentials from firefox"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Privesc via switching to root user with known password (Method 1)"}, 
{"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 38, "seconds": 10}, "tag": "", "line": " Using webmin to execute commands as root (Method 2)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "windows hard", "line": " Begin of recon"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 2, "seconds": 54}, "tag": "windows hard", "line": " Checking SNMP with snmpwalk"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 3, "seconds": 29}, "tag": "windows hard", "line": " Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 4, "seconds": 18}, "tag": "windows hard", "line": " Getting more SNMP Information with snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 7, "seconds": 35}, "tag": "windows hard", "line": " Going over UDP Ports discovered by snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows hard", "line": " Running ike-scan"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 11, "seconds": 55}, "tag": "windows hard", "line": " Examining ike-scan results to build a IPSEC Config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 13, "seconds": 50}, "tag": "windows hard", "line": " Installing Strongswan (IPSEC/VPN Program)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 14, "seconds": 19}, "tag": "windows hard", "line": " Adding the PSK Found earlier to /etc/ipsec.secrets"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "windows hard", "line": " Begin 
configuring /etc/ipsec.conf"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 20, "seconds": 8}, "tag": "windows hard", "line": " Starting and debugging ipsec"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "windows hard", "line": " Explaining why we add TCP to strongswan config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "windows hard", "line": " Starting IPSEC, then using NMAP through IPSEC."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " (You may want to run WireShark here and see all traffic is encrypted thanks to ipsec)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 25, "seconds": 55}, "tag": "windows hard", "line": " Enumerating SMB Quickly (SMBMap/cme)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "windows hard", "line": " Enumerating FTP, discovering we can upload files"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "windows hard", "line": " Checking HTTP, hunting for our uploaded file. 
Then uploading files that may lead to code execution"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 29, "seconds": 44}, "tag": "windows hard", "line": " Grabbing an ASP Webshell from Github/tennc/webshell"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 8}, "tag": "windows hard", "line": " Webshell has been uploaded"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "windows hard", "line": " Explaining a weird MTU Issue you *may* run into due to the nested VPN's"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "windows hard", "line": " Back to playing with the web shell, getting a reverse shell with Nishang"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 3}, "tag": "windows hard", "line": " Explaining RLWRAP"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "windows hard", "line": " whoami /all shows SEImpersonation, so we run JuicyPotato to privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 44, "seconds": 35}, "tag": "windows hard", "line": " JuicyPotato fails with the default CLSID, changing it up to get it working."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 46, "seconds": 30}, "tag": "windows hard", "line": " Doing the box again with Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 47, "seconds": 15}, "tag": "windows hard", "line": " Setting up the IPSEC Connection through Windows Firewall"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "windows hard", "line": " Installing a DotNet C2 (The Covenant)"}, 
{"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 54, "seconds": 20}, "tag": "windows hard", "line": " Covenant/Elite open, starting a Listener then a Powershell Launcher"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 60, "seconds": 10}, "tag": "windows hard", "line": " Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "windows hard", "line": " Grabbing the Sandbox Escaper ALPC Privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 68, "seconds": 3}, "tag": "windows hard", "line": " Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " (bunch of flailing, then reverting the machine)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 85, "seconds": 35}, "tag": "windows hard", "line": " Box is reverted, trying the ALPC Exploit again"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of recon, Nmap"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Taking the CentOS Apache Version to find major version"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "", "line": " Running GoBuster with a Common-PHP-Files wordlist."}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "", "line": " Enumerating Ldap with ldapsearch"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", 
"timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Discovery of Password Hashes within ldap information"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "", "line": " Attempting to crack the hashes. (does not crack)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Back to the web page"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "", "line": " Page says to login with ip@Lightweight with the password of your ip"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 15, "seconds": 35}, "tag": "", "line": " Running LinEnum"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Discovery of Extended Capabilities set on tcpdump"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "", "line": " Performing a packet capture over SSH without touching disk"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "", "line": " Examining the pcap created, don't see anything on ens33"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Performing a packet capture through SSH and piping live results to WireShark"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Discovery of LDAP Traffic, ldapuser2 password passed in clear-text"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Using bash to exfil a file over the network (backup.7z)"}, 
{"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "", "line": " Using 7z2john and hashcat to crack a 7zip file"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "", "line": " Examining extracted files to discover a new credential (ldapuser1)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "", "line": " The openssl binary in ldapuser1 has an empty capability (which is all)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Using GTFOBins to see what we can do with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 11}, "tag": "", "line": " Reading /etc/shadow with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 35}, "tag": "", "line": " Adding an entry into /etc/sudoers to allow us to escalate to root"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows insane", "line": " Begin of Nmap"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "windows insane", "line": " Pulling important information from the website"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows insane", "line": " Discovering DNS Names, adding stuff to /etc/hosts"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "windows insane", "line": " Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": 
{"minutes": 23, "seconds": 50}, "tag": "windows insane", "line": " Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows insane", "line": " Found BigHead Web Server on Github, pulling Zips and cracking"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "windows insane", "line": " Before reversing the binary, keep hunting for information about the OS"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "windows insane", "line": " Discovering PHPInfo within the PhpMyAdmin directory, has OS."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "windows insane", "line": " Installing Immunity and Mona"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "windows insane", "line": " Grabbing MinGW so we can run the Bighead Webserver"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 55, "seconds": 40}, "tag": "windows insane", "line": " Crashing the webserver, seeing we have"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "windows insane", "line": " Sending a pattern to the box and examining the stack to see where our overwrites are"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 66, "seconds": 15}, "tag": "windows insane", "line": " Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 70, "seconds": 6}, "tag": "windows insane", "line": " Explanation of EggHunters"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", 
"timestamp": {"minutes": 76, "seconds": 5}, "tag": "windows insane", "line": " Grabbing the shellcode we want, then adding it to our exploit script"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 84, "seconds": 50}, "tag": "windows insane", "line": " Validating our exploit is working as we intended by setting a break point on JMP ESP"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "windows insane", "line": " Our box complains about DEP, lets disable that on our OS and hope its disabled on target"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "windows insane", "line": " Running the exploit against the target and getting a shell back!"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 95, "seconds": 0}, "tag": "windows insane", "line": " Searching the registry (HKLM) for \"password\""}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 97, "seconds": 0}, "tag": "windows insane", "line": " Dumping information about services on the box (HKLM\\System\\CurrentControlSet\\Services)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 98, "seconds": 15}, "tag": "windows insane", "line": " Discovery of NGINX password, then looking at ports listening on localhost"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 101, "seconds": 8}, "tag": "windows insane", "line": " Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 105, "seconds": 10}, "tag": "windows insane", "line": " SSH into nginx@Bighead over port 2020, land in an extremely restricted shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": 
{"minutes": 110, "seconds": 30}, "tag": "windows insane", "line": " Searching for vulnerable PHP Code, discovering testlink"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 122, "seconds": 55}, "tag": "windows insane", "line": " Exploiting an LFI Vulnerability"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 127, "seconds": 0}, "tag": "windows insane", "line": " Using Netcat to get a reverse shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 136, "seconds": 10}, "tag": "windows insane", "line": " Looking at the KeePass Configuration File to see where the KDBX and Key is"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 138, "seconds": 55}, "tag": "windows insane", "line": " A bunch of pain trying to get data off the Alternate Data Stream."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 151, "seconds": 30}, "tag": "windows insane", "line": " Finally got the KDBX back to my box, then crack the KeePass file"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " Last video was missing about 2 minutes and cut off at 31:35. 
Sorry, was an extremely busy week and didn't get to verify everything was good."}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "linux easy", "line": " Begin on Recon"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 1, "seconds": 39}, "tag": "linux easy", "line": " Starting a full nmap scan "}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "linux easy", "line": " Discovery of IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "linux easy", "line": " Manually looking at IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Looking at the IRC to understand how to connect to an IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux easy", "line": " Pulling the IRC Version and discovering the exploit"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux easy", "line": " Going into the history of the IRC Backdoor"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux easy", "line": " Manually exploiting the IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "linux easy", "line": " Shell returned on the server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "linux easy", "line": " Discovery of .backup which gives a steg password"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "linux easy", "line": " Logging in with djmardov"}, {"machine": 
"HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "linux easy", "line": " Discovery of SetUID enabled custom binary, viewuser"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "linux easy", "line": " Using ltrace to see what the binary does, executes the file /tmp/listusers"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux easy", "line": " Getting a root shell"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Testing exploiting the binary with \"who\", fails due to no setuid"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "linux easy", "line": " Looking at the binary within Ghidra"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "linux easy", "line": " Poking around at the website to identify what techologies it utilizes"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux easy", "line": " Discovering something odd about images/5.png"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "linux easy", "line": " Downloading 5.png to discover it is a text file with a portion of a password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "linux easy", "line": " Finding a place to login (/moodle), attempt to enumerate valid usernames"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 
8, "seconds": 0}, "tag": "linux easy", "line": " Using wfuzz to bruteforce the password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 11, "seconds": 20}, "tag": "linux easy", "line": " Looking for a way to enumerate Moodle Versions"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "linux easy", "line": " Searching for exploits for this version and finding \"Bad Teacher\""}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux easy", "line": " Start of manually exploiting this vulnerability"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "linux easy", "line": " Adding a \"Calculated Question\" which has the formula (vulnerable) parameter"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 20, "seconds": 16}, "tag": "linux easy", "line": " Finding artifacts of creating/testing the machine which spoils what we are supposed to do"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 24, "seconds": 21}, "tag": "linux easy", "line": " Fixing our forumla to allow for code execution"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "linux easy", "line": " Looking around the MySQL Database to discover hashes of other users"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 31, "seconds": 52}, "tag": "linux easy", "line": " The account Giovannibak stands out due to the hash being just MD5"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 32, "seconds": 
30}, "tag": "linux easy", "line": " Attempting the password (expelled) of the MD5 hash above to login to \"Su\" to Giovannibak"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "linux easy", "line": " Grabbing and compiling pspy to find a cronjob"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Running PSPY to discover /usr/bin/backup.sh"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " More detailed notes: https://gist.github.com/IppSec/137a9f8870bed2763048072f321073e5"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "", "line": " My Vulnerability Assessment methodology"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Starting a Nessus Scan to see what it thinks"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Running nmap and deciding what ports are needed"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 9, "seconds": 35}, "tag": "", "line": " Reviewing the Nessus Scan"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 12, "seconds": 2}, "tag": "", 
"line": " Examining what leaving KSQL/Kafka (8088) open can do"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 13, "seconds": 58}, "tag": "", "line": " Using iptables to block ports that don't need to be routable"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 15, "seconds": 53}, "tag": "", "line": " Preventing NMAP from detecting the port as filtered, doing REJECT --reject-with tcp-reset"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Using Draw.io to explain what we are doing with a Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 20, "seconds": 40}, "tag": "", "line": " Installing Apache2"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 21, "seconds": 33}, "tag": "", "line": " Creating the reverse proxy HTTPS Configuration, then enabling modules ssl, proxy, proxy_http"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Our Apache Server doesn't like self-signed certificate of remote server adding:"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- SSLProxyVerify, SSLProxyCheckPeerCN, SSLProxyCheckPeerName, SSLProxyCheckPeerExpire"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 28, "seconds": 44}, "tag": "", "line": " Enabling Universe Repo then installing mod-security"}, {"machine": "Securing 
Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "", "line": " Briefly going over the mod-security configuration file"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 32, "seconds": 35}, "tag": "", "line": " Setting ModSecurity to blocking mode then modifying the rules to allow Kibana to work"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 36, "seconds": 25}, "tag": "", "line": " ModSecurity doesn't like \"application/x-ndjson\", adding this to the allowed content types"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 40, "seconds": 13}, "tag": "", "line": " Beginning of creating a Certificate Authority to handle Mutual SSL Authentication"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "", "line": " Creating the CA Private/Public Keys with OpenSSL"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 44, "seconds": 11}, "tag": "", "line": " Creating the WebServer's private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "", "line": " Creating the users private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "", "line": " Copying the Webserver's keys to the reverse proxy, then updating Apache2 to use the certs"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", 
"videoId": "2OWtEymBQfA", "timestamp": {"minutes": 49, "seconds": 50}, "tag": "", "line": " Showing the SSL is working by adding the CA to firefox and checking if cert warnings go away"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 51, "seconds": 10}, "tag": "", "line": " Configuring Apache to force SSL Client Authentication which requires user certificates"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Creating the PFX File in order to allow Firefox to import our user certificate"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "", "line": " Demonstrating SSL Mutual Authentication is working"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "", "line": " Modifying iptables on HELK to only allow HTTP/HTTPS Connections from the Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "", "line": " Making the iptable rules on HELK persistent"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 40}, "tag": "", "line": " Uh-oh we forgot to do rules on IPv6, which allows for a firewall bypass. 
Let's just disable IPv6."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 20}, "tag": "", "line": " Flow chart of potential paths through this box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Begin of recon, SSL Enumeration, examining PHP Behavior"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 6, "seconds": 23}, "tag": "", "line": " Using GoBuster to dicover directories, pdf's, and php scripts"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "", "line": " Using wfuzz to discover subdomains (virtual host routing)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 12, "seconds": 15}, "tag": "", "line": " Guessing credential, logging in with guest:guest disover SQL Injection"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Manually doing an error-based SQL Injection with extractquery()"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Go watch the Enterprise Video if you want Double Query Based Errors **"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 31, "seconds": 50}, "tag": "", "line": " A good screenshot showing the SQL Inject Queries used, then cracking"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Doing the SQLInjection with SQLMap, needed the delay flag!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Going back to start of box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", 
"timestamp": {"minutes": 37, "seconds": 50}, "tag": "", "line": " Examining the account-signup.pdf to create a user"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "", "line": " Doing XSS (cross site scripting) to steal a cookie of the admin"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 43, "seconds": 15}, "tag": "", "line": " Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 46, "seconds": 15}, "tag": "", "line": " Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 48, "seconds": 38}, "tag": "", "line": " Playing with the Firewall portion of the site, discover command injection in deleting rules!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 52, "seconds": 28}, "tag": "", "line": " Reverse shell as www-data"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 54, "seconds": 40}, "tag": "", "line": " Discover postgresql credentials in actions.php, this database lets you create users!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 60, "seconds": 21}, "tag": "", "line": " Inserting a user into the database, then logging in with SSH"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "", "line": " Examining /etc to discover a different postgresql account-signup"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 64, "seconds": 50}, "tag": "", "line": " Adding a root user with the new credentials, then sudo to root!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", 
"timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " *** Going back to just adding our IP to the whitelist in firewall"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 66, "seconds": 29}, "tag": "", "line": " Discovering Haraka running"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "", "line": " Using Metasploit to exploit haraka, get shell as penelope"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 72, "seconds": 26}, "tag": "", "line": " Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " *** Going back, lets do the overflow! No postgres at all"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " * Go watch Bitterman if this is confusing"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 75, "seconds": 50}, "tag": "", "line": " Examining iptctl.c"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 79, "seconds": 56}, "tag": "", "line": " Using Pattern_Create to discover where the RSP (RIP) Overwrite occours."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 81, "seconds": 15}, "tag": "", "line": " Start of python script"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 84, "seconds": 11}, "tag": "", "line": " Dumping PLT Functions to use with our rop chain (no aslr on binary)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 88, "seconds": 0}, "tag": "", "line": " Getting pop gadgets with radare"}, {"machine": "HackTheBox - Redcross", "videoId": 
"-GNyDEQ9UDU", "timestamp": {"minutes": 89, "seconds": 40}, "tag": "", "line": " Building our ROP Chain"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 94, "seconds": 28}, "tag": "", "line": " Exploiting the binary! To get root."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Explaining the HELK Architecture"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Showing my VM's Spec's/build"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Installing HELK "}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Poking around HELK's Logstash container to see how it works"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Examining HELK Elastalert to view sigma rules"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 9, "seconds": 8}, "tag": "", "line": " The magic behind catching APT! 
(sorry did it for the keywords)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 11, "seconds": 58}, "tag": "", "line": " The SafetyKeyz Sigma rule, could easily be avoided"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 12, "seconds": 58}, "tag": "", "line": " Start of Windows"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 13, "seconds": 20}, "tag": "", "line": " Building a Sysmon Config with Sysmon-Modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - https://github.com/olafhartong/sysmon-modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "", "line": " Enabling Other Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Enabling Command Line Logging with arguments"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/Windows/SecuritySettings/SecurityOptions/Audit: Force Audit policy"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/Windows/SecuritySettings/AdvancedAudit/DetailedTracking/AuditProcessCreate"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/AdminTemplates/System/AuditProcessCreation"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": 
"C2cgvpN44is", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "", "line": " Enabling Powershell Module and Script Block Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Computer/AdminTemplates/WindowsComponents/WindowsPowershell/"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - Create Profile.ps1 in c:\\windows\\system32\\WindowsPowerShell\\v1.0"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Variables: $LogCommandHealth and $LogCommandLifeCycleEvent = $true"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Enabling Task Scheduler History/Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 25}, "tag": "", "line": " Downloading and installing WinLogBeat"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " (If you have issues, try version 6.7 of WinLogBeat, 7 is now out and HELK is not ingesting)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 27, "seconds": 5}, "tag": "", "line": " Logging into HELK and start of searching the logs!"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Searching Process Create Events (4688) and finding the commands we ran earlier"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", 
"timestamp": {"minutes": 29, "seconds": 53}, "tag": "", "line": " Testing the Powershell logging to detect downloading and executing a script"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Detecting mimikatz accessing LSASS"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "", "line": " Deep dive into Mimikatz to identify how it accesses LSASS.EXE to create a signature, what is 0x1010 process grant?"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "", "line": " Showing the Process Creation stuff in real time."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 47, "seconds": 25}, "tag": "", "line": " Examining the SysMon Dashboard"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "", "line": " Viewing the SIGMA Rules and how to clean up noisy ones."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ** Really good blog post: https://posts.specterops.io/what-the-helk-sigma-integration-via-elastalert-6edf1715b02 **"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Deep dive into the SIGMA Rule setup"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " - python -m elastalert.elastalert --debug --rule"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", 
"timestamp": {"minutes": 51, "seconds": 30}, "tag": "", "line": " Discovering the mistake in the SIGMA to Elastalert conversion (realert:0)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Debugging Elastalert Rules"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 3, "seconds": 8}, "tag": "", "line": " Begin of GoBustering"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Discovery of an image upload script"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 8, "seconds": 39}, "tag": "", "line": " Attempting to bypass the upload filter"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 12, "seconds": 46}, "tag": "", "line": " Reverse Shell to ubuntu Returned. 
Examining Web Source"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 15, "seconds": 28}, "tag": "", "line": " ALTERNATIVE: Checking out the host name pollution, setting host header to localhost"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 19, "seconds": 27}, "tag": "", "line": " Resume of poking around the host, discover passwords and other hosts in /home"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 23, "seconds": 14}, "tag": "", "line": " Uploading a static-compiled nmap to the box (static-binaries is a github repo)"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 24, "seconds": 57}, "tag": "", "line": " SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "", "line": " Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Think i broke the box here, sent unicode to the box.... 
It stops responding on web."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 32, "seconds": 55}, "tag": "", "line": " Machine reverted, getting back to where I started."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 34, "seconds": 50}, "tag": "", "line": " Trying this again, and get a shell on ubuntu -- Lets do a Reverse Port Forward to get a shell on our kali box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 36, "seconds": 12}, "tag": "", "line": " Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 38, "seconds": 58}, "tag": "", "line": " Exploring the DNS Server box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 39, "seconds": 26}, "tag": "", "line": " Finding a password in /home/dave/ssh"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Discovering Vault's IP Address in /etc/hosts"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 20}, "tag": "", "line": " Perfoming a NMAP on the vault box, discover two ports closed"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 50}, "tag": "", "line": " Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 43, "seconds": 20}, "tag": "", "line": " ALTERNATIVE: Bypassing the firewall by using IPv6"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 49, "seconds": 47}, "tag": "", "line": " How to set the source port with SSH via ncat"}, {"machine": "HackTheBox - Vault", 
"videoId": "LfbwlPxToBc", "timestamp": {"minutes": 50, "seconds": 45}, "tag": "", "line": " Discovering root.txt.gpg on Vault, it is encrypted with RSA Key D1EB1F03"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 51, "seconds": 35}, "tag": "", "line": " Dave has the above RSA Key, use SCP to send the file back to Ubuntu"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " The file has been copied, using gpg to decrypt the file."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 55, "seconds": 39}, "tag": "", "line": " MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 5}, "tag": "", "line": " Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 42}, "tag": "", "line": " Rebooting Vault by sending the Ctrl+Alt+delete key"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "", "line": " Editing grub to get a root shell without a password"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 56}, "tag": "", "line": " Changing the password to root, then rebooting again"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 59, "seconds": 30}, "tag": "", "line": " Logging in with the new password."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "", "line": " Installing FireEye Commando to help keep our development environments sync'd"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": 
{"minutes": 4, "seconds": 30}, "tag": "", "line": " Using Git to download mimikatz, openifang with Visual Studio 2017 and installing dependencies"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Verifying that we can compile mimikatz before we make any changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "", "line": " Creating an Antivirus Exception in Defender to ignore shared drive"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "", "line": " Remove String: mimikatz and then rename files with mimikatz in the name"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 13, "seconds": 45}, "tag": "", "line": " Remove String: all metadata by editing the RC File (accidentally wipe a quote)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Replace Icon"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Test rebuilding after these changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " Using \"head\" to split the binary in half to help identify where Defender is identifying mimikatz"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Tons of splitting."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Found a rough location of a bad string, opening in a hex editor to identify the string."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": 
" Appears to flag on KiwiAndRegistryTools, lets verify"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Search and replace for \"mimi\" (whoops, should of done kiwi here!)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Remove String: KiwiAndRegistryTools"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 27, "seconds": 20}, "tag": "", "line": " Decompressing the Defender Signature File, this should speed up finding bad strings but i still need to do more research here."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Verifying KiwiAndRegistryTools is removed by testing it against Defender"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " From here on... Tons of repetitive stuff to find other strings."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 42, "seconds": 45}, "tag": "", "line": " wdigest.dll is a bad character, lets see if its in a DLL Import or Print Statement."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "", "line": " Remove String: wdigest.dll"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 46, "seconds": 25}, "tag": "", "line": " Remove String: isBase64InterceptOutput, isBase64InterceptInput"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 52, "seconds": 25}, "tag": "", "line": " Remove String: multirdp"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "", "line": " Wow. 
Just realized double clicking a program is a better way to test if an executable is malicious. Lol."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Remove String: logonPasswords "}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "", "line": " Remove String: credman"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 71, "seconds": 30}, "tag": "", "line": " Remove String: I_NetTrustPasswordsGet, this one is different due to being in the IMPORT table. Use dumpbin /exports to show ordinal addresses"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 75, "seconds": 30}, "tag": "", "line": " Ordinal loading explained, kind of"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 76, "seconds": 45}, "tag": "", "line": " Creating a new lib file to do ordinal loading of netapi32 functions. Create DEF file, then use lib to compile it."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "", "line": " Whoops, string isn't here because its I_NetTrust, not I_NetPass. 
After this mistake, mimikatz is ran"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 82, "seconds": 20}, "tag": "", "line": " Running Ghidra to view import tables to see how the ordinal loading works."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 87, "seconds": 0}, "tag": "", "line": " Lets just see what VirusTotal thinks of this binary."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 12}, "tag": "linux easy", "line": " Begin of Recon"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 55}, "tag": "linux easy", "line": " Running Cewl to generate a wordlist"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "linux easy", "line": " Finding secret.txt in the HTML Source, which happens to be the password"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "linux easy", "line": " Runninh JoomScan so we have something running in the background"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "linux easy", "line": " Checking the manifest to get the Joomla Version"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux easy", "line": " Explaining what equals mean in base64"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "linux easy", "line": " Begin of hunting for Joomla Username"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "linux easy", "line": " BruteForcing Joomla Login with WFUZZ"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 10, "seconds": 
35}, "tag": "linux easy", "line": " Troubleshooting by sending wfuzz through burp"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 12, "seconds": 25}, "tag": "linux easy", "line": " Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "linux easy", "line": " Success! Logged into Joomla"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 58}, "tag": "linux easy", "line": " Gaining code execution by modifying a template"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "linux easy", "line": " Finding the file: password_backup which is encoded"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux easy", "line": " Extracting password_backup manually with xxd, zcat, bzcat, tar"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 25, "seconds": 43}, "tag": "linux easy", "line": " Extracting Password_Backup with CyberChef"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux easy", "line": " Logging in with Floris"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 17}, "tag": "linux easy", "line": " Looking at /home/floris/AdminArea"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "linux easy", "line": " Testing the input file by changing the url to us"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", 
"timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux easy", "line": " Getting LFI by using file:// within curl"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 30, "seconds": 38}, "tag": "linux easy", "line": " Pulling the cron, to see what is going on"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux easy", "line": " Cron shows curl -K to use curl with a config file, checking man page."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 32, "seconds": 5}, "tag": "linux easy", "line": " Changing where curl saves to, in order to gain a root shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 33, "seconds": 45}, "tag": "linux easy", "line": " Showing another good file to read with the LFI (logs)"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 34, "seconds": 18}, "tag": "linux easy", "line": " Using pspy to show when processes start/end, which shows the curl command with no exploits"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 1, "seconds": 16}, "tag": "linux easy", "line": " Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 4, "seconds": 4}, "tag": "linux easy", "line": " Using nc/ncat to verify a port is open (-zv)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 11, "seconds": 17}, "tag": "linux easy", "line": " Doing gobuster across man of the sub directories"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 13, "seconds": 3}, "tag": "linux easy", "line": " Examining /admin/ - Examine the HTML Source because login is not sending any data"}, {"machine": "HackTheBox - Frolic", 
"videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 14, "seconds": 9}, "tag": "linux easy", "line": " Discover some weird text encoding (Ook), how I went about decoding it"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 15, "seconds": 44}, "tag": "linux easy", "line": " Decoded to base64 with some spaces, clean up the base64 and are left with a zip file"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 19, "seconds": 19}, "tag": "linux easy", "line": " After cracking the zip, there is another text encoding challenge (BrainF*)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 25, "seconds": 11}, "tag": "linux easy", "line": " With potential information, return to our long running recon for more information"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 28, "seconds": 49}, "tag": "linux easy", "line": " Discovering /playsms"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux easy", "line": " Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 34, "seconds": 34}, "tag": "linux easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux easy", "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "linux easy", "line": " Finding the SetUID file: rop"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Exploiting ROP Program with ret2libc"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 45, "seconds": 
30}, "tag": "linux easy", "line": " Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 50, "seconds": 34}, "tag": "linux easy", "line": " Running our exploit to get root shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "linux easy", "line": " Begin of recovering rop.c source code"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 56, "seconds": 41}, "tag": "linux easy", "line": " Recreating rop.c then compiling"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 59, "seconds": 44}, "tag": "linux easy", "line": " Copying the physical disk to our local box via SSH and DD"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 61, "seconds": 44}, "tag": "linux easy", "line": " Using PhotoRec to restore files and finding rop.c"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 53}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Checking out the Web Page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Doing UDP/GoBuster Scans"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Running SNMPWalk and then logging into web interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "", "line": " Reading the tickets on the web page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Discovering code execution"}, 
{"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 23, "seconds": 15}, "tag": "", "line": " Discovering FTP Server 10.120.15.10"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Gaining access to a Router Interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Using Draw.io to draw out the network"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "", "line": " Examining routing information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Looking at BGP Information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " First attempt at BGP Hijack, advertising a route"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "", "line": " Did not work, examining routing loop."}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 50, "seconds": 50}, "tag": "", "line": " Blocking the routing advertisement to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 56, "seconds": 50}, "tag": "", "line": " Showing the new routing loop (AS300 sends to AS200)"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 60, "seconds": 0}, "tag": "", "line": " Telling AS200 not to advertise the route to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "", "line": " Grabbing 
FTP Traffic to get root password"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " -- Extra Content"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "", "line": " Logging into all 3 routers for some fun"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 68, "seconds": 50}, "tag": "", "line": " Hiding from TraceRoute by mucking with TTL's"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 73, "seconds": 20}, "tag": "", "line": " Redoing the attack, but showing routing tables on all routers"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 77, "seconds": 30}, "tag": "", "line": " Unintended route, Just adding an IP to eth2"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " This video didn't go quite as smooth as I expected. Still putting it here to show an unintended route for Ethereal. 
When I get more time, I'll probably redo this video, so don't be surprised if it disappears."}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 14}, "tag": "", "line": " Demo of this AppLocker Bypass"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " How this is different than LOLBINs"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Creating a Reverse Shell EXE"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Converting our Reverse Shell EXE to a DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Performing this COR PROFILER bypass with our Reverse Shell DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 11, "seconds": 21}, "tag": "", "line": " Trying to do this on the HackTheBox machine: Ethereal"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 18, "seconds": 43}, "tag": "", "line": " Creating a BAT file to set environment variables and execute TZSYNC"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 20, "seconds": 45}, "tag": "", "line": " Executing the BAT File and getting a meterpreter session!"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 22, "seconds": 3}, "tag": "", "line": " Doing JuicyPotato to privesc to SYSTEM"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "", "line": " Migrating to a user to be able to read an EFS Protected file."}, {"machine": "HackTheBox - 
Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "windows insane", "line": " Begin of Recon, Downloading FTP and inspecting websites"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 10, "seconds": 23}, "tag": "windows insane", "line": " Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows insane", "line": " Sending MD5Hashes to VirusTotal to get file age"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "windows insane", "line": " Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "windows insane", "line": " Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 25, "seconds": 45}, "tag": "windows insane", "line": " Using nslookup to exfil the results of commands executed."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "windows insane", "line": " Creating Python Script to automate exploitaiton of this program. Using Scapy, BeutifulSoup, and Requests."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 55, "seconds": 23}, "tag": "windows insane", "line": " Script working! 
Now to make the output a bit more pretty using tokens to sepereate spaces"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "windows insane", "line": " Running commands to get interesting information about the page"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 65, "seconds": 20}, "tag": "windows insane", "line": " Enumerating the Firewall via netsh"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 69, "seconds": 10}, "tag": "windows insane", "line": " Using OpenSSL to get a reverse shell on windows"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 77, "seconds": 25}, "tag": "windows insane", "line": " Reverse shell returned. "}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 79, "seconds": 40}, "tag": "windows insane", "line": " Creating a malicious shortcut via powershell"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 82, "seconds": 40}, "tag": "windows insane", "line": " Using OpenSSL To transfer files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 88, "seconds": 0}, "tag": "windows insane", "line": " Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 92, "seconds": 30}, "tag": "windows insane", "line": " Creating and signing a malicious MSI with WiX."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 108, "seconds": 15}, "tag": "windows insane", "line": " First attempt failed, creating a less complicated MSI File by just having it execute our shortcut"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 113, "seconds": 0}, "tag": 
"windows insane", "line": " Getting reverse shell as SYSTEM - Cannot read EFS Files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 115, "seconds": 20}, "tag": "windows insane", "line": " Having our MSI not run as SYSTEM by changing impersonation in WiX"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 118, "seconds": 30}, "tag": "windows insane", "line": " Shell as Rupal returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "windows easy", "line": " Begin of recon: ftp, telnet, IIS 7.5"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Downloading all files off an FTP Server with WGET"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "windows easy", "line": " Examining the \"Access Control.zip\" file."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Cracking a zip file with John"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "windows easy", "line": " Creating a wordlist for cracking the zip (strings of the mdb file)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "windows easy", "line": " Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows easy", "line": " Grabbing the same password we cracked by checking the auth_user table"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 13, "seconds": 35}, "tag": "windows easy", "line": " Converting the PST File 
(Outlook Email) to PlainText via readpst"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows easy", "line": " Logging into telnet with the credentials from the email"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "windows easy", "line": " Switching to a Nishang Shell to execute powershell"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "windows easy", "line": " Running JAWS (Just Another Windows Scanner)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 23, "seconds": 34}, "tag": "windows easy", "line": " Discovering Stored Credentials on the box for ACCESS\\Administrator "}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 11}, "tag": "windows easy", "line": " Examining the Shortcut on PUBLIC\\DESKTOP which shows us how the \"Stored Credential\" is used."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 58}, "tag": "windows easy", "line": " Using powershell to view information of a Shortcut"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "windows easy", "line": " Using the Stored Credential via runas /savecred"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " (some flailing around, darn windows quotes)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 30, "seconds": 31}, "tag": "windows easy", "line": " Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 31, "seconds": 54}, "tag": "windows easy", "line": " Box 
done, Administrator returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " (Flailing around until 54:20)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 32, "seconds": 38}, "tag": "windows easy", "line": " Begin of decrypting the Stored Credential, uploading Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 33, "seconds": 40}, "tag": "windows easy", "line": " Using powershell to download files"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 36, "seconds": 36}, "tag": "windows easy", "line": " Discovering that I was trying to save mimikatz to a directory i cannot write to :("}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "windows easy", "line": " Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "windows easy", "line": " Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 41, "seconds": 28}, "tag": "windows easy", "line": " Getting a Empire Agent running"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 43, "seconds": 35}, "tag": "windows easy", "line": " Empire Agent Returned, Injecting meterpreter shellcode."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 45, "seconds": 46}, "tag": "windows easy", "line": " Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 46, "seconds": 52}, "tag": "windows easy", "line": " Explaining Mimikatz 
Arguments when in \"non-interactive\" mode"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 54, "seconds": 20}, "tag": "windows easy", "line": " Grabbing needed files to decrypt DPAPI::CREDS offline"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 56, "seconds": 9}, "tag": "windows easy", "line": " Switing to Windows to run Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 62, "seconds": 32}, "tag": "windows easy", "line": " Decrypting the Creds stored in DPAPI"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "linux hard", "line": " Signing into Zabbix as Guest"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Getting potential usernames from inside Zabbix and guessing creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux hard", "line": " Running Searchsploit and looking for vulnerabilties"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "linux hard", "line": " Analyzing the \"API\" Script from SearchSploit as we have API Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux hard", "line": " Modifying the \"API\" Script "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Showing a shortcut to skip the Container to Host Lateral Movement."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 15, "seconds": 
35}, "tag": "linux hard", "line": " Shell on the Container."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 17, "seconds": 25}, "tag": "linux hard", "line": " Searching for Zabbix MySQL Password "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 18, "seconds": 35}, "tag": "linux hard", "line": " Dumping the Zabbix User Database"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 20, "seconds": 0}, "tag": "linux hard", "line": " Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux hard", "line": " Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 29, "seconds": 53}, "tag": "linux hard", "line": " Getting a Reverse Shell on Zabbix (use nohup to fork)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Running LinEnum on Zabbix Host"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "linux hard", "line": " Examining home directories to find Zapper Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 36, "seconds": 42}, "tag": "linux hard", "line": " Examining the \"Zabbix-Service\" SetUID "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "linux hard", "line": " PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " PRIVESC #2: Weak permissions on Purge-Backups 
Service"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 30}, "tag": "linux hard", "line": " Extra Content: Building a Zabbix API Client from Scratch!"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux hard", "line": " \"Pseudo Terminal\" Skeleton Script via Cmd module"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux hard", "line": " Adding Login Functionality"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 56, "seconds": 8}, "tag": "linux hard", "line": " Making the script login upon starting"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 57, "seconds": 50}, "tag": "linux hard", "line": " Adding functionality to dump users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 64, "seconds": 0}, "tag": "linux hard", "line": " Adding functionality to dump groups"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 65, "seconds": 25}, "tag": "linux hard", "line": " Adding functionality to add users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 70, "seconds": 45}, "tag": "linux hard", "line": " Adding functionality to modify users"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows medium", "line": " Begin of intro"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 2, "seconds": 17}, "tag": "windows medium", "line": " Examining port 80 and 443"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "windows medium", "line": " Using gobuster to discover directories"}, {"machine": "HackTheBox - Giddy", "videoId": 
"J2unwbMQvUo", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "windows medium", "line": " /remote discovered, nothing to do here"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 5, "seconds": 25}, "tag": "windows medium", "line": " /mvc discovered"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "windows medium", "line": " SQL Injection everywhere"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "windows medium", "line": " Attempt to perform union injection on search"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Having trouble, send to SQLMap look at other places in the applicaiton"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "windows medium", "line": " SQLMap having trouble with search SQL, change to ITEM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows medium", "line": " Attempting XP_CMDSHELL (Fails)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "windows medium", "line": " Using XP_DIRTREE to read files off SMBShare"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "windows medium", "line": " Use Responder to steal the authentication attempt of XP_DIRTREE"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "windows medium", "line": " Cracking the NetNTLMv2 Hash"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows medium", "line": " Logging into /remote with cracked credentials"}, {"machine": 
"HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "windows medium", "line": " Discovering unifi video is installed, this has a known privesc"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "windows medium", "line": " Attempting to use Meterpreter. (Fail: AV)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows medium", "line": " Grabbing and compiling a DotNet Reverse Shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "windows medium", "line": " Actually compiling the reverse shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 38, "seconds": 58}, "tag": "windows medium", "line": " Using xcopy to copy our reverse shell to the victim"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "windows medium", "line": " Attempting to find Unifi Service name so we can restart it. 
End up searching registry due to permission issues."}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "windows medium", "line": " Restarting Unifi Service so it executes TaskKill.exe"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " # Box Done"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 44, "seconds": 25}, "tag": "windows medium", "line": " Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows medium", "line": " Escaping powershell constrained mode with PSBypassCLM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 60, "seconds": 25}, "tag": "windows medium", "line": " Showing the Powershell History file which contained a hint at Unifi"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Want the WireShark Sticker? http://weirdstuffis.online "}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 2, "seconds": 25}, "tag": "", "line": " Enumerating OpenBSD Patch Date via SSH Version"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Examining port 80... 
Use Wireshark to see why NMAP gets a response but firefox does not"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Invalid Requests, will cause HTTP Service to send error message"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using ldapsearch to enumerate ldap, use wireshark to see how the nmap script works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Using SMBMap to PassTheHash and enumerate fileshares and download Putty Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "", "line": " Using PuttyGen to convert Putty Key to an RSA Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "", "line": " Testing out ssh_enumusers to see if that would have worked to get valid usernames"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 26, "seconds": 30}, "tag": "", "line": " Logged in as Alice, use LinEnum"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 28, "seconds": 40}, "tag": "", "line": " Examining doas configuration (like Sudo -l)"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "", "line": " Examining HTTPD Configuration to see why we couldn't hit the webserver earlier"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Examining SSHD Configuration to see SSH is configured to allow CA Signed Keys"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Getting hashes from SSH Keys to know what 
publics go to which privates"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Playing with the SSHAUTH webservice to enumerate what principals go to which users"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "", "line": " Signing a SSH Key using DoAs to sign a key with the root Principal"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 45, "seconds": 30}, "tag": "", "line": " Testing the key, explaining how this all works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 47, "seconds": 30}, "tag": "", "line": " Unintended privesc, Xorg exploit"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "linux hard", "line": " Begin of the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux hard", "line": " Checking the HTTP Ports out"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 4, "seconds": 38}, "tag": "linux hard", "line": " Using wfuzz to bruteforce a login on port 80"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "linux hard", "line": " Begin examining port 8080, use wfuzz to bruteforce a cookie"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Using wfuzz to enumerate the WAF and determine bad characters"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "linux hard", "line": " Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost."}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 16, "seconds": 50}, "tag": 
"linux hard", "line": " Begin examining port 11211 (MemCache)"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "linux hard", "line": " Dumping data from Memcache"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux hard", "line": " Using CVE-2018-15473 to enumerate valid users over SSH"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 27, "seconds": 35}, "tag": "linux hard", "line": " Cracking the users hash and logging into the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux hard", "line": " Using R2 to analyzing rabbit hole application \"try_harder\""}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Going through LinEnum"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux hard", "line": " Using r2 to examine myexec to find password"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 40, "seconds": 13}, "tag": "linux hard", "line": " Using r2 to examine libseclogin.so"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "linux hard", "line": " Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 42, "seconds": 10}, "tag": "linux hard", "line": " Creating a malicious library to hijack seclogin()"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 45, "seconds": 10}, "tag": "linux hard", "line": " Lets bypass the login by hijacking printf()"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 0, "seconds": 
55}, "tag": "linux insane", "line": " Begin of Recon (Port Scans)"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 4, "seconds": 9}, "tag": "linux insane", "line": " Reverse Image Searching an favicon to get application used"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "linux insane", "line": " NODE-RED: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "linux insane", "line": " NODE-RED: Running IP and Port Scans to identify lateral movement targets"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 24, "seconds": 29}, "tag": "linux insane", "line": " Downloading Chisel (Go Program for Tunnels)."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux insane", "line": " Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "linux insane", "line": " PowerPoint: Explaining Reverse Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 31, "seconds": 25}, "tag": "linux insane", "line": " WWW: Tunnel online, examining the website"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 34, "seconds": 23}, "tag": "linux insane", "line": " Full Port Scan to 172.19.0.2, discover REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "linux insane", "line": " Searching for ways to execute code against REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 38, "seconds": 7}, "tag": "linux insane", "line": " Using REDIS to create a PHP 
Shell"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 41, "seconds": 6}, "tag": "linux insane", "line": " PowerPoint: Explaining Local Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "linux insane", "line": " WWW: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 45, "seconds": 45}, "tag": "linux insane", "line": " Notice wildcard used with RSYNC, go search GTFOBins"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 51, "seconds": 32}, "tag": "linux insane", "line": " Abusing the wildcard within RSYNC"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 57, "seconds": 23}, "tag": "linux insane", "line": " WWW: Got Root, but no flag... Lets go look at RSYNC again."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 60, "seconds": 15}, "tag": "linux insane", "line": " Explaining how to tunnel from Backup - WWW - NODE-RED - Kali"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 77, "seconds": 50}, "tag": "linux insane", "line": " Getting reverse shell on BACKUP via uploading CronJob through rsync"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 80, "seconds": 30}, "tag": "linux insane", "line": " BACKUP: Reverse Shell Returned... 
No root.txt here either!?"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 86, "seconds": 30}, "tag": "linux insane", "line": " BACKUP: Noticing this is has /dev/sda*, where other dockers do not"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 88, "seconds": 15}, "tag": "linux insane", "line": " BACKUP: Dropping a cronjob on root disk to get shell on the host"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 90, "seconds": 45}, "tag": "linux insane", "line": " ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "windows medium", "line": " Checking out the website"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows medium", "line": " Using wfuzz to enumerate usernames"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows medium", "line": " Logging in with an account we created"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 7, "seconds": 23}, "tag": "windows medium", "line": " Checking out Change Password and noticing it does this poorly"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 9, "seconds": 25}, "tag": "windows medium", "line": " Using the contact form, to see if tyler will follow links"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 14, "seconds": 14}, "tag": "windows medium", "line": " Changing Tyler's password by sending him to the ChangePassword Page"}, {"machine": "HackTheBox - 
SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "windows medium", "line": " Logged in and find SMB Share with credentials."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "windows medium", "line": " Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 17, "seconds": 48}, "tag": "windows medium", "line": " Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 19, "seconds": 15}, "tag": "windows medium", "line": " Downloading netcat for windows to use as a Reverse Shell"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 21, "seconds": 14}, "tag": "windows medium", "line": " Playing with Bash on Windows"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "windows medium", "line": " Finding the administrator password in ~/.bash_history"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " -- Box done"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "windows medium", "line": " Alternate way to find the .bash_history file"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 25, "seconds": 36}, "tag": "windows medium", "line": " Unintended way to bypass the CSRF. 
SQL Injection + bad Static Code analysis"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " In the Holiday video, I do a bit more that may be helpful with card type attacks "}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " : https://www.youtube.com/watch?v=FvHyt7KrsPE&app=desktop"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 50}, "tag": "linux hard", "line": " Start of the box"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "linux hard", "line": " Attempting GoBuster but wildcard response gives issue"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Start of doing wfuzz to find content"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 10, "seconds": 38}, "tag": "linux hard", "line": " Manually testing SQLInjection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 13, "seconds": 7}, "tag": "linux hard", "line": " Running SQLMap and telling it exactly where the injection is"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 16, "seconds": 4}, "tag": "linux hard", "line": " Manually extracting files with the SQL Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "linux hard", "line": " Cracking the hash with hashcat"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux hard", "line": " Start of examining the custom webapp, playing with Template Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 27, "seconds": 
0}, "tag": "linux hard", "line": " Explaining a way to enumerate language behind a webapp"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 35, "seconds": 17}, "tag": "linux hard", "line": " Reverse Shell returned on first Docker Container"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 38, "seconds": 0}, "tag": "linux hard", "line": " Examining SQL Database"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 39, "seconds": 40}, "tag": "linux hard", "line": " Doing the Port Knock to open up SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 43, "seconds": 50}, "tag": "linux hard", "line": " Gain a foothold on the host of the docker container via ssh"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux hard", "line": " Identifying containers running"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 50, "seconds": 10}, "tag": "linux hard", "line": " Creating SSH Port Forwards without exiting SSH Session then NMAP through"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 55, "seconds": 11}, "tag": "linux hard", "line": " Begin looking into Portainer, finding a weak API Endpoint"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "linux hard", "line": " Start of creating a container in portainer that can access the root file"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " system"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 68, "seconds": 25}, "tag": "linux hard", "line": " 
Changing sudoers so dorthy can privesc to root"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "linux hard", "line": " Lets go back and create a python script to play with SQL Injection"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux insane", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 2, "seconds": 30}, "tag": "linux insane", "line": " Extra nmaps, SNMP and AllPorts"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux insane", "line": " Playing with OneSixtyOne (SNMP BruteForce)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux insane", "line": " Looking at SNMPWalk Output"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux insane", "line": " Installing SNMP Mibs so SMPWalk is readable"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 10, "seconds": 5}, "tag": "linux insane", "line": " Accessing the box over Link Local IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux insane", "line": " Looking at Por 3366 (Website), getting PW from SNMP Info"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "linux insane", "line": " Getting IPv6 Routable Address via SNMP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 19, "seconds": 20}, "tag": "linux insane", "line": " NMAP the IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 21, "seconds": 0}, "tag": "linux insane", 
"line": " Accessing the page over IPv6"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "linux insane", "line": " Getting output from the command execution page"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 24, "seconds": 55}, "tag": "linux insane", "line": " Viewing Credentials Files and accessing the box via SSH"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "linux insane", "line": " Examining why loki cannot use /bin/su (getfacl)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "linux insane", "line": " Getting a shell as www-data"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " 38;10 - Finding the root.txt file from using find command to search for files by"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " date"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "linux insane", "line": " Extra content, reading files via ICMP"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Looking at what Filtered means in Nmap"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " Start of looking at webpage (GoBuster)"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Manual HTTP Enumeration"}, {"machine": "HackTheBox - 
Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Start of exploiting with BurpSuite"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " SSH Key Found, logging in with nobody"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 19, "seconds": 12}, "tag": "", "line": " Discovering a second SSH Server"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 23, "seconds": 36}, "tag": "", "line": " Using the same SSH Key to login to the second SSH Server as monitor"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 24, "seconds": 38}, "tag": "", "line": " Escaping rBash by modifying an executable file in our current $PATH"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 28, "seconds": 13}, "tag": "", "line": " Running LinEnum.sh to search for PrivEscs"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 30, "seconds": 50}, "tag": "", "line": " Enabling ThoroughTests in LinEnum to see what else it will check"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "", "line": " Looking into capabilities permission sin linux"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "", "line": " Begin of second way to escape rBash and setup a SSH Tunnel for fun"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "windows easy", "line": " Begin of recon "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "windows easy", "line": " Poking at DNS - Nothing really important."}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", 
"timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows easy", "line": " Examining what NMAP Scripts are ran. "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "windows easy", "line": " Lets just try out smbclient to list shares available"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "windows easy", "line": " Using SMBMap to show the same thing, a great recon tool!"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "windows easy", "line": " Pillaging the Replication Share with SMBMap"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "windows easy", "line": " Discovering Groups.xml and then decrypting passwords from it"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 13, "seconds": 10}, "tag": "windows easy", "line": " Dumping Active Directory users from linux with Impacket GetADUsers"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 16, "seconds": 28}, "tag": "windows easy", "line": " Using SMBMap with our user credentials to look for more shares"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "windows easy", "line": " Switching to Windows to run BloodHound against the domain "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "windows easy", "line": " Analyzing BloodHound Output to discover Kerberostable user"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 27, "seconds": 25}, "tag": "windows easy", "line": " Performing Kerberoast attack from linux with Impacket GetUsersSPNs"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": 
{"minutes": 29, "seconds": 0}, "tag": "windows easy", "line": " Cracking tgs 23 with Hashcat"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows easy", "line": " Getting root on the box via PSEXEC"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Checking FTP Server for hidden files"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Creating a bunch of files varying in length to narrow likely ciphers down."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 14, "seconds": 35}, "tag": "", "line": " Encrypting all of the above files and checking their file sizes"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "", "line": " Decrypting file, obtaining a password"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "", "line": " Begin looking at Drupal, running Droopescan"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 12}, "tag": "", "line": " Manually examining Drupal, finding a way to enumerate usernames"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Placing invalid emails in create account, is a semi-silent way to enumerate usernames"}, {"machine": "HackTheBox - 
Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Logging into Drupal with Admin. "}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 29, "seconds": 25}, "tag": "", "line": " Gaining code execution by enabling PHP Plugin, then previewing a page with php code"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 33, "seconds": 25}, "tag": "", "line": " Running LinEnum.sh - Discover H2 (Database) runs as root"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Hunting for passwords in Drupal Configuration"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 39, "seconds": 25}, "tag": "", "line": " Finding database connection settings. SSHing with daniel and the database password (not needed)"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "", "line": " Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk\u2019s Loopback. 
Only need to do one of those, just showing its possible without daniel"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 44, "seconds": 30}, "tag": "", "line": " Accessing Hawk\u2019s H2 Service (8082) via the loopback address"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 51, "seconds": 45}, "tag": "", "line": " Logging into H2 by using a non-existent database, then testing code execution"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 52, "seconds": 50}, "tag": "", "line": " Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 59, "seconds": 50}, "tag": "", "line": " Reverted box, cleaning up environment then getting reverse shell"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 62, "seconds": 45}, "tag": "", "line": " Discovering could have logged into the database with Drupal Database Creds."}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "windows easy", "line": " Introduction, nmap"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows easy", "line": " Clicking around in Tomcat"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "windows easy", "line": " Playing around with HTTP Authentication"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows easy", "line": " Bruteforcing tomcat default 
creds with Hydra and seclists"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "windows easy", "line": " Sending hydra through a proxy to examine what is happening"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "windows easy", "line": " Logging into tomcat and using msfvenom + metasploit to upload a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 22, "seconds": 42}, "tag": "windows easy", "line": " Begin of doing this box without MSF"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "windows easy", "line": " Downloading a cmd jsp shell and making a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "windows easy", "line": " WebShell returned"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "windows easy", "line": " Begin of installing SilentTrinity"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 30, "seconds": 55}, "tag": "windows easy", "line": " SilentyTrinity Started, starting listener and generating a payload"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows easy", "line": " Pasting the payload into the webshell"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "windows easy", "line": " Debugging SSL Handshake errors"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "windows easy", "line": " Starting SilentTrinity back up, how to use modules"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 
39, "seconds": 10}, "tag": "windows easy", "line": " Start of Execute-Assembly, compiling Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows easy", "line": " Running Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 30}, "tag": "windows easy", "line": " Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " SilentTrinity Talk: https://www.youtube.com/watch?v=NaFiAx737qg"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 0, "seconds": 42}, "tag": "windows hard", "line": " Begin of Nmap"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 4, "seconds": 23}, "tag": "windows hard", "line": " Examining the anonymous FTP Directory and discovering email addresses in Meta Data"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "windows hard", "line": " Manually enumerating valid email addresses via SMTP"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 10, "seconds": 50}, "tag": "windows hard", "line": " Creating a \"Canary Document\" in Word to ping back to our server when a word document is opened"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 13, "seconds": 14}, "tag": "windows hard", "line": " Generating a malicious RTF Document (CVE-2017-0199)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 26, "seconds": 28}, "tag": "windows hard", "line": " Shell Returned. 
Enumerating the AppLocker Policy"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 32, "seconds": 53}, "tag": "windows hard", "line": " Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 35, "seconds": 22}, "tag": "windows hard", "line": " Lets forget we had Tom and run Bloodhound from Nico!"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows hard", "line": " First time opening BloodHound on this box."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 49, "seconds": 45}, "tag": "windows hard", "line": " Lets update Bloodhound, looks like some data is missing and there were errors when running it"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "windows hard", "line": " Finding a path from Nico to BACKUP_ADMINS and explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner,etc)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 58, "seconds": 23}, "tag": "windows hard", "line": " Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 61, "seconds": 40}, "tag": "windows hard", "line": " Adding Herman to the Backup_Admins group"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "windows hard", "line": " Finding the Administrator Password within backup scripts."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 67, "seconds": 0}, "tag": "windows hard", "line": " Attempting to run Watson (ends up not working)"}, {"machine": "HackTheBox - Reel", "videoId": 
"ob9SgtFm6_g", "timestamp": {"minutes": 83, "seconds": 22}, "tag": "windows hard", "line": " Using Metasploit to do the box"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 85, "seconds": 42}, "tag": "windows hard", "line": " Since Watson failed, lets just look at last patch times on the box to get an idea whats vulnerable."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 87, "seconds": 19}, "tag": "windows hard", "line": " Attempting to do the ALPC Exploit within Metasploit"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 91, "seconds": 0}, "tag": "windows hard", "line": " That failed - Lets just prove the box is vulnerable, by overwriting a DLL"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "windows hard", "line": " Start of Recon"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "windows hard", "line": " TFTP Enumeration - Identifying configuration and OS information"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 6, "seconds": 32}, "tag": "windows hard", "line": " Finding a path to code execution"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 7, "seconds": 17}, "tag": "windows hard", "line": " Examining PSExec Metasploit Module"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "windows hard", "line": " Using irb within metasploit to print a powershell payload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 12, "seconds": 30}, "tag": "windows hard", "line": " Examining PsExec()"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "windows hard", "line": " 
Examining native_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "windows hard", "line": " Examining mof_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 20, "seconds": 34}, "tag": "windows hard", "line": " Using irb within metasploit to print the MOF File"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 22, "seconds": 35}, "tag": "windows hard", "line": " Quick explanation of MOF Files"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 25, "seconds": 5}, "tag": "windows hard", "line": " Modifying the MOF to run NetCat"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows hard", "line": " Uploading nc to the target"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 28, "seconds": 50}, "tag": "windows hard", "line": " Uploading the malicious MOF File and getting a shell!"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 29, "seconds": 50}, "tag": "windows hard", "line": " Using Streams to view Hidden text within ADS"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " ==== Box Done, Lets play with MSF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 33, "seconds": 8}, "tag": "windows hard", "line": " Start of Bonus Content, finging a TFTP Exploit that uses MOF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 35, "seconds": 5}, "tag": "windows hard", "line": " Attempting to use distrinct_ftp_traversal against DropZone"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 36, "seconds": 30}, "tag": "windows 
hard", "line": " Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 40, "seconds": 50}, "tag": "windows hard", "line": " Testing out pry.byebug"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows hard", "line": " Finding why the exploit module didn't work"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 44, "seconds": 50}, "tag": "windows hard", "line": " Module still doesn't work, TFTP Stopping mid transfer"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 49, "seconds": 30}, "tag": "windows hard", "line": " Whoops, changed the delay on the wrong timeout "}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 51, "seconds": 0}, "tag": "windows hard", "line": " Meterpreter Shell returned, showing off the extended API and some WMI Commands."}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "windows easy", "line": " Begin of recon"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 1, "seconds": 48}, "tag": "windows easy", "line": " Gobuster, using -x aspx to find aspx pages"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 3, "seconds": 16}, "tag": "windows easy", "line": " Playing with a file upload form, seeing what can be uploaded"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "windows easy", "line": " Using Burp Intruder to automate checking file extensions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " Finding a way to execute code 
from file upload in ASPX (web.config)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows easy", "line": " Executing code via web.config file upload"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 13, "seconds": 8}, "tag": "windows easy", "line": " Installing Merlin to be our C2"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 15, "seconds": 25}, "tag": "windows easy", "line": " Compiling the Merlin Windows Agent"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 18, "seconds": 37}, "tag": "windows easy", "line": " Modifying web.config to upload and execute merlin"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 21, "seconds": 14}, "tag": "windows easy", "line": " Merlin Shell returned!"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 24, "seconds": 18}, "tag": "windows easy", "line": " Checking for SEImpersonatePrivilege Token then doing Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 27, "seconds": 44}, "tag": "windows easy", "line": " Getting Admin via Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 29, "seconds": 44}, "tag": "windows easy", "line": " Box completed"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 30, "seconds": 0}, "tag": "windows easy", "line": " Start of doing this box again, with Metasploit! 
Creating a payload with Unicorn"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 33, "seconds": 0}, "tag": "windows easy", "line": " Having troubles getting the server call back to us, trying Ping to see if the exploit is still working"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 34, "seconds": 17}, "tag": "windows easy", "line": " Reverted box. Have to update our payload with some updated VIEWSTATE parameters"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "windows easy", "line": " Metasploit Session Returned! Checking local_exploit_suggester"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 1}, "tag": "windows easy", "line": " Comparing local_exploit_suggester on x32 and x64 meterpreter sessions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 30}, "tag": "windows easy", "line": " Getting Admin via MS10-092"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 42, "seconds": 5}, "tag": "windows easy", "line": " Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! 
(Fails, think I screwed up listening host #PivotProblems)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 47, "seconds": 20}, "tag": "windows easy", "line": " Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Discovery of Wordpress and fixing broken links with burp"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Start of WPScan"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 7, "seconds": 14}, "tag": "", "line": " Start of poking at Monstra, (Rabbit Hole)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "", "line": " Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 16, "seconds": 30}, "tag": "", "line": " Reverse shell returned as www-data"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 8}, "tag": "", "line": " Confirming monstra was read-only"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Running LinEnum.sh to see www-data can run tar via sudo"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Use GTFOBins to find a way to execute code with Tar"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 22, "seconds": 0}, 
"tag": "", "line": " Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 24, "seconds": 10}, "tag": "", "line": " Examining backuperer script"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "", "line": " Hunting for vulnerabilities in Backuperer"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "", "line": " Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "", "line": " Begin of exploiting the backuperer service by exploiting intregrity check"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 36, "seconds": 40}, "tag": "", "line": " Creating our 32-bit setuid binary"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 39, "seconds": 16}, "tag": "", "line": " Replacing backup tar, with our malicious one. 
(File Owner of Shell is wrong)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 40, "seconds": 54}, "tag": "", "line": " Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "", "line": " Exploiting the Backuperer Service via SetUID!"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "", "line": " Unintended Exploit: Using SymLinks to read files via backuperer service"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 54}, "tag": "", "line": " Start of Recon"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "", "line": " Start of GoBuster"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Looking at /upload, testing with a normal XML File"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 6, "seconds": 15}, "tag": "", "line": " Valid XML File created, begin of looking for XML Entity Injection XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " XXE Returns a a local file off the server"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Grabbing the source code to the webserver to find newpost function."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Discovery of vulnerability due to user data being passed to pickle"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": 
{"minutes": 12, "seconds": 44}, "tag": "", "line": " Creating the script to exploit pickle"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 16, "seconds": 38}, "tag": "", "line": " Reverse shell returns!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "", "line": " Poking around at Source Code"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 20, "seconds": 15}, "tag": "", "line": " Discover of an SSH Key within deployment stuff."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Trying SSH Key for other users on the box to see if it is valid"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 22, "seconds": 57}, "tag": "", "line": " Hunting for git filers, the boxes name is \"Gitter\" and we have an SSH Key that goes nowhere. "}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 45}, "tag": "", "line": " Examining Git Log to see the SSH Key has changed!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 20}, "tag": "", "line": " SSH'ing with the old key, to see it's root's key."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 58}, "tag": "", "line": " The webserver could read Roosa's SSH Key. 
Could bypass the entire pickle portion"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "", "line": " Start of \"Extra Practice\""}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 27, "seconds": 40}, "tag": "", "line": " Creating a Python Script to automate the LFI With XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " == Note this piece leads to failure. However, if we could convert the output to a more friendly format such as Base64 it would of worked. This is likely in PHP WebServers due to \"PHP Wrappers\", perhaps it is with python too but I don't know a way =="}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 35, "seconds": 50}, "tag": "", "line": " Script completed, lets improve it to try to download an exposed git repo"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 0, "seconds": 55}, "tag": "windows insane", "line": " Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 2, "seconds": 53}, "tag": "windows insane", "line": " Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows insane", "line": " Begin poking around the members.streetfighterclub.htb page - Find SQL Injection"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows insane", "line": " Boolean injection to force the query to return \"valid login\". 
Play with logins to find it always returns to \"Service not available\""}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 14, "seconds": 25}, "tag": "windows insane", "line": " Testing Union Injections for easy exfil of data"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows insane", "line": " Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "windows insane", "line": " Some valuable recon/information in debugging our SQL queries. Noticing small things really helps."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "windows insane", "line": " Start of making a program to give us a command shell."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 69, "seconds": 40}, "tag": "windows insane", "line": " Explaining the program we just created. Then fix a small bug."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 72, "seconds": 45}, "tag": "windows insane", "line": " Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 77, "seconds": 10}, "tag": "windows insane", "line": " Return of 32-bit PowerShell... Identifying we can append data to c:\\users\\decoder\\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 92, "seconds": 40}, "tag": "windows insane", "line": " Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 
64-bit Shell as Decoder returned!"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 95, "seconds": 30}, "tag": "windows insane", "line": " Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorials/28.html"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 102, "seconds": 18}, "tag": "windows insane", "line": " Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 107, "seconds": 25}, "tag": "windows insane", "line": " Looking at the binaries in Ida64 Free"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 111, "seconds": 14}, "tag": "windows insane", "line": " Explaining what's happening and then writing a script to bypass the password check."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 115, "seconds": 35}, "tag": "windows insane", "line": " Start of unintended way (Juicy Potato)"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "windows insane", "line": " Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 126, "seconds": 10}, "tag": "windows insane", "line": " Start of modifying JuicyPotato to accept uppercase arguments."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 130, "seconds": 14}, "tag": "windows insane", "line": " Finding a vulnerable CLSID to get JuicyPotato working"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 148, "seconds": 25}, "tag": "windows insane", "line": " Running JuicyPotato 
with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 48}, "tag": "linux easy", "line": " Begin of NMAP Discovery of Finger"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 3, "seconds": 36}, "tag": "linux easy", "line": " Enumerating Finger with Finger-User-Enum"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "linux easy", "line": " Nmap'ing all port quickly by lowering max-retries"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "linux easy", "line": " Adding an old Key Exchange Alogorithm to SSH"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "linux easy", "line": " Showing Hydra doesn't work, then using Patator"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " (Patator also can do Finger Enum! 
Try it out)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 11, "seconds": 19}, "tag": "linux easy", "line": " Using find to count lines in all wordlist files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 7}, "tag": "linux easy", "line": " Logged in with sunny:sunday"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux easy", "line": " Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 16, "seconds": 46}, "tag": "linux easy", "line": " Just noticed this box is oooooold, try to privesc with sudo and ShellShock (Fail)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 18, "seconds": 53}, "tag": "linux easy", "line": " Privesc by overwriting the /root/troll binary"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " == Box Done"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "linux easy", "line": " Using wget to exfil files quickly"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux easy", "line": " Viewing what wget --post-file looks like"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "linux easy", "line": " Creating a PHP Script to accept uploaded files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "linux easy", "line": " Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 
29, "seconds": 10}, "tag": "linux easy", "line": " Starting a php webserver with php -S (ip):(port) -t ."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 31, "seconds": 10}, "tag": "linux easy", "line": " Replacing the root password by changing the shadow file"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux easy", "line": " Demoing a way to create directories and upload files!"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "", "line": " Begin of Recon, nmap filtered explanation"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Begin of initial DNSRecon, hunting for a domain name"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 6, "seconds": 4}, "tag": "", "line": " Web page enumeration, finding xdebug in header"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 9, "seconds": 47}, "tag": "", "line": " Installing xdebug plugin in Chrome to show its use"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 12, "seconds": 50}, "tag": "", "line": " Getting a reverse shell on the first docker (Icarus)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "", "line": " Setting up nginx to accept files uploaded over HTTP / WebDav"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Examining the Wireless Capture from Icarus"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "", "line": " Cracking WPA with aircrack / hashcat"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", 
"timestamp": {"minutes": 25, "seconds": 0}, "tag": "", "line": " Decrypting WPA traffic in Wireshark"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 27, "seconds": 50}, "tag": "", "line": " Enumerating valid usernames via SSH (CVE-2018-15473)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 33, "seconds": 15}, "tag": "", "line": " SSH into port 2222 with information from Wireless Capture"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 34, "seconds": 40}, "tag": "", "line": " Domain Name found! Time to do a DNS Zone Transfer"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Port Knocking to open up port 22"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 40, "seconds": 5}, "tag": "", "line": " PrivEsc to root via being a member of the Docker Group"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 43}, "tag": "", "line": " Start of Recon, nmap and poking around the website"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Dirbusting a site that always respond 200"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 9, "seconds": 43}, "tag": "", "line": " Switching to a different Wordlist (SecLists/Discovery/Web/Common)"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 10, "seconds": 48}, "tag": "", "line": " Discovery of .git - Poking around to clone it and download"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "", "line": " Downloaded .git, examining commit history"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 
19, "seconds": 50}, "tag": "", "line": " Start of Pickle Talk"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 21, "seconds": 25}, "tag": "", "line": " Begin writing of the pickle exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 28, "seconds": 45}, "tag": "", "line": " Return of Reverse Shell as www-data"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 32, "seconds": 30}, "tag": "", "line": " Begin looking into CouchDB"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "", "line": " Poking around at documents within CouchDB"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "", "line": " Examining first exploit with creating a CouchDB User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 39, "seconds": 50}, "tag": "", "line": " Exploring the passwords database with our newly created admin user and finding Homers Password."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "", "line": " Getting root with sudo pip install"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 45, "seconds": 55}, "tag": "", "line": " Box Done. 
Begin second unintended way to get to Homer User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 47, "seconds": 3}, "tag": "", "line": " Playing with the public RCE Exploit for CouchDB "}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 48, "seconds": 20}, "tag": "", "line": " Running the exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 49, "seconds": 36}, "tag": "", "line": " Examining the exploit, doing each step manually to see where it fails"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "", "line": " Searching on how to create a new CouchDB Cluster, maybe it will allow this work?"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 55, "seconds": 55}, "tag": "", "line": " Digging into how erlang works"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 57, "seconds": 30}, "tag": "", "line": " Finding default CouchDB Cookie"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "", "line": " Connecting to the Erlang pool then searching for how to run commands."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 61, "seconds": 54}, "tag": "", "line": " Exploring how to send long commands as distributed task"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 64, "seconds": 30}, "tag": "", "line": " Getting reverse shell"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Extra Links"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://malicious.link/post/2018/erlang-arce/"}, {"machine": "HackTheBox - Canape", 
"videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Blackhat 2011 - Sour Pickles - https://www.youtube.com/watch?v=HsZWFMKsM08"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 0, "seconds": 56}, "tag": "", "line": " Start of recon, use Bootstrap XSL Script to make nmap pretty"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 10}, "tag": "", "line": " Looking at nmap in web browser "}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 52}, "tag": "", "line": " Navigating to the web page, and testing all the pages."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "", "line": " Testing for LFI"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "", "line": " Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 8, "seconds": 40}, "tag": "", "line": " Testing for RFI (Remote File Inclusion) [not vuln]"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Code Execution via LFI + phpinfo()"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Modifying the PHP-LFI Script code to get it working"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 17, "seconds": 10}, "tag": "", "line": " Debugging the script to see why tmp_name couldn't be found"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 20, "seconds": 12}, "tag": "", "line": " Shell returned!"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": 
{"minutes": 21, "seconds": 25}, "tag": "", "line": " Looking at pwdbackup.txt and decoding 13 times to get password."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 23, "seconds": 37}, "tag": "", "line": " SSH into the box (Do not privesc right away!)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 24, "seconds": 29}, "tag": "", "line": " Getting shell via Log Poisoning"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 26, "seconds": 39}, "tag": "", "line": " Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 28, "seconds": 47}, "tag": "", "line": " Begin of PrivEsc, grabbing secret.zip off"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 32, "seconds": 38}, "tag": "", "line": " Searching for processes running as root, find VNC"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 33, "seconds": 49}, "tag": "", "line": " Setting up SSH Tunnels without exiting SSH Session."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 37, "seconds": 43}, "tag": "", "line": " Something weird happend... 
Setting up SSH Tunnels manually."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "", "line": " PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 41, "seconds": 40}, "tag": "", "line": " Decrypting the VNC Password because we can."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 42, "seconds": 50}, "tag": "", "line": " Examining the log file to see why our Log Poison Failed, then doing the Log Poison"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 1, "seconds": 11}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 3, "seconds": 48}, "tag": "", "line": " Manually checking the page out"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Discovering the webserver is java/tomcact"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 5, "seconds": 35}, "tag": "", "line": " Starting up GoBuster / Hydra"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 9, "seconds": 40}, "tag": "", "line": " The Directory /Monitoring was found - Discovering its Struts because of .action"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 11, "seconds": 0}, "tag": "", "line": " Stumbling upon an exploit trying to find out how to enumerate Struts Versions"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "", "line": " Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off"}, {"machine": "HackTheBox - Stratosphere", "videoId": 
"uMwcJQcUnmY", "timestamp": {"minutes": 21, "seconds": 10}, "tag": "", "line": " Using a HTTP Forward Shell to get around the strict firewall"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " # Sokar Video Explaining it: https://www.youtube.com/watch?v=k6ri-LFWEj4"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " # Inception - Another box where i modify the FWD Shell POC: https://www.youtube.com/watch?v=J2I-5xPgyXk&t=3s"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 22, "seconds": 40}, "tag": "", "line": " Go here if you want to start copying the Forward Shell Script"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 23, "seconds": 34}, "tag": "", "line": " Explaining how it works"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Explaining the code"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 31, "seconds": 6}, "tag": "", "line": " Forward Shell Returned - Enumerating Database to find creds"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 37, "seconds": 29}, "tag": "", "line": " Examining User.py"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Privesc: Abusing Python's Path to load a malicious library and sudo user.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 58}, "tag": "", "line": " Begin of Recon"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " Looking at the web application and finding the 
Serialized Cookie"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 4, "seconds": 38}, "tag": "", "line": " Googling for Node JS Deserialization Exploits"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Start of building our payload"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 9, "seconds": 10}, "tag": "", "line": " Moving our serialized object to \"Name\", hoping to get to read stdout"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "", "line": " Failing to convert an object (stdout) to string."}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 14, "seconds": 2}, "tag": "", "line": " Verifying code execution via ping"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 15, "seconds": 32}, "tag": "", "line": " Code execution verified, gaining a shell"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " (Get a shell via NodeJSShell at end of video)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 18, "seconds": 49}, "tag": "", "line": " Reverse shell returned, running LinEnum.sh"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 21, "seconds": 26}, "tag": "", "line": " 
Examining logs to find the Cron Job running as root"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 22, "seconds": 9}, "tag": "", "line": " Privesc by placing a python root shell in script.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 24, "seconds": 15}, "tag": "", "line": " Going back and getting a shell with NodeJSShell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 1, "seconds": 40}, "tag": "windows insane", "line": " Begin of Recon (nmap, setting hostname, dns, nmap, ipv6)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "windows insane", "line": " Checking websites (80,443,8080)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 8, "seconds": 10}, "tag": "windows insane", "line": " Attempting to enumerate users of OWA-2010 (Fails)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "windows insane", "line": " Checking out Joomla Version (/administrator/manifets/files/joomla.xml)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "windows insane", "line": " Using SearchSploit with (Complain Management System)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 19, "seconds": 38}, "tag": "windows insane", "line": " Register Account, Login, Verify/Play with SQL Union Injection"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 23, "seconds": 30}, "tag": "windows insane", "line": " Enumerating SQL Injection with SQLMap"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 29, "seconds": 18}, "tag": "windows insane", "line": " Going back to MSF/OWA_LOGIN and testing credentials."}, {"machine": 
"HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 32, "seconds": 15}, "tag": "windows insane", "line": " Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 36, "seconds": 20}, "tag": "windows insane", "line": " Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 40, "seconds": 18}, "tag": "windows insane", "line": " Compiling Merlin (like MSF/Empire)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "windows insane", "line": " Sending the email and waiting."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 50, "seconds": 20}, "tag": "windows insane", "line": " Merlin call back, Switch to Powershell Nishang to get a interactive shell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 54, "seconds": 30}, "tag": "windows insane", "line": " Running PowerUp to find we are an Administrator"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 56, "seconds": 56}, "tag": "windows insane", "line": " Running JAWS to do some more Windows Enumeration"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 63, "seconds": 4}, "tag": "windows insane", "line": " Found an odd scheduled task \"System Maintenance\""}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 66, "seconds": 3}, "tag": "windows insane", "line": " Attempting to write a php shell to HTTPD"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " * Begin of 
weird issue with File Encoding breaking something *"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 72, "seconds": 30}, "tag": "windows insane", "line": " Frusterated creating a PHP Script... Switch to the SCHTask Privesc"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 78, "seconds": 20}, "tag": "windows insane", "line": " Uhh. Testing if echo is somehow breaking .bat/.php files"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " * Wth. That was actually the issue!?"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 81, "seconds": 50}, "tag": "windows insane", "line": " Going back to test PHP to verify it just didn't like echo."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Videos mentioned:"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Charon - Exploring Union Injection: https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Enterprise - Exploring Double Union Injection - https://www.youtube.com/watch?v=NWVJ2b0D1r8"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "windows medium", "line": " Begin of recon"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "windows medium", "line": " Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 8, "seconds": 45}, "tag": "windows medium", "line": " Bruteforcing the SID with 
ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "windows medium", "line": " Holy crap, this is slow lets also do it with Metasploit"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows medium", "line": " Bruteforcing valid logins with ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 16, "seconds": 0}, "tag": "windows medium", "line": " Credentials returned, logging into Oracle with SQLPlus as SysDBA"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows medium", "line": " Reading files from disk via Oracle"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 23, "seconds": 20}, "tag": "windows medium", "line": " Writing files to disk from Oracle. Testing it in WebRoot Directory"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 25, "seconds": 52}, "tag": "windows medium", "line": " File Written, lets write an ASPX WebShell to the Server"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 29, "seconds": 10}, "tag": "windows medium", "line": " WebShell Working! 
Lets get a Reverse Shell"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 31, "seconds": 28}, "tag": "windows medium", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 32, "seconds": 24}, "tag": "windows medium", "line": " Finding a DropBox link, but password doesn't display well."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "windows medium", "line": " Attempting to copy file via SMB to view UTF8 Text"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 35, "seconds": 18}, "tag": "windows medium", "line": " That didn't work, lets transfer the file by encoding it in Base64."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 36, "seconds": 55}, "tag": "windows medium", "line": " Got the password lets download the dump!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 39, "seconds": 10}, "tag": "windows medium", "line": " Begin of Volatility"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "windows medium", "line": " Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Box Done"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 47, "seconds": 35}, "tag": "windows medium", "line": " Begin of unintended way, examining odat and uploading an meterpreter exe"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 50, "seconds": 30}, "tag": "windows medium", "line": " Using odat externaltable to execute meterpreter and get a system shell!"}, {"machine": "HackTheBox - Silo", "videoId": 
"2c7SzNo9uoA", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows medium", "line": " Examining odat verbosity flag to see what commands it runs and try to learn."}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "linux easy", "line": " Start of Recon, identifying end of life OS from nmap"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 3, "seconds": 20}, "tag": "linux easy", "line": " Running vulnerability scripts in nmap to discover heartbleed"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " (In video on Blue, I go a bit more in NMAP Scripts. https://www.youtube.com/watch?v=YRsfX6DW10E)"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 4, "seconds": 16}, "tag": "linux easy", "line": " Going to the HTTP Page to see what it looks like"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "linux easy", "line": " Begin of Heartbleed - Grabbing Python Module"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 7, "seconds": 13}, "tag": "linux easy", "line": " Explaining Heartbleed -- XKCD ftw"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Explaining and running the exploit"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux easy", "line": " Exporting large chunks of memory by running in a loop"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 14, "seconds": 10}, "tag": "linux easy", "line": " Finding an encrypted SSH Key on the server"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", 
"timestamp": {"minutes": 15, "seconds": 35}, "tag": "linux easy", "line": " Examining heartbleed output to discover SSH Key Password"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 17, "seconds": 45}, "tag": "linux easy", "line": " SSH as low priv user returned"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 21, "seconds": 55}, "tag": "linux easy", "line": " Finding a writable tmux socket to hijack session and find a root shell"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux easy", "line": " Alternative Privesc, DirtyC0w"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 1, "seconds": 26}, "tag": "", "line": " Start of Recon"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 25}, "tag": "", "line": " Notice SSH configured for Pub Key Only. 
Hint at what to grab later!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "", "line": " Grabbing test.txt off ftp server via anonymous auth"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 4, "seconds": 7}, "tag": "", "line": " Determining if I want to go down the \"Exploit VSFTPD\" rabbit hole"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 5, "seconds": 54}, "tag": "", "line": " Viewing test.txt and hosts.php"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 6, "seconds": 48}, "tag": "", "line": " Figuring out how hosts.php works and discovering XXE"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 8, "seconds": 58}, "tag": "", "line": " Start of XXE Discovery"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 10, "seconds": 16}, "tag": "", "line": " Making the XXE Output /etc/passwd"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 11, "seconds": 33}, "tag": "", "line": " Encoding output in Base64 in order to view PHP Files"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 12, "seconds": 58}, "tag": "", "line": " Using Burp Intruder to BruteForce Files"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 16, "seconds": 20}, "tag": "", "line": " Creating a program to bruteforce home directories"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 26, "seconds": 41}, "tag": "", "line": " Program Finished. 
Finding SSH ID_RSA Key"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Low Priv Access Granted"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 30, "seconds": 24}, "tag": "", "line": " LinEnum.sh shows Wordpress CHMOD'd to 777"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 31, "seconds": 5}, "tag": "", "line": " Examining Wordpress Site (big hint left by author)"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "", "line": " Enumerating MySQL Database"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 35, "seconds": 15}, "tag": "", "line": " Giving up on MySQL, lets edit PHP Files to dump passwords!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 36, "seconds": 50}, "tag": "", "line": " Identifying the file we want to backdoor"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 37, "seconds": 51}, "tag": "", "line": " Placing our PHP Code"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 42, "seconds": 6}, "tag": "", "line": " Got the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 1, "seconds": 54}, "tag": "windows medium", "line": " Begin Recon, Windows IIS/OS Mapping and GoBuster"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "windows medium", "line": " Explanation of Virtual Host Routing"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "windows medium", "line": " Developers name exposed in HTML Source, also discover /monitor"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": 
{"minutes": 11, "seconds": 10}, "tag": "windows medium", "line": " Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " erstand CSRF and write an automated bruteforcer"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 16, "seconds": 33}, "tag": "windows medium", "line": " Discover of Internal-01.bart.htb"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 19, "seconds": 17}, "tag": "windows medium", "line": " Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 29, "seconds": 34}, "tag": "windows medium", "line": " Finally got Hydra to return the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "windows medium", "line": " Log Poisoning + LFI = Remote Code Execution"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 37, "seconds": 30}, "tag": "windows medium", "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows medium", "line": " Why you should check if you're a 32-bit process on a 64-bit machine"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Start of Failing attempting to do a RunAs... 
Lol."}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 48, "seconds": 35}, "tag": "windows medium", "line": " Attempting to use b33f/FuzzySecurity Invoke-RunAs"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 56, "seconds": 0}, "tag": "windows medium", "line": " Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 63, "seconds": 40}, "tag": "windows medium", "line": " ARGH! Lets try to use this account via Empire"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "windows medium", "line": " Bring out the big guns, it's Metasploit Time!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 78, "seconds": 10}, "tag": "windows medium", "line": " Alright, lets poke a hole in the firewall and connect over SMB!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 17}, "tag": "windows medium", "line": " Failed to PSExec in MSF"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### End of Failing!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 40}, "tag": "windows medium", "line": " Found Impacket-PSExec! 
And it works!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Box Done"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 83, "seconds": 45}, "tag": "windows medium", "line": " Lets go hunt for creds!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 95, "seconds": 23}, "tag": "windows medium", "line": " Cracking Salted Hashes with Hashcat (Sha265.Salt)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Original Video with In-Depth Explanations of Intended Solution: https://youtu.be/frh-jYaUvrU"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "linux insane", "line": " End of intro, Start of nmap"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 2, "seconds": 47}, "tag": "linux insane", "line": " Playing with Second-Order Union Injection"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 5, "seconds": 44}, "tag": "linux insane", "line": " Dumping all users"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "linux insane", "line": " Converting SFTP Exploit from 64bit to 32bit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 13, "seconds": 27}, "tag": "linux insane", "line": " Reversing SLS Binary"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 15, "seconds": 19}, "tag": 
"linux insane", "line": " Kernel Exploit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 22, "seconds": 31}, "tag": "linux insane", "line": " First Method - Executing ELF Binaries from memory (Reflective loading elf)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 35, "seconds": 57}, "tag": "linux insane", "line": " Second Method - Crashing a program to create a write-able file."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " Edit: Whoops forgot @stefano_118 helped create this machine! "}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "linux insane", "line": " Start of Recon"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 4, "seconds": 58}, "tag": "linux insane", "line": " /documents and /secret rabbit hole enumeration"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 8, "seconds": 13}, "tag": "linux insane", "line": " Using wfuzz on the /secret rabbit hole to find argument for download.php"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux insane", "line": " Begin of Web Application Enumeration, some XSS Found"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 18, "seconds": 23}, "tag": "linux insane", "line": " Throwing bad characters in username and finding Second-Order SQL Injection."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "linux insane", "line": " Begin of Union Injection to dump the database via second order sql injection"}, {"machine": "HackTheBox - Nightmare", 
"videoId": "frh-jYaUvrU", "timestamp": {"minutes": 39, "seconds": 36}, "tag": "linux insane", "line": " Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 43, "seconds": 54}, "tag": "linux insane", "line": " Enumerating SFTP (Using SSHFS to Dump a File Listing)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 53, "seconds": 0}, "tag": "linux insane", "line": " Converting 64-Bit SFTP Exploit to 32-Bit"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 71, "seconds": 46}, "tag": "linux insane", "line": " Reverse Shell Returned, some stuff and finding Set-GID Binary"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 82, "seconds": 55}, "tag": "linux insane", "line": " Reversing SLS binary with Radare2 (r2)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 107, "seconds": 53}, "tag": "linux insane", "line": " Exploiting SLS Binary with new line character (Get to Decoder User)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 111, "seconds": 47}, "tag": "linux insane", "line": " Begin of Kernel Exploitation (CVE-2017-1000112)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 116, "seconds": 0}, "tag": "linux insane", "line": " Kernel Exploit Compiled (silly mistake before)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 119, "seconds": 52}, "tag": "linux insane", "line": " Creating a new lsb-release file so exploit can identify kernel"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 127, "seconds": 3}, "tag": "linux insane", "line": " Recap of Box"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", 
"timestamp": {"minutes": 129, "seconds": 56}, "tag": "linux insane", "line": " Creating a Tamper Script to do Second-Order SQL Injection"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ###"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " #Referenced Videos:"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ## Holiday Hack Analytics - https://www.youtube.com/watch?v=zcJyhDC9kgo/watch?v=zcJyhDC9kgo"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ## Charon (Union Injection) - https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Testing out a new microphone, enjoy the random video."}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "", "line": " Downloading Empire + PowerShell Port Forward"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 2, "seconds": 13}, "tag": "", "line": " Explaining Empire Directory Structure"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 3, "seconds": 28}, "tag": "", "line": " Copying the PowerShell Template (Empire Module) to a working directory"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Creating the Empire Module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Converting PowerShell Port Forward 
Script to an Empire Friendly Format"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 14, "seconds": 54}, "tag": "", "line": " Starting Empire"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 16, "seconds": 58}, "tag": "", "line": " Empire Agent Active"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 19, "seconds": 50}, "tag": "", "line": " Checking if the module worked. It did not, begin troubleshooting!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "", "line": " Found the Error! Huzzah!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Reloading the module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 26, "seconds": 4}, "tag": "", "line": " Executing the module again, this time it works."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 18}, "tag": "linux easy", "line": " Start of Recon"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux easy", "line": " Finding hidden directory via Source"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 2, "seconds": 15}, "tag": "linux easy", "line": " Downloading NibbleBlog to help us with finding version information"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 3, "seconds": 59}, "tag": "linux easy", "line": " Identifying what vresion of NibblesBlog is running"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 4, "seconds": 42}, "tag": "linux easy", "line": " Using SearchSploit to find vulnerabilities"}, {"machine": 
"HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 5, "seconds": 36}, "tag": "linux easy", "line": " Examining the Exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 6, "seconds": 8}, "tag": "linux easy", "line": " Explanation of exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 7, "seconds": 25}, "tag": "linux easy", "line": " Attempting to find valid usernames for NibblesBlog"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 9, "seconds": 13}, "tag": "linux easy", "line": " Finding usernames in /content/private"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 10, "seconds": 15}, "tag": "linux easy", "line": " Using Hydra to attempt to bruteforce"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 14, "seconds": 8}, "tag": "linux easy", "line": " Oh crap. Hydra not good idea we're blocked..."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux easy", "line": " -- Some minor panicing about how to continue"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 15, "seconds": 40}, "tag": "linux easy", "line": " Using SSH Proxies to hit nibbles from another box (Falafel)"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "linux easy", "line": " Guessing the password"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "linux easy", "line": " Logged in, lets attempt our exploit!"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 22, "seconds": 46}, "tag": "linux easy", "line": " Code Execution achieved. 
Lets get a reverse shell"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 24, "seconds": 53}, "tag": "linux easy", "line": " Reverse shell returned."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 0}, "tag": "linux easy", "line": " Running sudo -l examine sudoer, then finding out why sudo took forever to return"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 50}, "tag": "linux easy", "line": " Privesc via bad sudo rules"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 32, "seconds": 10}, "tag": "linux easy", "line": " Alternative PrivEsc via RationalLove"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " *Note: RationalLove was patched after I did this box. So mistakenly thought it was still vulnerable. Enjoy the fails/confusion!"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "linux hard", "line": " Begin of Recon"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 4, "seconds": 25}, "tag": "linux hard", "line": " Bruteforcing valid users"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Manually finding SQL Injection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 13, "seconds": 13}, "tag": "linux hard", "line": " Using --string with SQLMap to aid Boolean Detection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 15, "seconds": 41}, "tag": "linux hard", "line": " PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": 
{"minutes": 18, "seconds": 35}, "tag": "linux hard", "line": " Attempting Wget Exploit with FTP Redirection (failed)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 26, "seconds": 39}, "tag": "linux hard", "line": " Exploiting wget's maximum file length"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 33, "seconds": 30}, "tag": "linux hard", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 36, "seconds": 19}, "tag": "linux hard", "line": " Linux Priv Checking Enum"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "linux hard", "line": " Checking web crap for passwords"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 44, "seconds": 0}, "tag": "linux hard", "line": " Grabbing the screenshot of tty"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 49, "seconds": 0}, "tag": "linux hard", "line": " Privesc via Yossi being in Disk Group (debugfs)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 50, "seconds": 15}, "tag": "linux hard", "line": " Grabbing ssh root key off /dev/sda1"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 52, "seconds": 15}, "tag": "linux hard", "line": " Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 67, "seconds": 42}, "tag": "linux hard", "line": " Manually exploiting the SQL Injection! 
with Python"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "windows medium", "line": " Begin of Recon"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows medium", "line": " Start of aChat buffer Overflow: Finding the exploit script with Searchsploit"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 7, "seconds": 24}, "tag": "windows medium", "line": " Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 9, "seconds": 42}, "tag": "windows medium", "line": " Correction: Payload Size wrong, should be 3,xxx -- look at \"Payload Size\" I accidentally highlighted the size of the python file."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 14, "seconds": 30}, "tag": "windows medium", "line": " Whoops, erased too much out of POC. Lets correctly replace the shellcode this time and get a shell."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "windows medium", "line": " Running PowerUp to find AutoLogon Credentials"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 20, "seconds": 5}, "tag": "windows medium", "line": " Running Code as Administrator"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 24, "seconds": 18}, "tag": "windows medium", "line": " First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work. 
"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 27, "seconds": 30}, "tag": "windows medium", "line": " Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 33, "seconds": 12}, "tag": "windows medium", "line": " Summary of the box"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 34, "seconds": 37}, "tag": "windows medium", "line": " Doing the box with Metasaploit, Warning: Lots of fails."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "windows medium", "line": " Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 51, "seconds": 25}, "tag": "windows medium", "line": " Doing the box with Empire !"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 58, "seconds": 20}, "tag": "windows medium", "line": " Using Empire's Run_As module to execute commands as Administrator"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 2, "seconds": 8}, "tag": "linux insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux insane", "line": " XXE Detection on Fulcrum API"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "linux insane", "line": " XXE Get Files"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": 
{"minutes": 23, "seconds": 40}, "tag": "linux insane", "line": " XXE File Retrieval Working"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 24, "seconds": 30}, "tag": "linux insane", "line": " Lets Code a Python WebServer to Aid in XXE Exploitation"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 39, "seconds": 45}, "tag": "linux insane", "line": " Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 47, "seconds": 28}, "tag": "linux insane", "line": " Shell Returned + Go Over LinEnum"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 56, "seconds": 49}, "tag": "linux insane", "line": " Finding WebUser's Password and using WinRM to pivot"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 66, "seconds": 0}, "tag": "linux insane", "line": " Getting Shell via WinRM, finding LDAP Credentials"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 74, "seconds": 0}, "tag": "linux insane", "line": " Using PowerView to Enumerate AD Users"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 87, "seconds": 6}, "tag": "linux insane", "line": " Start of getting a Shell on FILE (TroubleShooting FW)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 95, "seconds": 35}, "tag": "linux insane", "line": " Getting shell over TCP/53 on FILE"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 97, "seconds": 58}, "tag": "linux insane", "line": " Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... 
Triple Hop Nightmare"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 118, "seconds": 10}, "tag": "linux insane", "line": " Troubleshooting the error correctly and getting Domain Admin!"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 123, "seconds": 54}, "tag": "linux insane", "line": " Begin of unintended method (Rooting the initial Linux Hop)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 129, "seconds": 54}, "tag": "linux insane", "line": " Root Exploit Found"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 132, "seconds": 25}, "tag": "linux insane", "line": " Mounting the VMDK Files and accessing AD."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 1, "seconds": 18}, "tag": "linux hard", "line": " Begin of Recon: Getting ubuntu version"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "linux hard", "line": " Navigating to the CrimeStoppers Page"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "linux hard", "line": " First Hint - Read The Source!"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " 2nd Hint - No SQL Databases and playing with the upload form"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 7, "seconds": 55}, "tag": "linux hard", "line": " 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "linux hard", "line": " Explanation of PHP App and why I went down testing $op parameter"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": 
"bgKth1K44QA", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "linux hard", "line": " Testing $op parameter, another hint what year is it?"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "linux hard", "line": " Finding out $op appends .php"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 13, "seconds": 5}, "tag": "linux hard", "line": " Using php b64 filter to view php files (\"Read the source luke\")"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "linux hard", "line": " Looking into PHP Wrappers to try to gain code execution"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "linux hard", "line": " Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 26, "seconds": 20}, "tag": "linux hard", "line": " Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "linux hard", "line": " Easy way to copy binary data into BurpSuite (Base64)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "linux hard", "line": " Getting a shell"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 37, "seconds": 18}, "tag": "linux hard", "line": " Downloading ThunderBird Directory and reading email + getting dom's password"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 46, "seconds": 20}, "tag": "linux hard", "line": " Begin of looking into 
Apache Rootkit (mod_rootme)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 48, "seconds": 4}, "tag": "linux hard", "line": " Begin of using r2 (Radare) to analyze rootkit, basic intro"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 50, "seconds": 55}, "tag": "linux hard", "line": " Analyzing DarkArmy Function"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 55, "seconds": 30}, "tag": "linux hard", "line": " Grabbing the strings and using python to XOR them to get secret that allows root"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 58, "seconds": 35}, "tag": "linux hard", "line": " Get Root "}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " ##### BOX DONE"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 59, "seconds": 10}, "tag": "linux hard", "line": " Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 64, "seconds": 20}, "tag": "linux hard", "line": " Second way to get root, looking around at file modification times to find FunSociety in logs"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "windows hard", "line": " Start of NMAP"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 4, "seconds": 17}, "tag": "windows hard", "line": " Begin of Sharepoint/GoBuster (Special Sharepoint List)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 6, "seconds": 32}, "tag": "windows hard", "line": " Manually browsing to Sitecontent (Get FTP Creds)"}, {"machine": "HackTheBox - Tally", 
"videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 10, "seconds": 18}, "tag": "windows hard", "line": " Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 18, "seconds": 22}, "tag": "windows hard", "line": " Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 25, "seconds": 24}, "tag": "windows hard", "line": " Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 34, "seconds": 35}, "tag": "windows hard", "line": " Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "windows hard", "line": " Begin of RottenPotato without MSF (Decoder's Lonely Potato)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 45, "seconds": 56}, "tag": "windows hard", "line": " Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 58, "seconds": 0}, "tag": "windows hard", "line": " Lonely Potato Running to return a Admin Shell"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows hard", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 64, "seconds": 22}, "tag": "windows hard", "line": " Finding CVE-2017-0213"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 68, "seconds": 33}, "tag": "windows hard", "line": " Installing Visual Studio 2015 && Compiling the exploit"}, {"machine": "HackTheBox - Tally", 
"videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 75, "seconds": 50}, "tag": "windows hard", "line": " Exploit Compiled, trying to get it to work...."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 78, "seconds": 11}, "tag": "windows hard", "line": " Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 88, "seconds": 37}, "tag": "windows hard", "line": " Found the issue, exploit seems to require interactive process"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 90, "seconds": 0}, "tag": "windows hard", "line": " Begin of Firefox Exploit Cluster (Not recommended to watch lol). It's a second unreliable way to get user"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 1, "seconds": 19}, "tag": "windows medium", "line": " Begin of Enumeration"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 4, "seconds": 15}, "tag": "windows medium", "line": " Avoiding the Rabbit Hole on port 80 (IIS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 6, "seconds": 0}, "tag": "windows medium", "line": " Begin of Jenkins"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows medium", "line": " Using Jenkins Script Console (Groovy) to gain code execution"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "windows medium", "line": " Reverse TCP Shell via Nishang"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "windows medium", "line": " Reverse Shell returned. 
PowerSplit dev branch to find unintended privesc (Tokens)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 22, "seconds": 20}, "tag": "windows medium", "line": " Powersploit's Invoke-AllChecks completes"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 24, "seconds": 20}, "tag": "windows medium", "line": " Finding Keepass Database using Impack-SMBServer to transfer files"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows medium", "line": " Cracking the KeePass Database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 30, "seconds": 20}, "tag": "windows medium", "line": " Using KeePass2 to open database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 34, "seconds": 25}, "tag": "windows medium", "line": " PassTheHash via pth-winexe to gain administrator shell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 35, "seconds": 20}, "tag": "windows medium", "line": " Grabbing root.txt that is hidden via Alternate Data Streams (ADS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### BOX DONE"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 39, "seconds": 0}, "tag": "windows medium", "line": " Using RottenPotato to escalate to root via MSF"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "windows medium", "line": " Using Unicorn to gain a reverse MSF SHell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 45, "seconds": 20}, "tag": "windows medium", "line": " Performing the attack"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 48, 
"seconds": 0}, "tag": "windows medium", "line": " Impersonating Token to gain root"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " ### Unintended Done. Rest of video is me failing around, may be useful?"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " Good Read: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " If you want to try Rotten Potato without MSF Read this: https://decoder.cloud/2017/12/23/the-lonely-potato/"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 1, "seconds": 25}, "tag": "", "line": " Begin of recon"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "", "line": " Wiresharking NMAP to identify fingerprint"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 5, "seconds": 53}, "tag": "", "line": " Checking the WebPage"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 9, "seconds": 15}, "tag": "", "line": " Finding /sync and why web browser has a 403"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Using wfuzz to find what arguments /sync takes"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 15, "seconds": 45}, "tag": "", "line": " The actual wfuzz command"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 20, "seconds": 30}, "tag": "", "line": " Finding Bad Characters with 
wfuzz"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 24, "seconds": 51}, "tag": "", "line": " Getting command execution"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "", "line": " Privesc to root abusing custom script"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " #### Box Done"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 47, "seconds": 48}, "tag": "", "line": " Examining how NGINX/OpenResty was configured"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 23}, "tag": "linux insane", "line": " Explaining VM Layout"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 1, "seconds": 47}, "tag": "linux insane", "line": " Nmap Start"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 5, "seconds": 20}, "tag": "linux insane", "line": " Poking at Virtual Host Routing (Beehive & Calvin)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 10, "seconds": 25}, "tag": "linux insane", "line": " Fixing GoBuster to find /cgi-bin/"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 11, "seconds": 48}, "tag": "linux insane", "line": " Enumerating WAF (Web Application Firewall), to see how it detects Shellshock"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 15, "seconds": 8}, "tag": "linux insane", "line": " Using VirtualHostRouting to navigate to Calvin.htb.htb"}, {"machine": "HackTheBox - Ariekei", "videoId": 
"Pc4tzsn-ats", "timestamp": {"minutes": 18, "seconds": 15}, "tag": "linux insane", "line": " Using ImageTragick to exploit Calvin"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 25, "seconds": 30}, "tag": "linux insane", "line": " Calvin Reverse shell returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 31, "seconds": 35}, "tag": "linux insane", "line": " Poking at /common, which allows pivot to Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux insane", "line": " SSH into the Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 38, "seconds": 45}, "tag": "linux insane", "line": " Explain SSH Local and Remote Port Forwarding"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 46, "seconds": 0}, "tag": "linux insane", "line": " Beehive Reverse Shell Returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " Finding the root password via /common/containers/bastion-live/Dockerfile"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 54, "seconds": 50}, "tag": "linux insane", "line": " PrivEsc via Docker (much like the LXC shown in Calamity)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 57, "seconds": 5}, "tag": "linux insane", "line": " Getting root access to filesystem"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " ==== BOX DONE."}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 58, "seconds": 10}, "tag": "linux insane", "line": " Failing to get root shell via Crontab"}, {"machine": "HackTheBox - Ariekei", 
"videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 66, "seconds": 20}, "tag": "linux insane", "line": " Yeah screw crontab, lets just create an ssh key."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The CSRF Video I refer to is here: https://www.youtube.com/watch?v=d2nVDoVr0jE at 42m"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Start of Recon, nmap + dump web users"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 3, "seconds": 35}, "tag": "", "line": " Writing Python Program to dump uers."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 12, "seconds": 0}, "tag": "", "line": " Dumping Users/Group done. Now to dump PW Hints"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 0}, "tag": "", "line": " Python coding done."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 57}, "tag": "", "line": " Examining the PW Reset Functionality, reset King (Unintended)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 29, "seconds": 40}, "tag": "", "line": " Start of examining File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 33, "seconds": 37}, "tag": "", "line": " Finding local user + Exploiting File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 35, "seconds": 45}, "tag": "", "line": " Unintended Privilege Kernel Escalation (CVE-2017-16995)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ----- Box Done, Rest is extra content -----"}, {"machine": "Vulnhub - Trollcave 1.2", 
"videoId": "2EW78bkwztg", "timestamp": {"minutes": 41, "seconds": 45}, "tag": "", "line": " Stealing CoolDude89's Cookie to gain Moderator Access"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 61, "seconds": 0}, "tag": "", "line": " Playing with moderator function to promote user to Admin"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 69, "seconds": 50}, "tag": "", "line": " Using Admin Permission to unmod admin and gain access to PM's"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 74, "seconds": 50}, "tag": "", "line": " Poking around the box looking for intended PrivEsc"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 82, "seconds": 50}, "tag": "", "line": " Exploiting Calc NodeJS App on Port 88"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 96, "seconds": 45}, "tag": "", "line": " Final Exploits of Calc App"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Troll Cave VM Download: https://www.vulnhub.com/entry/trollcave-12,230/"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 1, "seconds": 5}, "tag": "", "line": " Start of Recon + Finding dompdf"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 8, "seconds": 30}, "tag": "", "line": " PHP Wrappers + Failed testing for RCE"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "", "line": " Writing Python Program to automate file disclosure bug"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 18, "seconds": 40}, "tag": "", "line": " Finding WebDav Configuration + Uploading Files for RCE"}, {"machine": "HackTheBox - 
Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Modifying Sokar's Forward Shell (PTY over HTTP)"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 33, "seconds": 55}, "tag": "", "line": " Forward shell returned"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 38, "seconds": 50}, "tag": "", "line": " Using Squid to pivot to ports listening locally + NMAP via ProxyChains"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 47, "seconds": 48}, "tag": "", "line": " Getting nmap on Inception to speed up scanning private network"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 59, "seconds": 16}, "tag": "", "line": " Nmap results returned for 192.168.0.1, FTP Anonymous Login"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 61, "seconds": 15}, "tag": "", "line": " Finding TFTP as a Running Service"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 66, "seconds": 35}, "tag": "", "line": " Using TFTP to grab crontab & creating a pre-invoke apt script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://www.vulnhub.com/entry/pinkys-palace-v2,229/"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 47}, "tag": "", "line": " Start of Recon, get debian rev from apache header."}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Explanation of NMAP Filtered // TCPWrapped"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 6, "seconds": 45}, "tag": "", "line": " Enumerating Wordpress"}, {"machine": "VulnHub - 
Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 9, "seconds": 58}, "tag": "", "line": " Finding /secret folder with Port Knock Ports"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 10, "seconds": 42}, "tag": "", "line": " Trying to take advantage of open wordpress installer (Rabbit Hole)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Writing port knock script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 34, "seconds": 10}, "tag": "", "line": " Finally successful port knock, lets see what ports are open"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 38, "seconds": 40}, "tag": "", "line": " Using Cewl to build a wordlist, then using Hydra to bruteforce HTTP Post Login"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 44, "seconds": 57}, "tag": "", "line": " Login, ignoring an SSH Key :( and instead playing with an LFI!"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "", "line": " Reverse Shell via LFI + Log Poisoning"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 67, "seconds": 50}, "tag": "", "line": " Enough playing, lets crack SSH Key with John + sshng2john"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 73, "seconds": 35}, "tag": "", "line": " Analyzing qsub binary with radare2"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 84, "seconds": 0}, "tag": "", "line": " Finding the command injection in send function"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 86, "seconds": 14}, "tag": "", "line": " 
Exploiting command injection to setup SetUID Binary (Stefano - Pinky)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 89, "seconds": 29}, "tag": "", "line": " Using SSH Keys to get proper session to pinky, then exploit cron script to get to demon"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 96, "seconds": 49}, "tag": "", "line": " Analyzing panel with Radare2"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 108, "seconds": 29}, "tag": "", "line": " Enough of me learning, lets just take the easy route and use GDB+PEDA"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 116, "seconds": 39}, "tag": "", "line": " Finishing up the exploit with some Shell Code"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 1, "seconds": 8}, "tag": "", "line": " Start of Recon (NetDiscover/Masscan/Nmap)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 5, "seconds": 37}, "tag": "", "line": " Finding the CGI Script and using Shellshock"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Start creating ShellShock python script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 16, "seconds": 8}, "tag": "", "line": " Converting script \"Forward Shell\" for FW Evasion with mkfifo"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Adding Threading (Background Task) to improve script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 45, "seconds": 0}, "tag": "", "line": " Script completed - Attempt to enumerate FW Rules"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 49, "seconds": 0}, 
"tag": "", "line": " Fumbling around with IPv6 (Check out Sneaky Video for more)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 53, "seconds": 25}, "tag": "", "line": " Reverse shell via IPv6 and ncat"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 65, "seconds": 0}, "tag": "", "line": " Reading Bynarr's mail to get password and PrivEsc via LIME/Memory Dum"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " p"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 67, "seconds": 20}, "tag": "", "line": " Unintended PrivEsc via ShellShock + Environment Variables"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 78, "seconds": 20}, "tag": "", "line": " Begin of MITM (Man in the Middle) First with Ettercap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 84, "seconds": 19}, "tag": "", "line": " Installing Bettercap2 + Usage"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 93, "seconds": 40}, "tag": "", "line": " Spoofing ARP and DNS with BetterCap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 101, "seconds": 11}, "tag": "", "line": " Privesc to root via Git on case-insensitive FS"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 113, "seconds": 30}, "tag": "", "line": " Woot root, lets take a look at the IPTable FW"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 116, "seconds": 0}, "tag": "", "line": " Explaining the exploit a bit better"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows insane", "line": " Every time I saw CSRF, I means SSRF."}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", 
"timestamp": {"minutes": 0, "seconds": 40}, "tag": "windows insane", "line": " Begin of Recon"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "windows insane", "line": " Start of GoBuster"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "windows insane", "line": " Finding a SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "windows insane", "line": " Passing arguments to cmd.aspx via SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 12, "seconds": 5}, "tag": "windows insane", "line": " Firewall Enumeration "}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "windows insane", "line": " Begin of setting up ICMP Reverse Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "windows insane", "line": " Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 46, "seconds": 31}, "tag": "windows insane", "line": " Return of ICMP Rev Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "windows insane", "line": " PrivEsc form IIS to Decoder"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 71, "seconds": 15}, "tag": "windows insane", "line": " Unzipping via Powershell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 74, "seconds": 5}, "tag": "windows insane", "line": " Finding Administrator password hidden in NTFS File Stream"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 76, "seconds": 30}, "tag": "windows insane", 
"line": " Using Net Use to mount C: As Administrator"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 79, "seconds": 30}, "tag": "windows insane", "line": " Using IDA to analyze root.exe and grab the flag (Misses last character of hash)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 84, "seconds": 15}, "tag": "windows insane", "line": " Using Invoke Command to execute root.exe as admin (Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 92, "seconds": 52}, "tag": "windows insane", "line": " Opening up the Firewall then just using RDP to gain access"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "linux easy", "line": " Star of Recon"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux easy", "line": " GoBuster"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 4, "seconds": 45}, "tag": "linux easy", "line": " Getting banned and Pivoting to verify"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 10, "seconds": 20}, "tag": "linux easy", "line": " Logging into PFSense"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "linux easy", "line": " Manually Exploiting PFsense "}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "linux easy", "line": " Using Metasploit to exploit"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux easy", "line": " Creating a Bruteforce Script in Python ( CSRF )"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "", "line": " Begin of recon"}, 
{"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "", "line": " Finding the vulnerable Wordpress Plugin"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 17, "seconds": 50}, "tag": "", "line": " Exploiting lcars plugin "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "", "line": " Logging into WP and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 35, "seconds": 0}, "tag": "", "line": " Wordpress RevShell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 40, "seconds": 0}, "tag": "", "line": " Using Meterpreter to pivot and provide access to MySQL"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " MySQL Shell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 52, "seconds": 0}, "tag": "", "line": " Logging into Joomla and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 57, "seconds": 20}, "tag": "", "line": " Joomla Reverse Shell returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 59, "seconds": 0}, "tag": "", "line": " Getting Reverse Shell on Host OS (port 443)"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 62, "seconds": 0}, "tag": "", "line": " Shell Returned begin of local privesc recon"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 72, "seconds": 6}, "tag": "", "line": " Beginning of Binary Exploitation "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 81, "seconds": 0}, "tag": "", 
"line": " Start writing exploit script "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ===== Extra Content ======"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 88, "seconds": 30}, "tag": "", "line": " Analyzing the PHP SQL Injection Scripts"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 96, "seconds": 30}, "tag": "", "line": " Viewing what SQLMap does to exploit this"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 100, "seconds": 0}, "tag": "", "line": " Stepping through Double Query Injection"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 107, "seconds": 20}, "tag": "", "line": " Writing our own SQL Injection Exploit Script"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " For the unintentional method, I'm just downloading a file versus doing it live on the box because I wanted to save doing it live for another video. 
"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " A really good SSRF Presentation: https://www.youtube.com/watch?v=D1S-G8rJrEk"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 1, "seconds": 38}, "tag": "linux hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux hard", "line": " Accessing port 60000"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Manually enumerating ports on localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "linux hard", "line": " Using wfuzz to portscan localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 10, "seconds": 0}, "tag": "linux hard", "line": " Tomcat creds exposed & Uploading tomcat reverse shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "linux hard", "line": " Return of shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 14, "seconds": 20}, "tag": "linux hard", "line": " Extracting NTDS + SYSTEM Hive"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "linux hard", "line": " Using HashKiller to crack the hashes"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 21, "seconds": 30}, "tag": "linux hard", "line": " Escalating to Atanas & Identifying wget vulnerability"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "linux hard", "line": " Starting exploit"}, {"machine": "HackTheBox - Kotarak", 
"videoId": "38e-sxPWiuY", "timestamp": {"minutes": 33, "seconds": 22}, "tag": "linux hard", "line": " Exploit failed, light debugging"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 35, "seconds": 40}, "tag": "linux hard", "line": " Issue found, not listening all interfaces"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 39, "seconds": 35}, "tag": "linux hard", "line": " Root shell returned."}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 40, "seconds": 10}, "tag": "linux hard", "line": " Unintentional Root Method (Edited Footage, IP Change)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Begin of NMAP"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 3, "seconds": 0}, "tag": "", "line": " GoBuster (Fails)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 8, "seconds": 15}, "tag": "", "line": " Screw GoBuster, BurpSpider FTW"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 9, "seconds": 12}, "tag": "", "line": " Examing Routes File to find more pages"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 10, "seconds": 10}, "tag": "", "line": " Finding Credentials and downloading backup"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Cracking the zip with fcrackzip"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Finding more credentials (SSH) within MongoSource"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Privesc to Tom User"}, {"machine": "HackTheBox - Node", "videoId": 
"sW10TlZF62w", "timestamp": {"minutes": 35, "seconds": 4}, "tag": "", "line": " Analyzing Backup Binary File"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 36, "seconds": 49}, "tag": "", "line": " Using strace to find binary password"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 40, "seconds": 25}, "tag": "", "line": " Finding blacklisted characters/words"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "", "line": " Unintended method one, abusing CWD"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 52, "seconds": 20}, "tag": "", "line": " Unintended method two, wildcards to bypass blacklist"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 54, "seconds": 45}, "tag": "", "line": " Unintended method three, command injection via new line"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 59, "seconds": 15}, "tag": "", "line": " Intended root Buffer Overflow ASLR Brute Force"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you want to see more detail on the ret2libc check out October: https://www.youtube.com/watch?v=K05mJazHhF4&t=21m14s"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows hard", "line": " Intro"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "windows hard", "line": " Start of nmap"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 3, "seconds": 22}, "tag": "windows hard", "line": " Poking at a rabbit hole (8080)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 8, "seconds": 8}, "tag": "windows hard", "line": " 
GoBuster to find hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "windows hard", "line": " Finding SQL Creds in hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows hard", "line": " Using dbeaver to enumerate database"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 16, "seconds": 50}, "tag": "windows hard", "line": " Impacket-PSExec to Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "windows hard", "line": " Proving James is not an Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 20, "seconds": 35}, "tag": "windows hard", "line": " Using MSF to Enable Remote Desktop to do Incident Response"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 27, "seconds": 0}, "tag": "windows hard", "line": " Start of Remote Desktop Looking at Event Log + Active Directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 31, "seconds": 0}, "tag": "windows hard", "line": " Installing Sysmon to get better logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 36, "seconds": 15}, "tag": "windows hard", "line": " Looking at Sysmon Logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 42, "seconds": 20}, "tag": "windows hard", "line": " Proving the PrivEsc was due to Impacket-PSExec not cleaning up"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 48, "seconds": 0}, "tag": "windows hard", "line": " Using Forensics to get Service Creation Date"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 53, "seconds": 30}, "tag": "windows 
hard", "line": " Finding a HTB User creating a Git Issue to Impacket (LOL)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 55, "seconds": 10}, "tag": "windows hard", "line": " Intended Route - Forging a Kerberos Ticket MS14-068"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 71, "seconds": 0}, "tag": "windows hard", "line": " Explaining why the unintended route probably got created"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you want some more details about the actual ShellShock exploit, check out the Beep Video. "}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Begin Nmap, OS Enum via SSH/HTTP Banner"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 5, "seconds": 0}, "tag": "", "line": " GoBuster"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 7, "seconds": 8}, "tag": "", "line": " Viewing CGI Script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " Begin NMAP Shellshock"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Debugging Nmap HTTP Scripts via Burp"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 11, "seconds": 10}, "tag": "", "line": " Fixing the HTTP Request & nmap script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Performing Shellshock & more fixing"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 18, "seconds": 25}, "tag": "", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Shocker", 
"videoId": "IBlTdguhgfY", "timestamp": {"minutes": 21, "seconds": 19}, "tag": "", "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Rooting the box"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 0, "seconds": 49}, "tag": "", "line": " Nmap"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 1, "seconds": 31}, "tag": "", "line": " Examining some odd behavior. Nmap different result than browser."}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Getting to /admin and testing for Zone Transfer"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Testing SSH Default Raspberry Pi Creds"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 6, "seconds": 11}, "tag": "", "line": " Escalate to root 'sudo su'"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 7, "seconds": 10}, "tag": "", "line": " Recovering the deleted root.txt"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 8, "seconds": 38}, "tag": "", "line": " GrepFu"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 10, "seconds": 40}, "tag": "", "line": " Downloading /dev/sdb via SSH"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 12, "seconds": 48}, "tag": "", "line": " Running Binwalk against it"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 13, "seconds": 18}, "tag": "", "line": " Trying to recover with TestDisk"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 14, "seconds": 37}, "tag": "", "line": " Trying to recover 
with PhotoRec"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 1, "seconds": 0}, "tag": "linux hard", "line": " Nmap"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 2, "seconds": 23}, "tag": "linux hard", "line": " Examining the Web Page"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 8}, "tag": "linux hard", "line": " GoBuster"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 53}, "tag": "linux hard", "line": " Finding /uploads/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 5, "seconds": 50}, "tag": "linux hard", "line": " Finding /secret_area_51/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 6, "seconds": 20}, "tag": "linux hard", "line": " Using Audacity to find Steg in Audio"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "linux hard", "line": " FTP With Creds revealed from Steg"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 10, "seconds": 6}, "tag": "linux hard", "line": " Examining files downloaded from FTP"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 12, "seconds": 43}, "tag": "linux hard", "line": " Finding decryption key + blob"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 14, "seconds": 33}, "tag": "linux hard", "line": " Using Python seccure to decrypt ecc"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 5}, "tag": "linux hard", "line": " SSH Into Shrek as SEC"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 35}, "tag": "linux hard", "line": " Farquad Rabbit Hole"}, 
{"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 17, "seconds": 42}, "tag": "linux hard", "line": " Incident Response : Finding files modified between two times"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 20, "seconds": 47}, "tag": "linux hard", "line": " What is /usr/src/thoughts.txt?"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 21, "seconds": 45}, "tag": "linux hard", "line": " Privesc through cron running: chown *"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Blog Post: https://reboare.github.io/lxd/lxd-escape.html"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 1, "seconds": 28}, "tag": "linux hard", "line": " Begin of recon"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 2, "seconds": 20}, "tag": "linux hard", "line": " GoBuster"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "linux hard", "line": " admin.php discovered, finding the pw"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 4, "seconds": 50}, "tag": "linux hard", "line": " Getting Code Execution"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 7, "seconds": 45}, "tag": "linux hard", "line": " Finding out why Reverse Shells weren't working"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux hard", "line": " Getting a reverse shell by renaming nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "linux hard", "line": " Transfering files via nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", 
"timestamp": {"minutes": 14, "seconds": 0}, "tag": "linux hard", "line": " Opening the wav file"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 16, "seconds": 25}, "tag": "linux hard", "line": " Using audiodiff to identify differences in sound"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 17, "seconds": 5}, "tag": "linux hard", "line": " The next step, why is the same song there twice?"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "linux hard", "line": " Importing files into Audacity and Inverting"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 22, "seconds": 25}, "tag": "linux hard", "line": " Attempting to exploit the process blacklist"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Unintended root LXC Background"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 28, "seconds": 30}, "tag": "linux hard", "line": " Creating an Alpine LXC"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 30, "seconds": 40}, "tag": "linux hard", "line": " Importing the image into lxc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 0}, "tag": "linux hard", "line": " Creating the container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 40}, "tag": "linux hard", "line": " Adding the host drive to container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 34, "seconds": 20}, "tag": "linux hard", "line": " Starting the container and entering it"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 5}, "tag": 
"linux hard", "line": " Examining the Process Blacklist script "}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 54}, "tag": "linux hard", "line": " Running through the exploit again on a Ubuntu Host"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 0, "seconds": 38}, "tag": "windows easy", "line": " Start of Recon"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "windows easy", "line": " Finding NMAP Scripts (Probably a stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows easy", "line": " Running Safe Scripts - Not -sC, which is default."}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 52}, "tag": "windows easy", "line": " Listing NMAP Script Categories (Prob a really stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 3, "seconds": 18}, "tag": "windows easy", "line": " Really Cool Grep (Only show matching -oP)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "windows easy", "line": " Nmap Safe Script Output"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "windows easy", "line": " Exploiting MS17-010 with MSF"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "windows easy", "line": " Setting up Dev Branch of Empire"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 9, "seconds": 7}, "tag": "windows easy", "line": " Starting a Listener"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 10, "seconds": 55}, "tag": "windows easy", "line": " Getting a PowerShell Oneliner to 
launch payload"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 12, "seconds": 16}, "tag": "windows easy", "line": " Invoke-Expression (IEX) to Execute Launcher"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 25}, "tag": "windows easy", "line": " Interacting with a single agent"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "windows easy", "line": " Using Modules - PowerUp Invoke-AllChecks"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 14, "seconds": 40}, "tag": "windows easy", "line": " Fixing weird issue with PS Module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "windows easy", "line": " Invoke-AllChecks finished"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 15}, "tag": "windows easy", "line": " Loading PS Modules into Memory"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 40}, "tag": "windows easy", "line": " Executing funcitons out of above module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 18, "seconds": 20}, "tag": "windows easy", "line": " Why I don't pass to MSF via InjectShellcode"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 22, "seconds": 45}, "tag": "windows easy", "line": " How I pass from Empire to MSF (Unicorn + IEX)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 25, "seconds": 53}, "tag": "windows easy", "line": " Just running Powershell CMDs from Empire (Shell)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 0, "seconds": 52}, "tag": "linux insane", "line": " Recon - NMAP"}, {"machine": "HackTheBox - Jail", 
"videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 5}, "tag": "linux insane", "line": " Recon - Getting Linux Distro"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "linux insane", "line": " Recon - GoBuster"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "linux insane", "line": " Analyzing Jail.c source"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "linux insane", "line": " Begin Binary Exploitation"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 15, "seconds": 10}, "tag": "linux insane", "line": " Verify Buffer Overflow"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 17, "seconds": 35}, "tag": "linux insane", "line": " Create Exploit Skeleton"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 20, "seconds": 50}, "tag": "linux insane", "line": " Finding EIP Overwrite"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 23, "seconds": 2}, "tag": "linux insane", "line": " Adding Reverse TCP Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 30, "seconds": 15}, "tag": "linux insane", "line": " Switching to \"Socket Re-Use\" Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 32, "seconds": 20}, "tag": "linux insane", "line": " Shell Returned"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 34, "seconds": 0}, "tag": "linux insane", "line": " NFSv3 Privesc Begin"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "linux insane", "line": " Begin incorrectly playing with SetUID"}, {"machine": "HackTheBox - Jail", "videoId": 
"80-73OYcrrk", "timestamp": {"minutes": 43, "seconds": 10}, "tag": "linux insane", "line": " SELinux Escape"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 45, "seconds": 25}, "tag": "linux insane", "line": " Using SELinux Escape to copy SSH Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 48, "seconds": 55}, "tag": "linux insane", "line": " Logging in as Frank"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 50, "seconds": 0}, "tag": "linux insane", "line": " Privesc to adm (sudo rvim)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 51, "seconds": 44}, "tag": "linux insane", "line": " Begin of finding a way to root"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 55, "seconds": 58}, "tag": "linux insane", "line": " Begin cracking rar file "}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 57, "seconds": 18}, "tag": "linux insane", "line": " Using Hashcat to generate custom wordlist"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 60, "seconds": 40}, "tag": "linux insane", "line": " Cracking with JohnTheRipper"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 62, "seconds": 30}, "tag": "linux insane", "line": " RsaCtfTool to exploit weak SSH Pub Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 63, "seconds": 36}, "tag": "linux insane", "line": " Login as root with SSH Private Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 64, "seconds": 11}, "tag": "linux insane", "line": " EXTRA CONTENT: Alternative Privesc to ADM (NFS)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 65, "seconds": 21}, "tag": "linux insane", "line": " Creating a directory 
to give other users NFS Write access"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 67, "seconds": 30}, "tag": "linux insane", "line": " Correct way to do SetUID Program"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 71, "seconds": 4}, "tag": "linux insane", "line": " Using SetUID Programs to write to disk"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Begin Recon (NMAP)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 4, "seconds": 19}, "tag": "", "line": " GoBuster HTTP + HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "", "line": " Accessing Pages "}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 7, "seconds": 5}, "tag": "", "line": " Using Hydra against HTTP + HTTPS Web Forms"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "", "line": " Logging into HTTP and hunting for vulns"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 0}, "tag": "", "line": " Second Hydra attempt against HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 57}, "tag": "", "line": " Logging into HTTPS (phpLiteAdmin)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 20, "seconds": 17}, "tag": "", "line": " Chaining Exploits to get Code Execution"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 26, "seconds": 38}, "tag": "", "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - 
Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " LinEnum.sh Script Review"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "", "line": " Watching for new Processes"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 37, "seconds": 0}, "tag": "", "line": " Found the error in script :)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 39, "seconds": 30}, "tag": "", "line": " Getting reverse root shell"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 41, "seconds": 51}, "tag": "", "line": " Intended Route to get User"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 46, "seconds": 12}, "tag": "", "line": " Reviewing Knockd configuration"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 49, "seconds": 33}, "tag": "", "line": " Doing the PortKnock"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " The STTY command I messed up was simply `stty rows ## cols ##`"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " Begin Recon with Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 3, "seconds": 15}, "tag": "", "line": " Examining findings from Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 6, "seconds": 50}, "tag": "", "line": " Decompiling java Jar Files with JAD"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 8, "seconds": 18}, "tag": "", "line": " Using JD-GUI"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 10, "seconds": 
33}, "tag": "", "line": " Running WPScan"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Manually enumerating wordpress users"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 43}, "tag": "", "line": " SSH To the box and PrivEsc"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " ------ Box Completed, Below extra content (Some mistakes, pretty much do this live without prep)"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Rabbit hole, gaining access through FTP"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 17, "seconds": 9}, "tag": "", "line": " Finding Wordpress DB Password"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 18, "seconds": 33}, "tag": "", "line": " Switching to WWW-DATA by using phpMyAdmin + Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 20, "seconds": 10}, "tag": "", "line": " Generating a PHP Password for Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 21, "seconds": 50}, "tag": "", "line": " Gaining code execution with Wordpress Admin access"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 25, "seconds": 40}, "tag": "", "line": " Shell as www-data"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 26, "seconds": 40}, "tag": "", "line": " Enumerating Kernel Exploits with Linux-Exploit-Suggester"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)"}, {"machine": 
"Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 17}, "tag": "", "line": " Why I like Tmux"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Creating Tmux Session"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " Bash: Ctrl + R - Recursive Search"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 2}, "tag": "", "line": " Tmux: Prefix Key (default Ctrl+B)"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 5}, "tag": "", "line": " Tmux: New Window - Prefix c"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 7}, "tag": "", "line": " Tmux: Switch Window - Prefix #"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 36}, "tag": "", "line": " My Tmux Config"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 50}, "tag": "", "line": " Demo of \"nested tmux\""}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 0}, "tag": "", "line": " Tmux: Rename Window - Prefix ,"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 20}, "tag": "", "line": " Tmux: Send/Join Pane Prefix [s|j]"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 8}, "tag": "", "line": " Tmux: Setting Search to Vi mode"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Tmux: Enter edit mode Ctrl+["}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 45}, "tag": "", "line": " 
Tmux: Showing off tmux Searching"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 3}, "tag": "", "line": " Tmux: Copy and pasting lots of text"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 27}, "tag": "", "line": " Tmux: Logging Plugin"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://github.com/tmux-plugins/tmux-logging"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 7, "seconds": 30}, "tag": "", "line": " Tmux: Splitting"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Tmux: Zooming - Prefix z"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Tmux: Moving Panes"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 20}, "tag": "", "line": " Bash: Cycle through past arguments Alt+."}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 50}, "tag": "", "line": " Bash: Moving cursor to begin, end or skipping words"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 10, "seconds": 45}, "tag": "", "line": " Tmux: Help Page Prefix ?"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Image in the intro is an XKCD comic if you didn't immediately recognize it as XKCD check out https://xkcd.com"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 24}, "tag": "", "line": " Recon with Sparta"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " 
Enumerating SSL Certificate "}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 3, "seconds": 55}, "tag": "", "line": " Manually View SSL Certificate"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "", "line": " VirtualHostRouting Explanation"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 7, "seconds": 42}, "tag": "", "line": " SQL Injection - Auth Bypass"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "", "line": " Dumping the Database with SQLMap"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 16, "seconds": 45}, "tag": "", "line": " Begin of Web Exploit (Regex //e)"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 23, "seconds": 0}, "tag": "", "line": " Getting a Shell"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 27, "seconds": 10}, "tag": "", "line": " Begin PrivEsc (CronJob)"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 1, "seconds": 26}, "tag": "", "line": " Enumeration Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 2, "seconds": 58}, "tag": "", "line": " WPScan Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 5, "seconds": 40}, "tag": "", "line": " Directory Scanning with GoBuster"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 10, "seconds": 54}, "tag": "", "line": " Examining WPScan Output"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 13, "seconds": 40}, "tag": "", "line": " Bruteforcing with WPScan"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 14, 
"seconds": 40}, "tag": "", "line": " Bruteforcing HTTP Post with Hydra"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 18, "seconds": 30}, "tag": "", "line": " Edit WP Theme to get Code Execution"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 22, "seconds": 9}, "tag": "", "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 26, "seconds": 25}, "tag": "", "line": " Privelege Escalation Word Writeable Passwd"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Articles Mentioned:"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " https://ictf.cs.ucsb.edu/pages/the-2016-2017-ictf-ddos.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/index.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 46}, "tag": "linux hard", "line": " NMAP Scan and Review"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 1, "seconds": 53}, "tag": "linux hard", "line": " GoBuster and identify User Agent based Routing"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 4, "seconds": 9}, "tag": "linux hard", "line": " SQLMap the Login"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "linux hard", "line": " Login to the page"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 55}, "tag": "linux hard", "line": " Begin of XSS"}, 
{"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 11, "seconds": 15}, "tag": "linux hard", "line": " Bypass first XSS Filter"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "linux hard", "line": " Encoded JS Payload - Getting XSS to call back to us"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 16, "seconds": 56}, "tag": "linux hard", "line": " Using Python to encode JS which will call back to us."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 24, "seconds": 25}, "tag": "linux hard", "line": " Executing the paylaod"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 25, "seconds": 6}, "tag": "linux hard", "line": " Stage 2 XSS Attack - XMLHttpRequest"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 31, "seconds": 30}, "tag": "linux hard", "line": " Troubleshooting, No code works the first time."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 36, "seconds": 0}, "tag": "linux hard", "line": " Stage 2 Fixed."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 40, "seconds": 57}, "tag": "linux hard", "line": " Initial access to /admin"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 42, "seconds": 0}, "tag": "linux hard", "line": " Finding Command Injection"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 43, "seconds": 40}, "tag": "linux hard", "line": " Explanation of IP \"Encoding\""}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Rev Shell obtained"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 49, 
"seconds": 30}, "tag": "linux hard", "line": " How I found out about the IP Encode Trick"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 51, "seconds": 40}, "tag": "linux hard", "line": " Begin of PrivEsc"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux hard", "line": " Creator: g0blin"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " If you're wondering how this could be an hour long video, over half the video is talking about IPv6."}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 44}, "tag": "", "line": " Recon + Web Enum"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 1, "seconds": 33}, "tag": "", "line": " SQL Injection"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 5, "seconds": 30}, "tag": "", "line": " Start of IPv6 Talk"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " What is an IPv6 IP Address?"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 11, "seconds": 27}, "tag": "", "line": " Types of IPv6 Addresses"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 14, "seconds": 6}, "tag": "", "line": " IPv6 Subnetting Explained"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " End of IPv6 Primer, Exploit time!"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 22, "seconds": 43}, "tag": "", "line": " Method 1: Getting MAC and calculating 
fe80"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Method 2: Enumerating Networks by pinging Multicast"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 33, "seconds": 56}, "tag": "", "line": " Extra: Getting Windows to respond from Multicast Ping"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 38, "seconds": 7}, "tag": "", "line": " Extra: NMAP Scanning ipv6 local networks"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 40, "seconds": 15}, "tag": "", "line": " Convert RPM to DEB (Needed for install nmap on tenten)"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "", "line": " Intended Solution: Getting IPv6 via SNMP"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 43, "seconds": 58}, "tag": "", "line": " No SNMP MIB Output"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 45, "seconds": 58}, "tag": "", "line": " Getting SNMP MIBS Installed and Configured"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 47, "seconds": 52}, "tag": "", "line": " Tool: Enyx - SNMPv6 Enumeration via Python"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 50, "seconds": 44}, "tag": "", "line": " Privesc Enumeration"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 52, "seconds": 49}, "tag": "", "line": " Buffer Overflow"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 1, "seconds": 30}, "tag": "linux hard", "line": " Rabbit Hole - Searching for SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 6, "seconds": 23}, "tag": "linux hard", 
"line": " Running enumeration in the background (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "linux hard", "line": " Rabbit Hole - SQLMap Blog SinglePost.php"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 4}, "tag": "linux hard", "line": " Finding PHP Files in /cmsdata/ (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 53}, "tag": "linux hard", "line": " Manual Identification of SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "linux hard", "line": " SQL Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 17, "seconds": 20}, "tag": "linux hard", "line": " Rabbit Hole - Starting SQLMap in the Background"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 18, "seconds": 10}, "tag": "linux hard", "line": " SQL Union Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 19, "seconds": 30}, "tag": "linux hard", "line": " Identifying \"Bad/Filtered Words\" in SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 2}, "tag": "linux hard", "line": " SQL Union Finding number of items returned"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 48}, "tag": "linux hard", "line": " Returning data from Union Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 22, "seconds": 48}, "tag": "linux hard", "line": " SQL Concat Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 23, "seconds": 55}, "tag": "linux hard", "line": " Enumerating SQL 
Databases Explanation (Information_Schema)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 25, "seconds": 46}, "tag": "linux hard", "line": " Returning Database, Table, Columns from Information_Schema"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 29, "seconds": 30}, "tag": "linux hard", "line": " Scripting to dump all columns"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 36, "seconds": 45}, "tag": "linux hard", "line": " Listing of columns in SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 37, "seconds": 15}, "tag": "linux hard", "line": " Dumping User Credentials"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 41, "seconds": 36}, "tag": "linux hard", "line": " Logging in and exploiting SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 47, "seconds": 0}, "tag": "linux hard", "line": " Return of reverse shell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 48, "seconds": 40}, "tag": "linux hard", "line": " Transfering small files from shell to my machine"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 50, "seconds": 56}, "tag": "linux hard", "line": " Using RsaCtfTool to decrypt contents with weak public key"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 52, "seconds": 52}, "tag": "linux hard", "line": " Breaking weak RSA manually"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 61, "seconds": 20}, "tag": "linux hard", "line": " Begin PrivEsc to Root"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 62, "seconds": 40}, "tag": "linux hard", "line": " Transering large files with NC"}, {"machine": "HackTheBox 
- Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 63, "seconds": 50}, "tag": "linux hard", "line": " Analyzing SuperShell with BinaryNinja (Paid)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 66, "seconds": 4}, "tag": "linux hard", "line": " Analyzing SuperShell with Radare2 (Free)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 68, "seconds": 22}, "tag": "linux hard", "line": " Exploiting SuperShell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 72, "seconds": 46}, "tag": "linux hard", "line": " Encore. Getting a Root Shell with SetUID Binary"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 1, "seconds": 38}, "tag": "windows easy", "line": " Go to HTTPFileServer"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 2, "seconds": 56}, "tag": "windows easy", "line": " Explanation of Vulnerability"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 4, "seconds": 49}, "tag": "windows easy", "line": " Testing the Exploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 6, "seconds": 25}, "tag": "windows easy", "line": " Getting rev tcp shell with Nishang"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 11, "seconds": 54}, "tag": "windows easy", "line": " Shell returned"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 13, "seconds": 15}, "tag": "windows easy", "line": " Finding exploits with Sherlock"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "windows easy", "line": " Using Empire Module without Empire for Privesc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 21, "seconds": 0}, "tag": 
"windows easy", "line": " Start of doing the box with Metasploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 22, "seconds": 36}, "tag": "windows easy", "line": " Reverse Shell Returned (x32)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 24, "seconds": 45}, "tag": "windows easy", "line": " MSF Error during PrivEsc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 25, "seconds": 35}, "tag": "windows easy", "line": " Reverse Shell Returned (x64)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 26, "seconds": 19}, "tag": "windows easy", "line": " Same PrivEsc as earlier, different result"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 28, "seconds": 47}, "tag": "windows easy", "line": " Examining how Rejetto MSF Module works with Burp"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Really wanted to show people this method of pivoting, but ran into issues last video. 
This video doesn't explain any exploits, just uses plink.exe to set up a tunnel which we can use as a gateway for Reverse_TCP Sessions."}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " If you wanted to see the explanations behind exploits check out the original video: https://www.youtube.com/watch?v=ZfPVGJGkORQ"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Apologies for any confusion/wasted time."}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " Heads up. The pivot idea, was a pretty big fail. Should of prep'd more but was short on time. Enjoy watching me struggle, if you wanted to see the pivot stuff working I uploaded an updated video here: https://youtu.be/HQkDL-xh7es"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "windows easy", "line": " Nmap Results (Discovery of WebDav)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 4, "seconds": 35}, "tag": "windows easy", "line": " DavTest"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 6, "seconds": 22}, "tag": "windows easy", "line": " HTTP PUT Upload Files"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 7, "seconds": 0}, "tag": "windows easy", "line": " MSFVenom Generate aspx payload"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 13, "seconds": 0}, "tag": "windows easy", "line": " User Shell Returned"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": 
{"minutes": 16, "seconds": 23}, "tag": "windows easy", "line": " Get Admin Shell (ms14-070)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 17, "seconds": 14}, "tag": "windows easy", "line": " Beginning of Pivot Fail. Socks Proxy"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 29, "seconds": 35}, "tag": "windows easy", "line": " Shell on Grandpa (CVE-2017-7269)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 32, "seconds": 45}, "tag": "windows easy", "line": " Using portfwd to access ports not exposed to routable interfaces"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 34, "seconds": 45}, "tag": "windows easy", "line": " Cracking LM Hash Explanation"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 38, "seconds": 30}, "tag": "windows easy", "line": " Cracking LM Hashes via Hashcat"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 41, "seconds": 30}, "tag": "windows easy", "line": " Grandpa acts cranky. Revert. "}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 42, "seconds": 30}, "tag": "windows easy", "line": " Expected behavior when exploiting via CVE-2017-7269. 
None of that auto system weirdness (45:20 gets admin)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 45, "seconds": 50}, "tag": "windows easy", "line": " Using Hashcat to crack NTLM using LM Hashes"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 48, "seconds": 50}, "tag": "windows easy", "line": " Finally log into SMB using the portfwd from 32:45"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 49, "seconds": 7}, "tag": "windows easy", "line": " Random pivot attempt failure."}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " OLEVBA - https://github.com/decalage2/oletools/wiki/olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 1, "seconds": 58}, "tag": "", "line": " Extract Macro with olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " ExifTool to examine Document Metadata (Comments used in Macro)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 3, "seconds": 48}, "tag": "", "line": " Examining Macro Code"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 4, "seconds": 21}, "tag": "", "line": " Using Python to explan Right(left))"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Opening ProcMon"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 7}, "tag": "", "line": " 
Why you should be careful when executing portions of \"bad code\""}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 55}, "tag": "", "line": " Viewing Macro's in Word and DeObfuscating by changing Shell to Print"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 12, "seconds": 17}, "tag": "", "line": " Start of Obfuscated Powershell (after de-base64)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 13, "seconds": 21}, "tag": "", "line": " Malicious Powershell Code "}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 15, "seconds": 15}, "tag": "", "line": " Upload to VirusTotal"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 16, "seconds": 51}, "tag": "", "line": " Looking at process explorer"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 20, "seconds": 21}, "tag": "", "line": " Looking at Wireshark"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 1, "seconds": 2}, "tag": "windows easy", "line": " Going over NMAP"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "windows easy", "line": " Anonymous FTP + File Upload"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "windows easy", "line": " MSFVenom "}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "windows easy", "line": " Metasploit"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 10, "seconds": 0}, 
"tag": "windows easy", "line": " Exploit Suggestor"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 11, "seconds": 30}, "tag": "windows easy", "line": " Getting Root"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Introduction"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 1, "seconds": 20}, "tag": "", "line": " Using CheckSEC to explain the binary protections that can be applied."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 2, "seconds": 45}, "tag": "", "line": " Running the binary to discover a segfault with long string of A's"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 4, "seconds": 10}, "tag": "", "line": " This is a 64 bit Binary so we overwrite RSP (Stack Pointer) not RIP (Instruction Pointer)"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 4, "seconds": 30}, "tag": "", "line": " Using Pattern Create to identify where we can overwrite RSP"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 5, "seconds": 15}, "tag": "", "line": " Using PwnTools to create a skeleton exploit"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 7, "seconds": 20}, "tag": "", "line": " Using objdump to dump the PLT (Procedural Link Address) and GOT (Global Offset Table) Address for PUTS so we can use ROP to write to the screen"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 9, "seconds": 0}, "tag": "", "line": " Using R2 (radare) to find the location to a pop rdi function"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Building the gadget chain to 
print the location of PUTS"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 12, "seconds": 20}, "tag": "", "line": " Packing the addresses in our exploit with p64(), then showing the leaked address"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 14, "seconds": 0}, "tag": "", "line": " Storing the leaked address as a variable so we can convert it to hex"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 15, "seconds": 50}, "tag": "", "line": " Memory address retrieved! It changes every time the program loads, so adding a ROP back to MAIN"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 18, "seconds": 50}, "tag": "", "line": " Looking for a SYSTEM() Address with ReadElf"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Using strings to find the location of \"/bin/sh\" within libc"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 19, "seconds": 55}, "tag": "", "line": " Using the leaked addresses to find where libc is loaded"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 24, "seconds": 50}, "tag": "", "line": " Fixing up some memory addresses then getting a shell!"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 25, "seconds": 10}, "tag": "", "line": " Using Pwntools to the max! 
Having it automate a lot of stuff."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 25, "seconds": 50}, "tag": "", "line": " Mapping the ELF + LIBC within PwnTools"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 26, "seconds": 45}, "tag": "", "line": " Using PwnTools to build the ROP Chain to leak PUTS"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 28, "seconds": 15}, "tag": "", "line": " Using PwnTools to rebase LibC From our memory leak"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 29, "seconds": 0}, "tag": "", "line": " Using PwnTools to pull the SYSTEM and /bin/sh information from LibC"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 30, "seconds": 30}, "tag": "", "line": " Debugging some errors then getting a shell!"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Bitterman: https://github.com/ctfs/write-ups-2015/blob/master/camp-ctf-2015/pwn/bitterman-300/bitterman?raw=true"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Good Links."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Great Writeup to similar CTF Challenge: https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Basic Web 
Page Discovery"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 3, "seconds": 30}, "tag": "", "line": " Examining Cookies - Pt1 (Burp Sequencer)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 5, "seconds": 5}, "tag": "", "line": " Fuzzing Usernames (2nd Order SQL Injection)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 15}, "tag": "", "line": " Examining Cookies - Pt2"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 40}, "tag": "", "line": " Cookie Bitflip"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 12, "seconds": 45}, "tag": "", "line": " Oracle Padding Attack - Pt1"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 15, "seconds": 30}, "tag": "", "line": " Rooting the Box"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 22, "seconds": 50}, "tag": "", "line": " Oracle Padding Attack - Pt2"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 1, "seconds": 45}, "tag": "", "line": " GoBuster"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 4, "seconds": 40}, "tag": "", "line": " Exploiting exposed.php"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 11, "seconds": 40}, "tag": "", "line": " Getting Shell"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 20, "seconds": 9}, "tag": "", "line": " Screen Privesc"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 0, "seconds": 27}, "tag": "", "line": " Port Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 2, "seconds": 54}, "tag": "", "line": " UDP Port Review"}, {"machine": "HackTheBox 
- Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "", "line": " TFTP Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 6, "seconds": 30}, "tag": "", "line": " Cracking Squid PW"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 8, "seconds": 0}, "tag": "", "line": " FoxyProxy Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 9, "seconds": 45}, "tag": "", "line": " Burp Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Running Commands"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 21, "seconds": 20}, "tag": "", "line": " Reverse Shell"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 22, "seconds": 30}, "tag": "", "line": " PrivEsc to Alekos #1"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 28, "seconds": 0}, "tag": "", "line": " PrivEsc to Alekos #2"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 37}, "tag": "", "line": " Root #1 (SymLink)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 48}, "tag": "", "line": " Root #2 (Tar Checkpoint)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 44, "seconds": 45}, "tag": "", "line": " Root #3 (Remove Development)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 0, "seconds": 39}, "tag": "", "line": " Nmap Results"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 1, "seconds": 15}, "tag": "", "line": " DNS Enumeration"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 4, "seconds": 8}, "tag": "", "line": 
" HTTP VirtualHost Routing"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 5, "seconds": 28}, "tag": "", "line": " DirSearch (Web Enumeration) "}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 8, "seconds": 50}, "tag": "", "line": " HTTP Redirect Vulnerability"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 13, "seconds": 23}, "tag": "", "line": " PW in Balance-Transfer"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 18, "seconds": 0}, "tag": "", "line": " File Upload, WebShell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 21, "seconds": 48}, "tag": "", "line": " First Shell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 30, "seconds": 10}, "tag": "", "line": " First Privesc Method (SUID)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 31, "seconds": 38}, "tag": "", "line": " Second Privesc Method (passwd)"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " Sherlock was fixed, should no longer report the false negative https://github.com/rasta-mouse/Sherlock/commit/ceb49f5b54be54effbada47fa3198abf744af390"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows medium", "line": " If you wanted to do this with MSF -- Watch the Arctic Video and use the exploit shown in the video. If it doesn't work, try changing the payload with the exploit and ensure you're a 64 bit process."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Watch me fail my way to victory as I exploit beep 4 different ways. 
Next time I try to exploit something multiple ways, I'll probably split it up in multiple videos."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 1, "seconds": 35}, "tag": "", "line": " Method 1: LFI + Password"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 16, "seconds": 3}, "tag": "", "line": " Method 2: Turning LFI into RCE"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 37, "seconds": 46}, "tag": "", "line": " Method 3: Code exec via call"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 54, "seconds": 0}, "tag": "", "line": " Method 4: Shellshock"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 20}, "tag": "linux insane", "line": " Recon"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 3, "seconds": 40}, "tag": "linux insane", "line": " Start of WP Hacking"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 10, "seconds": 30}, "tag": "linux insane", "line": " Logged into WP"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 15, "seconds": 0}, "tag": "linux insane", "line": " Login to SuperSecretForum"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 25, "seconds": 0}, "tag": "linux insane", "line": " Cracking the SSH Key"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 27, "seconds": 15}, "tag": "linux insane", "line": " Begin of getting root.txt (RSA Cracking)"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "linux insane", "line": " http://rumkin.com/tools/cipher/ -- Site used to during the SecretForum stuff."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", 
"timestamp": {"minutes": 0, "seconds": 0}, "tag": "windows easy", "line": " Intro"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 12}, "tag": "windows easy", "line": " Enumerate with nmap"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 40}, "tag": "windows easy", "line": " Going to the webpage"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 1, "seconds": 50}, "tag": "windows easy", "line": " Using SearchSploit to find ColdFusion Exploits"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "windows easy", "line": " Attempt to exploit through MSF. Debug why it failed."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 3, "seconds": 50}, "tag": "windows easy", "line": " Setting up a Burp Redirect listener"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 4, "seconds": 55}, "tag": "windows easy", "line": " Examining request send by MSF Exploit"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 6, "seconds": 35}, "tag": "windows easy", "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 7, "seconds": 50}, "tag": "windows easy", "line": " Using Unicorn to create a Powershell Meterpreter Loa"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "windows easy", "line": " der"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 11, "seconds": 35}, "tag": "windows easy", "line": " Reverseshell returned"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "windows easy", "line": " Using the MSF post module 
local_exploit_suggestor"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 15, "seconds": 29}, "tag": "windows easy", "line": " Privesc via MS10-092"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Twitter @ippSec"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Low Priv: Default Account + File Upload"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " PrivEsc: Return to LibC + ASLR Bruteforce"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 45}, "tag": "", "line": " Pulling up Web Page."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 1, "seconds": 10}, "tag": "", "line": " Searchsploit"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " Enumerating Version (Download Versions, Hash Static Files)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 8, "seconds": 20}, "tag": "", "line": " Default cred /backend -- Upload Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 9, "seconds": 51}, "tag": "", "line": " User Reverse Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 12, "seconds": 10}, "tag": "", "line": " Transfering file over nc"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 14, "seconds": 45}, "tag": "", "line": " Begin \"fuzzing\" Binary"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 16, "seconds": 15}, "tag": "", "line": " GDB Analysis"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", 
"timestamp": {"minutes": 18, "seconds": 46}, "tag": "", "line": " Get a full reverse shell with tab autocomplete."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 19, "seconds": 0}, "tag": "", "line": " Showing ASLR changing address "}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 20, "seconds": 20}, "tag": "", "line": " Disable ASLR on Exploit Dev Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 21, "seconds": 15}, "tag": "", "line": " Start of exploit development for ovrflw binary (Pattner_Create)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 27, "seconds": 27}, "tag": "", "line": " Start of Return to LibC attack - Getting Addresses"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 37, "seconds": 20}, "tag": "", "line": " Grabbing memory locations off October Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 41, "seconds": 0}, "tag": "", "line": " Convert script to Bruteforce ASLR"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 0}, "tag": "", "line": " Intro"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 25}, "tag": "", "line": " TMUX and Connecting to HTB"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 0}, "tag": "", "line": " Virtual Host Routing Explanation"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 40}, "tag": "", "line": " File Enumeration (Dirb)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 3, "seconds": 59}, "tag": "", "line": " Discover of Web App"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": 
{"minutes": 5, "seconds": 45}, "tag": "", "line": " Starting SQLMap in the Background"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 9, "seconds": 30}, "tag": "", "line": " Uploading a PHP Shell"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 14, "seconds": 1}, "tag": "", "line": " Python PTY Reverse Shell (Tab Autocomplete!)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 19, "seconds": 25}, "tag": "", "line": " MOTD Root (Method 1)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 23, "seconds": 50}, "tag": "", "line": " Dirtyc0w Root (Method 2)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Twitter: @ippSec"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Low Priv - File Upload (Torrent image)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Roots: MOTD/PAM exploit and DirtC0w"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Stuff about phpinfo(): https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Python PTY Shells: https://github.com/infodox/python-pty-shells"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/tokens/"}, {"machine": "HHC2016 - Getting Coins", 
"videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Note: Video may contain slight errors, most notably in this video is using \"function\" and \"variable\" interchangeably."}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#analytics"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Note: Video may contain slight errors, most notably in this video is mistakenly saying \"Hash\" instead of \"Encrypt\" (ex: @5 minutes). "}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " A full text writeup can be found at:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#exception"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#debug"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#ad"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": 
{"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up Link:"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-3/"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " Write Up:"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "tag": "", "line": " https://ippsec.github.io/holidayhack2016/part-4/#dungeon"}]