dataset.json
[{"machine": "Academy: Learning Process", "academy": "9", "line": "Free HackTheBox Course on getting into the right mindset to learn.\n"}, {"machine": "Academy: Intro to Academy", "academy": "15", "line": "Free HackTheBox Course on using the Academy Platform\n"}, {"machine": "Academy: Hacking Wordpress", "academy": "17", "line": "HackTheBox Course on Hacking Wordpress. This cost 100 cubes, which is ~$10\n"}, {"machine": "Academy: Network Enumeration with Nmap", "academy": "19", "line": "HackTheBox Course on using NMAP to its fullest. This cost 50 cubes, which is ~$5\n"}, {"machine": "Academy: Cracking Passwords with Hashcat", "academy": "20", "line": "HackTheBox Course on using Hashcat to its fullest. This cost 100 cubes, which is ~$10\n"}, {"machine": "Academy: Active Directory LDAP", "academy": "22", "line": "HackTheBox Course on Enumerating Active Directory over LDAP. This cost 1000 cubes, which is ~$100\n"}, {"machine": "Academy: File Inclusion / Directory Traversal", "academy": "23", "line": "Free HackTheBox Course on performing Directory Traversal and File Inclusion attacks\n"}, {"machine": "Academy: Web Requests", "academy": "35", "line": "Free HackTheBox Course about HTTP or Web Requests\n"}, {"machine": "Academy: Secure Coding 101: Javascript", "academy": "38", "line": "HackTheBox Course on Javascript Coding. This cost 1000 cubes, which is ~$100\n"}, {"machine": "Academy: Javascript Deobfuscation", "academy": "41", "line": "Free HackTheBox Course on Deobfuscating Javascript\n"}, {"machine": "Academy: Whitebox Pentesting 101: Command Injection", "academy": "48", "line": "HackTheBox Course on Command Injection Vulnerabilities. This cost 500 cubes, which is ~$50\n"}, {"machine": "Academy: Windows Fundamentals", "academy": "49", "line": "Free HackTheBox Introductory Course on Windows\n"}, {"machine": "Academy: Linux Privilege Escalation", "academy": "51", "line": "HackTheBox Course on Linux Privilege Escalation. 
This cost 500 cubes, which is ~$50\n"}, {"machine": "Academy: Attacking Web Applications with FFUF", "academy": "54", "line": "Free HackTheBox Course on using FFUF\n"}, {"machine": "Academy: Login Brute Forcing", "academy": "57", "line": "Free HackTheBox course on bruteforcing common logins\n"}, {"machine": "Academy: Active Directory PowerView", "academy": "68", "line": "HackTheBox course on Active Directory Enumeration and Exploitation with PowerView. This cost 1000 cubes, which is $100\n"}, {"machine": "Academy: Active Directory BloodHound", "academy": "69", "line": "HackTheBox Course on using Bloodhound, including writing cypher queries for custom graphs! This cost 500 cubes, which is $50\n"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 0, "seconds": 57}, "line": " Start of nmap discovering the HTTP Site bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Poking at the website, using the developer console to discover s3.bucket.htb"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Using curl to view HTTP Headers and discovering amazon"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Oh god... I forgot to edit the URL in this gobuster! 
Actually created a feature request in GoBuster to fix this mistake from happening."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Installing AWS CLI"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Using the aws to connect to a custom endpoint, then configure credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Exploring the S3 Bucket "}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 9, "seconds": 25}, "line": " Using S3 to add a reverse shell to the website"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Reverse Shell returned, spending some time to start taking notes."}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 16, "seconds": 30}, "line": " End of notes, poking around on the terminal to find"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Discovering some weird ports, checking the apache configuration to see if they are related"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 20, "seconds": 55}, "line": " The Apache mpm_itk_module specifies the site is running as root and not www-data"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Poking at DynamoDB to get user credentials"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 26, "seconds": 10}, "line": " Doing some jq fu to get exactly the information we want and building a username/password list"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Explaining extended 
file attributes and using getfacl to see Roy can access bucket-app"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Exploring the bucket-app to see it pull information from DynamoDB to build PDF's"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 35, "seconds": 5}, "line": " Using Flameshot to explain exactly what is happening in the code"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 40, "seconds": 0}, "line": " Looking at pd4ml (library used to make PDF) to see we can attach a file"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 41, "seconds": 45}, "line": " Doing a port forward to forward port 8000 back to our box"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 43, "seconds": 0}, "line": " Creating the alerts table in DynamoDB"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 45, "seconds": 50}, "line": " Creating the JSON Document we want to insert into the alert table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 48, "seconds": 10}, "line": " Using AWS dynamodb --put-item to put the document into the table"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 49, "seconds": 50}, "line": " Creating the PDF and pulling /etc/passwd from the server"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 52, "seconds": 0}, "line": " Because this is java if we fopen a directory, we get a listing, discovering .ssh"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 53, "seconds": 0}, "line": " Pulling the SSH Key"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 54, "seconds": 22}, "line": " Exploring our notes to 
see what else we wanted to do"}, {"machine": "HackTheBox - Bucket", "videoId": "SgWhuTxm2oY", "timestamp": {"minutes": 56, "seconds": 20}, "line": " Showing off the timeline plugin in obsidian"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of nmap, looking at SSL Certificates to get a hostname"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 2, "seconds": 20}, "line": " Examining the website"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Getting git.Laboratory.htb out of the certificate and checking that host"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 6, "seconds": 10}, "line": " Registering for a GitLab Account then poking at gitlab"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Getting the GitLab Version and finding a Vulnerability"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Creating two issues, so we can perform the LFI"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 11, "seconds": 45}, "line": " Using the LFI to extract the application secret then b"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 15, "seconds": 55}, "line": " Installing a vulnerable gitlab docker so we can build our serialized payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Starting the docker container, then executing bash inside of it"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 17, "seconds": 55}, "line": " Changing the docker secret to the one of Laboratory"}, {"machine": 
"HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 18, "seconds": 25}, "line": " Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 19, "seconds": 20}, "line": " Creating the serialization payload"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 22, "seconds": 10}, "line": " Reverse shell as git returned. Discovering we are inside of docker"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Running the automated docker script DeepCe "}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 24, "seconds": 50}, "line": " Playing with the gitlab console to turn our user into an admin"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Sorry for the abrupt cut, phone went off and edited that out poorly."}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 27, "seconds": 15}, "line": " Viewing projects on gitlab as admin to find an SSH Key"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 31, "seconds": 20}, "line": " Shell as dexter, running LinPEAS"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 5}, "line": " SetUID Binary docker-security found, searching for strings then running ltrace"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 34, "seconds": 50}, "line": " ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell"}, {"machine": "HackTheBox - Laboratory", "videoId": "ozmHeApuSj8", "timestamp": {"minutes": 36, "seconds": 50}, "line": " Going over 
notes"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 1, "seconds": 42}, "line": " Start of nmap and poking at the webserver"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Looking into MSRPC, showing MSF info overflow which is why I had historically ignored it"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 14, "seconds": 10}, "line": " Poking at RPC with Impacket's RPCMap"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Converting a RPC Script to get IPv6 address from Python2 to Python3"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 20, "seconds": 15}, "line": " Using nmap to scan the IPv6 Address"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Showing how I would enumerate a Firewall, nothing works here but something I do."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Finding SMB accepts anonymous users and contains an Active Directory Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 32, "seconds": 45}, "line": " Using Impacket's SecretsDump to extract the NTDS.DIT with password last set, user status, and history"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 41, "seconds": 15}, "line": " Using KerBrute to enumerate valid users on the box based upon the AD Backup"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 49, "seconds": 15}, "line": " Using PyKerbrute to bruteforce Henry.Vinson's account"}, {"machine": "HackTheBox - APT", "videoId": 
"eRnqtXwCZVs", "timestamp": {"minutes": 64, "seconds": 0}, "line": " Using Socat + CrackMapExec to enumerate IPv6 (if i updated CME, it would be able to do IPv6)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 68, "seconds": 0}, "line": " Using Impacket's reg.py to query Windows Registry remotely from linux"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 77, "seconds": 30}, "line": " Using Evil-WINRM to run WinPEAS/Seatbelt and bypass AMSI"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 86, "seconds": 0}, "line": " Some good information talking about LmCompatibilityLevel and NetNTLMv1"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 89, "seconds": 15}, "line": " Unintended method. Using Defender to make a SMB Request then decrypting the NetNTLM-v1 hash"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 90, "seconds": 50}, "line": " Editing responder to use a pre-set challenge (1122334455667788 used by Crack.SH)"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 95, "seconds": 30}, "line": " Modifying RoguePotato to allow for IPv6"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 101, "seconds": 15}, "line": " RoguePotato flagged by defender... 
Some weird AV Bypass..."}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 108, "seconds": 30}, "line": " Showing the Compiler flags will make RoguePotato undetectable by defender"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 118, "seconds": 5}, "line": " RoguePotato working, lets start modifying impacket to allow us to stand up an RPC Server"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 141, "seconds": 3}, "line": " Start debugging our impacket studd with pdb set_trace"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 150, "seconds": 0}, "line": " Got the NetNTLM v1 hash from Rogue Potato"}, {"machine": "HackTheBox - APT", "videoId": "eRnqtXwCZVs", "timestamp": {"minutes": 159, "seconds": 50}, "line": " Cleaning up notes"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of nmap"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Poking at the website"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Finding a way to generate error messages"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 6, "seconds": 45}, "line": " Researching the error message"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Throwing a random exploit from the internet and getting a new error"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 11, "seconds": 40}, "line": " Trying another exploit but this one will make a HTTP Request back to our server"}, {"machine": "HackTheBox - Time", 
"videoId": "JfonPpbX-oI", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Testing RCE with this exploit with a simple ping"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 15, "seconds": 50}, "line": " RCE Confirmed switching to a reverse shell"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 18, "seconds": 4}, "line": " Running LinPEAS"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 22, "seconds": 40}, "line": " Exploring the custom System Backup Timer Service"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Editing the Timer Backup Shell Script to get Root"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 26, "seconds": 25}, "line": " Extra Content - Explaining some forensics with time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 29, "seconds": 20}, "line": " Writing a quick script to search our path for files with full time stamps"}, {"machine": "HackTheBox - Time", "videoId": "JfonPpbX-oI", "timestamp": {"minutes": 31, "seconds": 25}, "line": " Cleaning up our notes."}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Introduction"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Starting nmap, using min-rate to speed up things and explaining why I don't normally show this"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Doing basic recon on /, noticing authentication isn't required everywhere find robots.txt"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 7, "seconds": 5}, "line": " Taking a look at port 9001, searching for default credentials"}, 
{"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 13, "seconds": 10}, "line": " Once logged into Supervisord, we can examine processes see HTTP is using LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Using FFUF to fuzz the /weather/ endpoint based upon the Supervisord and robots.txt "}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Using FFUF to fuzz the city parameter of /weather/forecast for special characters"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Confirmed injection, failing to get it to work"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 24, "seconds": 45}, "line": " Going back to FFUF to fuzz for another character after the single quote. We can now inject into the LUA"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Reverse shell returned, attempt to crack the hash on my VM and crash my VM... 
Reboot use John to crack it"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 38, "seconds": 0}, "line": " Using the webapi_user in order to access the webserver"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 42, "seconds": 40}, "line": " Looking into the arguments for HTTP Running on port 3001, since we can hit that directly from our reverse shell"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 49, "seconds": 45}, "line": " Looks like nginx supports going into home directories, looking at r.michaels to get his ssh key"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 53, "seconds": 10}, "line": " Looks like r.michaels has some PGP Keys associated with his account, finding a tar backup and decrypting"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 0}, "line": " The encrypted tar had a different password for webapi_user, decrypting it and using doas to get root"}, {"machine": "HackTheBox - Luanne", "videoId": "-KxvC3NY0Wo", "timestamp": {"minutes": 57, "seconds": 50}, "line": " Box done, cleaning up notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 1, "seconds": 8}, "line": " Installing Obsidian which lets us take notes in Markdown format"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 3, "seconds": 10}, "line": " Running nmap to see FTP over SSL and it has certificates"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Using openssl to grab the SSL Certificate from FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 6, "seconds": 
50}, "line": " Going over the web page extracting emails, people, and user input locations"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Installing flameshot, which helps us take better screenshots"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Testing each contact form with XSS Cross Site Scripting"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 19, "seconds": 10}, "line": " XSS in blog-single.php Triggers an security error saying admins will be looking over our request, attempt to attack admins"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 23, "seconds": 10}, "line": " Putting XSS Payloads in the User Agent"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 25, "seconds": 25}, "line": " XSS Attempting to steal cookies with a basic payload, failing here. 
Document.location is lazy, should do document.write to write an image so the user is not redirected."}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Using ffuf to bruteforce domains via the CORS Origin header to discover FTP"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 33, "seconds": 35}, "line": " XSS Using XMLHttpRequest to use the victims browser like a proxy and return web pages to us"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 38, "seconds": 20}, "line": " XSS Using XMLHttpRequest to grab a CSRF Token then send a post request to create a user"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 46, "seconds": 50}, "line": " Using lftp to login to the ftp and upload a webshell to development-test"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 57, "seconds": 50}, "line": " Shell returned as www-data, finding a Hank's password in /etc/ansible/playbooks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 76, "seconds": 5}, "line": " SSH as hank and examine the send_updates.php file to find command injection "}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 84, "seconds": 40}, "line": " Finding credentials for ftpadm which lets us create a file to trigger the command injection"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 93, "seconds": 40}, "line": " SSH as Isaac and doing some basic enumeration, explaining why we can't see processes from other users hidepid is set on /proc"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 95, "seconds": 50}, "line": " Using find to do a bunch of IR to find what is unique about hank"}, {"machine": "HackTheBox - Crossfit", 
"videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 97, "seconds": 50}, "line": " Using find to look for files modified between two dates and dbmsg stands out"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 102, "seconds": 10}, "line": " The dbmsg stands out due to its timestamp having nanoseconds, it is the only file like this in /usr/bin"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 111, "seconds": 0}, "line": " Going over DBMSG in Ghidra, explaining the SRAND setting seed to current time"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 116, "seconds": 15}, "line": " Attempting to name variables based upon what we think they are"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 123, "seconds": 0}, "line": " Attempting to explain how we are going to get code execution through symlinks"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 127, "seconds": 50}, "line": " Creating a C Program to set the seed to be the next minute + 1 second and call RAND()"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 133, "seconds": 40}, "line": " Incorrectly putting data into database in order to trigger the file write exploit"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 141, "seconds": 40}, "line": " Changing up how we put things into the database and hoping we write the key correctly"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 147, "seconds": 45}, "line": " Explaining why we broke the ssh key up into multiple variabes. 
The fputsc(0x20) is the spaces"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 148, "seconds": 50}, "line": " Cleaning up our notes"}, {"machine": "HackTheBox - Crossfit", "videoId": "Z3Lj_YN0crc", "timestamp": {"minutes": 163, "seconds": 10}, "line": " using cat to combine all pages into one, then exporting to PDF"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Start of NMAP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Gobuster using a case insensitive wordlist because windows"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Checking out the application on port 8080, wallstant"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 10, "seconds": 30}, "line": " OWA Discovering the Exchange version based upon login interface"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 12, "seconds": 0}, "line": " OWA How the \"User Enumeration\" of Exchange may work... 
It's time based "}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 14, "seconds": 20}, "line": " Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Using Wallstant to build a username list to perform password spray"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 24, "seconds": 15}, "line": " Using Username Anarchy to take our list of names and build a wordlist of usernames"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 32, "seconds": 0}, "line": " For some reason when using Metasploit's OWA Password Spray, OWA_2010 is broken... but settiing it to OWA_2013 works."}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Showing SprayingToolkit to bruteforce OWA without metasploit"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 39, "seconds": 10}, "line": " Sending an email address to all users and seeing if anyone clicks the link"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 41, "seconds": 40}, "line": " Using Responder to attempt to force the user's computer to give up an NTLMv2 Hash over HTTP"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Cracking the NTLMv2 Hash of k.svensson"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 49, "seconds": 50}, "line": " Failing to use Evil-WinRM to access the box, switching to powershell on linux"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 54, "seconds": 10}, "line": " Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out we are in 
constrainedlanguage mode"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 56, "seconds": 20}, "line": " Breaking out of ConstrainedLanguage Mode by creating a function"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 64, "seconds": 20}, "line": " Finding a link to StickyNotes on the desktop"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 66, "seconds": 50}, "line": " Doing a hex dump of the stickynote log to see there is a password written"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 68, "seconds": 30}, "line": " Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 71, "seconds": 50}, "line": " Using an LFI Vulnerability in the function JEA can do in order to access any file"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 73, "seconds": 30}, "line": " Using the LFI to get root.txt"}, {"machine": "HackTheBox - Reel2", "videoId": "Ro2vXt_WFDQ", "timestamp": {"minutes": 74, "seconds": 30}, "line": " Box is done.. 
Trying to dump the proces and flailing, never get it working but figured people may still enjoy it."}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Start of nmap"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 2, "seconds": 10}, "line": " Identifying this is likely Ubuntu Xenial"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Attempting basic SQL Map"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Failing to find a way to enumerate CuteNews version"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 6, "seconds": 55}, "line": " Looking over an exploit script from SearchSploit"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 8, "seconds": 15}, "line": " Finding there is a page that exposes a bunch of user hashes... 
wat?"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 10, "seconds": 20}, "line": " Copying a bunch of PHP Blobs, then using grep to only show us the hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 11, "seconds": 50}, "line": " Going back to looking over the exploit script"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Sent the exploit script through burpsuite and looking at each request"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 15, "seconds": 45}, "line": " Getting a reverse shell and fixing our TTY"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Searching CuteNews PHP Files for passwords"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 35}, "line": " Decoding the php files within the users directory to get password hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Writing a nasty bash one liner to go over all the files and output the base64, then use grep to only show what we want to get hashes"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Using Hash Identifier to get an idea what the hash is, then using CrackStation to quickly crack"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 26, "seconds": 15}, "line": " The Cred we decrypted was for John, using SU to switch to the john user"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Oddly enough the SSH Public key in John's directory wasn't generated by him... 
Validating that is the public key to the private key"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Using Nadav's key to SSH into the box"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 31, "seconds": 48}, "line": " Exploring VIMINFO to see some forensics on what this user has done"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 34, "seconds": 14}, "line": " Looking for USBCreator Privesc's"}, {"machine": "HackTheBox - Passage", "videoId": "kbw4_4jUP_U", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Running the GDBus command to copy files and get root."}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Start of nmap"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Adding academy to our host file, then taking a look at the web page"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Discovering a weird port (33060), attempting to enumerate it manually"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Discovering admin.php from our gobuster results"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 14, "seconds": 20}, "line": " Playing with having spaces in usernames, then seeing roleid in the parameter"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Creating and logging in with an admin to see a new vhost"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 18, 
"seconds": 0}, "line": " Looking for Laravel Exploits, finding a metasploit module"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Getting the APP_KEY from the laravel error page, which is needed for exploitation"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Using metasploit to exploit Laravel and send the requests through burpsuite so we can analyze the exploit"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Analyzing the exploit, going to CyberChef to decrypt the payload"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 31, "seconds": 50}, "line": " Looking at .env files to get passwords, then failing at logging into the database"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Creating a list of users on the box"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 36, "seconds": 10}, "line": " Running crackmapexec with users and the password we found"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 38, "seconds": 45}, "line": " Running LinPEAS"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 43, "seconds": 40}, "line": " We are in the ADM Group so taking a look at /var/log"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 48, "seconds": 50}, "line": " Looking at AuditD logs, then running aureport to get more details"}, {"machine": "HackTheBox - Academy", "videoId": "yQl5RA6APyQ", "timestamp": {"minutes": 54, "seconds": 30}, "line": " Finding 
mrb3n can run sudo, then doing a simple GTFOBin with composer to get root"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of nmap digging into Version numbers of applications"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Finding Tomcat is an old version"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Checking out the web page "}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 7, "seconds": 45}, "line": " Playing with the file upload, uploading an EICAR to test virus scanning"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Finding if we put a directory or nothing for filename we get an error message"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Looking at Tomcat exploits to see that we may be able to perform a deserialization attack by uploading a serialized object"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Using ysoserial to generate a CommonsCollection payload"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Showing a trick to copy binary content into BurpSuite"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Testing RCE by making the application ping us"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Failing to get a reverse shell, going through a lot of issues, attempting 
to encode our command to avoid bad characters"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 29, "seconds": 20}, "line": " Attempting to use a different one-liner to get a shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Giving up using one liners, sometimes two payloads are better than one. Downloading a script and then executing it."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Discovering Docker is running on this box"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 40, "seconds": 35}, "line": " Finding out SALT is running on this box, which did have an unauth RCE recently (Salt Stack)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 44, "seconds": 40}, "line": " Running chisel to forward SALT Ports which are listening on localhost (firewall bypass)"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 50, "seconds": 20}, "line": " Downloading a different exploit as the one we had doesn't seem to be working"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 53, "seconds": 0}, "line": " Getting a reverse shell with the SALTSTACK exploit and using script to log all the output of our reverse shell"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Reverse shell returned and we are in a Docker Container. 
This is weird."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 57, "seconds": 55}, "line": " Running LinPEAS and discovering it has docker.sock exposed in it, along with .bash_history works."}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 58, "seconds": 50}, "line": " Exploring the Docker Web API, which we can access through the exposed docker socket"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 63, "seconds": 25}, "line": " Doing some redirection magic to allow the Web API Request to be sent to our box which automatically does JQ to prettify it"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 65, "seconds": 50}, "line": " Creating a JSON File which we will use in our HTTP Request to create a new docker container"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 67, "seconds": 30}, "line": " Using CURL To make the request and send our JSON File"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 68, "seconds": 45}, "line": " Fixing up our terminal with the STTY command as our line wrapping is behaving oddly"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 72, "seconds": 0}, "line": " Having trouble running the CMD, changing it up the command"}, {"machine": "HackTheBox - Feline", "videoId": "2QdK7tQUFac", "timestamp": {"minutes": 79, "seconds": 15}, "line": " Finally getting the command right and getting a reverse shell"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Introduction"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 0, "seconds": 54}, "line": " Start of nmap, going into why it needs sudo"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 
4, "seconds": 15}, "line": " Checking Phusion Passenger version"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Downloading the source code from port 8000 (GitWeb)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Using Brakeman to analyze the source code to the RAILS App"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 9, "seconds": 15}, "line": " Checking Rails release date to see it is old"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Researching CVE-2020-8165 and checking if our application is vulnerable"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Performing the CVE-2020-8165 serialization exploit"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Fixing my APT from expired: signature could not be verified because public key is not available NO_PUBKEY"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Installing RAILS Then building our deserialization"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 31, "seconds": 0}, "line": " LinPEAS showed some password hashes, lets check out those files to see if there was more passwords"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 33, "seconds": 15}, "line": " Cracking the passwords, then finding sudo requires a 2FA Password"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 35, "seconds": 45}, "line": " Finding 
.google_authenticator"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Installing oathtool"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 42, "seconds": 50}, "line": " Using OathTool to read out google_auth file to generate the One Time Password (OTP)"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 44, "seconds": 30}, "line": " Switching to TOTP Mode, then lots of issues because of AM/PM"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 51, "seconds": 51}, "line": " Changing the timezone of our box to Europe/London to get away from conversions"}, {"machine": "HackTheBox - Jewel", "videoId": "OO9by3_Zmpk", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Our date went up an entire day! Fixing the day then getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 0, "seconds": 57}, "line": " Start of Nmap"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 1, "seconds": 40}, "line": " Poking at the website and doing Gobuster/SQLMap In the BG"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Registering an account and enumerating the new features, looking for XSS"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Testing if the box will click links, discovering Curl reaches back to us"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 11, "seconds": 20}, "line": " Finding command injection in the URL, finding a way to execute commands with spaces"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", 
"timestamp": {"minutes": 13, "seconds": 37}, "line": " Brace expansion isn't working, but IFS allows us bypass space being a bad character"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Trying to get a reverse shell but failing due to bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 18, "seconds": 47}, "line": " Using Curl to download a rev shell script and then execute it in order to avoid bad characters"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Transfering site.db to our box, so we can view the contents and attemp to crack the admins password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 29, "seconds": 40}, "line": " Finding out we are part of the ADM Group and can read logs! Log contains a password"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 33, "seconds": 50}, "line": " Checking the Splunk Version and looking for exploits"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 34, "seconds": 55}, "line": " Didn't see anything in SearchSploit googling for an exploit then getting root"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 38, "seconds": 22}, "line": " Unintended: Exploring the SSTI Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 39, "seconds": 45}, "line": " Using Basic SSTI to identify what framework the website is using"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 42, "seconds": 20}, "line": " Creating an SSTI Jinja2 Reverse Shell payload and getting a shell"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Exploring the CURL 
Vulnerability"}, {"machine": "HackTheBox - Doctor", "videoId": "JcOR9krOPFY", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Deep dive into the SSTI Vulnerability and patching it"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Start of nmap"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Checking out the open SVN Port"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 3, "seconds": 45}, "line": " Adding the discovered domains to /etc/hosts and checking out the websites"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Some grep magic to show only what we want, which is URLS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 9, "seconds": 15}, "line": " Using GoBuster to see if there are any more VHOSTS"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Checking out the SVN and seeing creds in a previous revision (commit)"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Logging into Azure Devops (devops.worker.htb) and discovering the pipeline to deploy master branch to a server"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Pushing our webshell to the git master branch and getting shell on the box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 16, "seconds": 10}, "line": " Choosing the revshell out of the tennc github page"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 
21, "seconds": 40}, "line": " Creating a powershell one liner to get a reverse shell via Nishang"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Discovering SVN Credentials and using CrackMapExec to find valid passwords"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 28, "seconds": 50}, "line": " CrackMapExec was giving me issues, installing it from source with Poetry"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Using CrackMapExec to test a list of credentials without bruteforcing all passwords to all users"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 32, "seconds": 10}, "line": " Using WinRM to get a shell as Robisl"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 35, "seconds": 10}, "line": " Logging into Azure Devops as Robisl and discovering we can edit the build pipeline"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 39, "seconds": 45}, "line": " Copying our reverse shell to the box, so we can easily execute it from the build pipeline and getting admin"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 41, "seconds": 30}, "line": " UNINTENDED: Doing the box via RoguePotato"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 42, "seconds": 50}, "line": " Poorly explaining why we need to use chisel"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 45, "seconds": 50}, "line": " Running Chisel to setup a reverse port forward between the target and our box"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 15}, "line": " Setting up SoCAT to go through our tunnel"}, {"machine": "HackTheBox - 
Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 52, "seconds": 50}, "line": " Executing RoguePotato to get an admin shell"}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Explaining the tunneling again in MSPaint. Hope this helps."}, {"machine": "HackTheBox - Worker", "videoId": "Auqt-NSB4SQ", "timestamp": {"minutes": 61, "seconds": 40}, "line": " Doing RoguePotato without socat, just a single Chisel tunnel"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Start of nmap, discover web and ssh. Discover litecart, fail to find a way to identify version"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 3, "seconds": 10}, "line": " Running GoBuster to find the backup directory"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Examining the tar archive"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Talking about the unix time being 32-bit timestamps but tar did not keep entire timestamp"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 9, "seconds": 10}, "line": " Using find with printf to sort files by modified time"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Discovering the admin/login.php file was modified to drop the credentials to disk"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 11, "seconds": 50}, "line": " Logging into LiteCart as admin"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": 
{"minutes": 13, "seconds": 20}, "line": " Finding exploits on searchsploit, then manually running through the exploit because it's Python2 with some annoying libraries"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Uploading our PHP Shell but it doesn't work, checking for PHP Disabled functions by using a simple php file. Then doing phpinfo() to see other functions"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Running through Chankro even though it wouldn't work."}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Uploading large binary files in BURPSUITE by pasting base64 and decoding it within burpsuite"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 25, "seconds": 33}, "line": " Chankro won't work due to putenv being disabled. Looks like there's a PHP 7.0 - 7.4 bypass. Trying this!"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Attempting a reverse shell but it doesn't work. 
Viewing iptables configuration"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 29, "seconds": 45}, "line": " Using my Forward Shell script to get a TTY on the box"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 34, "seconds": 0}, "line": " Again, talking about 32-bit timestamps to find files that were put into /lib/ not by a Apt"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Discovering the PAM Backdoor (pam_unix.so), then reversing it to get a skeleton password"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 43, "seconds": 30}, "line": " BOX COMPLETED. Doing USER/ROOT a different way"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Generating a Weevely Reverse shell which will let us do more things in PHP"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Discovering MySQL has a bash shell"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 49, "seconds": 30}, "line": " Discovering the MySQL has a UDF (User Defined Function) that allows for code execution"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Dropping an SSH Key, then seeing a strace-log.dat file which acts as a keylogger on linux. 
Also the 32 bit timestamp sticks out"}, {"machine": "HackTheBox - Compromised", "videoId": "yaV09XCDDqI", "timestamp": {"minutes": 60, "seconds": 15}, "line": " Discovering a LD_PRELOAD Rootkit (libdate.so),reversing it to see a hidden privesc"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Start of nmap"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Checking out the webpages, find Gitlab and Page about a custom chrome"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 3, "seconds": 25}, "line": " Viewing the Git log for the custom v8 javascript project and finding the vulnerability"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Finding an XSS in Contact Us"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 8, "seconds": 15}, "line": " Using the banners to find what version of Ubuntu the target is using"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 11, "seconds": 50}, "line": " Building v8 in Ubuntu 18.04"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Warning about needing 4 gigs of memory."}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Everything is compiled! 
Start of the exploit, looking at some webpages that help out"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Starting v8 in gdb, then examining some memory structures"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Explaining Smi, Immediate Small Integer"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Starting our helper script with number conversions (float/bigint/hex)"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 34, "seconds": 10}, "line": " Doing DebugPrints on our float arrays to examine memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 38, "seconds": 40}, "line": " Digging into the memory to see where Map/Property/Elements/Length are in the memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 50, "seconds": 20}, "line": " Showing Objects in memory"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 58, "seconds": 15}, "line": " Precursor material to AddrOf and FakeObject, why type confusion leads to memory shenanigans "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 66, "seconds": 30}, "line": " Finding GetLastElement() behaves different on object arrays"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 77, "seconds": 0}, "line": " Doing Faiths AddrOf and troubleshooting why it doesn't work in ours "}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 82, "seconds": 27}, "line": " Recoding the AddrOf, to start out with an array not object"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 86, "seconds": 45}, "line": " Explaining the FakeObj 
Primitive"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 93, "seconds": 20}, "line": " Doing the Read Memory portion"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 97, "seconds": 50}, "line": " Coding the Write Memory function"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 100, "seconds": 40}, "line": " Using Web Assembly to create RWX"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 102, "seconds": 30}, "line": " Doing some memory analysis to find where our RWX location is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 106, "seconds": 30}, "line": " Doing some memory analysis to find where the Backing Store address is"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 110, "seconds": 10}, "line": " Using MSFVenom to create some shellcode to touch a file"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 114, "seconds": 20}, "line": " Replacing the shellcode with a reverse shell!"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 116, "seconds": 30}, "line": " Testing on the custom chrome browser"}, {"machine": "HackTheBox - Rope2", "videoId": "m6Fpc3zxrJg", "timestamp": {"minutes": 118, "seconds": 30}, "line": " Running our exploit against the target!"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Begin of nmap"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 2, "seconds": 45}, "line": " Finding out this is Windows IOT"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 5, "seconds": 0}, "line": " 
Showing the BlackHat paper on Hacking Windows IOT "}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Trying SirepRAT out against this box"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Finally getting code execution with the SirepRAT tool, trying to run powershell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Finally getting Powershell working, trying to get a Reverse Shell"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 19, "seconds": 45}, "line": " Getting a Reverse shell by downloading NC64.EXE and running it"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Extracting the SAM/SYSTEM Registry hive so we can run SECRETSDUMP to pull user hashes"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 30, "seconds": 50}, "line": " Had trouble with Impacket's SMB Server, editing smbd.conf"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 36, "seconds": 40}, "line": " Getting a shell as APP using the website, so we can decrypt the user.txt and iot-admin.txt secure strings"}, {"machine": "HackTheBox - Omni", "videoId": "MVDNV_bvJcI", "timestamp": {"minutes": 40, "seconds": 40}, "line": " Getting a shell as ADMINISTRATOR using the website so we can decrypt root.txt"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 1, "seconds": 11}, "line": " Running nmap"}, {"machine": "HackTheBox - Laser", "videoId": 
"vD3jSJlc0ro", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Discovering port 9100, and poking at it with nmap/pret"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Got access to the printer via PRET, dumping print jobs"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Running ENT to see the entropy is 7.99 which means it is probably encrypted... Then doing the same thing in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 10, "seconds": 50}, "line": " Discovering the encryption algorithm via inspecting variables on the printer. Then dumping the memory of the printer to get the AES Key and trying to decrypt in Cyber Chef"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Cutting up the Print Job with DD to extract the IV/Encrypted payload out of the print job."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 18, "seconds": 58}, "line": " CyberChef decrypted our AES! 
Reading the PDF"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 23, "seconds": 46}, "line": " Creating the Protobuf object and converting to python"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 27, "seconds": 20}, "line": " Interacting with Port 9000 with our protobuf payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 31, "seconds": 10}, "line": " Attempting to Pickle a deserialization payload, to see its disabled"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Taking the example JSON Data and sending it to port 9000 and finding a SSRF Vulnerability!"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Using SSRF to scan ports on localhost and discovering SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 54, "seconds": 0}, "line": " Forcing the SSRF to send an HTTPS Post Request via GOPHER"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 58, "seconds": 0}, "line": " Sending the SOLR Post Payload"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 67, "seconds": 30}, "line": " Creating the second payload for SOLR"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 79, "seconds": 50}, "line": " Verifying our payloads doing some JSON Validation"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 91, "seconds": 50}, "line": " Finally fixed our payload! 
Darn URL Encoding issues."}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 95, "seconds": 50}, "line": " Reverse shell returned, doing some basic enumeration and seeing SSHPass"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 103, "seconds": 10}, "line": " Using PSPY to monitor processes and catching SSHPASS before it can rewrite its commandline"}, {"machine": "HackTheBox - Laser", "videoId": "vD3jSJlc0ro", "timestamp": {"minutes": 108, "seconds": 0}, "line": " Gaining root on the Docker Container, disabling SSH, and bending the port back at the host and gaining code execution"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Introduction"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 0, "seconds": 31}, "line": " Begin of nmap"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Nmap shows it is BSD, going over some command differences"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Running GoBuster to find other PHP Scripts"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Looking at the includes directory and finding source code"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 10, "seconds": 14}, "line": " Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Using VirusTotal to find out if this an old binary"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 13, "seconds": 20}, "line": " Using Cutter to decompile this binary, to see it does a better 
job than Ghidra!"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Finding some BSD Exploits related to authentication"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 20, "seconds": 0}, "line": " Putting SCHALLENGE as the username, causes a different error message. Then doing some code analysis around $_REQUEST"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 24, "seconds": 50}, "line": " Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 26, "seconds": 10}, "line": " Showing how OpenBSD has some different command line switches"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Going back to the earlier CVE, since it showed a privesc as well and explaining CVE-2019-19520"}, {"machine": "HackTheBox - OpenKeyS", "videoId": "krsGwWrTQ7E", "timestamp": {"minutes": 40, "seconds": 45}, "line": " EXTRA: Looking at the PHP Code to explain the $_REQUEST exploit again"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Introduction"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 1, "seconds": 3}, "line": " Start of nmap"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 2, "seconds": 27}, "line": " Setting Squid up to do a portscan while we work on something else"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Poking at RSYNC and seeing we can download encrypted config backups"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 9, "seconds": 40}, 
"line": " Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Finding the EncFS Config file, and then using John to Crack it"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Decrypting the config directory and finding a squid password and some hostnames"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Examining the new website exposed to us, configuring BurpSuite to use the squid proxy"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Showing the Intranet-Host header is changing, then accessing Squid Cache Manager to find some more ip addresses"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 26, "seconds": 15}, "line": " Using curl to view Squid Cache Information"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 28, "seconds": 25}, "line": " Finding a new IP Address for a decommissioned server. Looks like this one has a vulnerability"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 32, "seconds": 15}, "line": " Poking at the login form on the intranet-host1, looks like it's vulnerable to SQL Injection"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Trying SQL Injection in the Password Field since the User was behaving weirdly.. 
Password behaving slightly differently"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 38, "seconds": 20}, "line": " Examining what XPATH Injection is"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 39, "seconds": 15}, "line": " Confirming it is XPATH Injection by using standard XPATH Payloads"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 44, "seconds": 10}, "line": " Using a XPATH Payload to extract the password length for a user"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Using XPATH Injection to bruteforce the password one character at a time"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 48, "seconds": 40}, "line": " Using Python to Automate the XPATH Injection to dump passwords"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 61, "seconds": 30}, "line": " Script near done, grabbing the password for all users"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 66, "seconds": 40}, "line": " Using Hydra to find one of the users had SSH Access"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 68, "seconds": 30}, "line": " Reading the TODO and finding pi-hole by checking arp with ip neigh"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 70, "seconds": 10}, "line": " Creating an SSH Port Forward to access Pi-Hole"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 73, "seconds": 55}, "line": " Finding Pi-Hole Exploits"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 75, "seconds": 0}, "line": " Using FFUF to bruteforce the Pi Hole login form"}, {"machine": 
"HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 77, "seconds": 50}, "line": " Failing to use public exploits for this"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 79, "seconds": 45}, "line": " Finding a blog post to examine how this exploit works"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 81, "seconds": 45}, "line": " Using CyberChef to edit the payload for our Pi Hole exploit"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 83, "seconds": 55}, "line": " Manually sending the exploit and getting a shell"}, {"machine": "HackTheBox - Unbalanced", "videoId": "L_FYYJPVywM", "timestamp": {"minutes": 85, "seconds": 0}, "line": " Finding the root password in a config file, then using SU to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Start of nmap"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 3, "seconds": 10}, "line": " Poking at the websites"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Starting gobusters in the background while we look at the site"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Grabbing a list of emails off of the website"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Using SWAKS to mass email users with a link"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 14, "seconds": 45}, "line": " User went to our website, grabbed credentials"}, {"machine": 
"HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Failing to do FTP User Enumeration, do this at the end of the video"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Failing with Thunderbird to login"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Switching to the Evolution Mail client to check mailboxes, finding FTP Details in Sent Mail"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 28, "seconds": 40}, "line": " Using wget to mirror the FTP Directory, then poking at PHP Files"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 30, "seconds": 50}, "line": " Showing pypi/Register.php, which *should* have been used during the phishing stage"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Checking if we can upload files to the FTP Directory and finding the dev VHOST "}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Shell Returned"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Discovering a HTPASSWD file, then cracking it with hashcat"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Checking out pypi.sneakycorp.htb:8080 and finding a pypi server"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Creating a Malicious PyPi Package"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 43, "seconds": 30}, "line": " Adding a reverse shell to our pypi package"}, 
{"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 44, "seconds": 45}, "line": " Creating a pypi configuration file"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Uploading the package and getting a shell as low"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 50, "seconds": 10}, "line": " Checking sudoers, and finding low can run pip3 - Use GTFO Bin to get root"}, {"machine": "HackTheBox - SneakyMailer", "videoId": "f4vQhI4ADmI", "timestamp": {"minutes": 53, "seconds": 30}, "line": " EXTRA: Enumerating the FTP Users by creating a quick webapp then using FFUF against it."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Introduction"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of nmap and poking at the website"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Checking when an image was uploaded to the server with wget and exiftool"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 4, "seconds": 10}, "line": " Contact.php discloses the software Gym Management Software is being used. 
Examining the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 6, "seconds": 10}, "line": " Editing the Python Exploit to force everything through a proxy, so we can examine what the exploit does."}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Running the exploit and examining in Burp"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 14, "seconds": 20}, "line": " Having trouble getting a reverse shell via PS, Uploading NC.EXE to do it"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 17, "seconds": 10}, "line": " Running WinPEAS.exe "}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Discovering CloudMe in the Downloads directory then looking at the exploit"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 23, "seconds": 20}, "line": " CloudMe isn't listening on a port... Reverting and getting a shell again"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Reverse shell returned... 
Still waiting for CloudMe to listen on a port"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 27, "seconds": 27}, "line": " Uploading Chisel to the box, then doing a port forward for MySQL to enumerate the database"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Finding MySQL Credentials in db.php, then checking the database from our box thanks to Chisel"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Replacing the payload in the CloudMe exploit with a reverse shell"}, {"machine": "HackTheBox - Buff", "videoId": "-KBm3tBNK74", "timestamp": {"minutes": 37, "seconds": 20}, "line": " Running the exploit and getting root"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Begin of nmap"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Examining the Message, pointing out the endpoint does not need authentication"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Using FFUF to fuzz the API End Point and show importance of Content-Type"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Starting SQLMAP then manually fuzzing this application"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 14, "seconds": 30}, "line": " SQLite Boolean Injection, with CASE IF/THEN/ERROR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 20, "seconds": 0}, "line": " SQLite Boolean Injection, Enumerating Usernames"}, {"machine": "HackTheBox - Intense", 
"videoId": "nBg6zUalb7c", "timestamp": {"minutes": 24, "seconds": 0}, "line": " SQLite Boolean Injection, Start of Dumping Password"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 26, "seconds": 10}, "line": " SQLite Boolean Injection, Optimization chat about UNICODE and SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 29, "seconds": 40}, "line": " Start of coding out python script to dump the hash"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 41, "seconds": 20}, "line": " This hash looks weird... Tons of troubleshooting"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 45, "seconds": 12}, "line": " Explaining the issue, we are hitting the 140 character limit... Switching script up to do SUBSTR"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 51, "seconds": 55}, "line": " Script completed to dump hashes."}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 53, "seconds": 15}, "line": " Static source code analysis, find it's vulnerable to Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 59, "seconds": 50}, "line": " Using HashPumpy to perform the Hash Length Extension Attack"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 71, "seconds": 30}, "line": " We base64'd the signing portion wrong"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 73, "seconds": 30}, "line": " Now we have access to /admin, can use its API to read files and directories, showing Sched_debug and /proc/net/tcp,udp,environ to get important information"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 83, "seconds": 30}, "line": " Finding a RW SNMP Community 
string and then using snmp-shell to get code execution "}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 89, "seconds": 0}, "line": " Generating a SSH Key then copying it slowly to the box"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 95, "seconds": 0}, "line": " Doing a Local Port Forward with the Debian-SNMP User"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 97, "seconds": 20}, "line": " Binary Exploitation with Note_Server: Going over Source and recompiling with ggdb flag"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 101, "seconds": 0}, "line": " Binary Exploitation: Setting up PwnTools so we can interact with the binary"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 106, "seconds": 40}, "line": " Binary Exploitation: Defeating ASLR by leaking an address"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 116, "seconds": 20}, "line": " Binary Exploitation: Leaking LibC and Getting Code Execution"}, {"machine": "HackTheBox - Intense", "videoId": "nBg6zUalb7c", "timestamp": {"minutes": 125, "seconds": 30}, "line": " Binary Exploitation: Creating offset's for our remote server to get it working"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Academy URL: https://academy.hackthebox.eu"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 3}, "line": " Accessing Academy"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Talking about Paths"}, {"machine": "HackTheBox - Academy Intro", 
"videoId": "hBjksyVmspY", "timestamp": {"minutes": 2, "seconds": 10}, "line": " Talking about what a Cube is"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 3, "seconds": 25}, "line": " Showing all the modules and tiers"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Starting the Intro to Academy Course"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Showcasing interactive modules by starting a pwnbox instance"}, {"machine": "HackTheBox - Academy Intro", "videoId": "hBjksyVmspY", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Spawning a lab to interact with"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Start of Nmap"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 1, "seconds": 25}, "line": " Taking a look at the web page"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 2, "seconds": 40}, "line": " Discovering Megahosting.HTB and adding it to /etc/hosts"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 4, "seconds": 4}, "line": " Playing with news.php and explaining the logic of LFI"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Discovering it is a file_get_contents(), which means we can skip all our \"RCE Tests\" as it won't execute PHP Code"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 11, "seconds": 20}, "line": " Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2"}, {"machine": "HackTheBox - Tabby", 
"videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 20, "seconds": 20}, "line": " Using Curl to upload the JSP webshell."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 23, "seconds": 10}, "line": " Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 25, "seconds": 38}, "line": " Reverse shells having trouble running due to bad characters."}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 27, "seconds": 55}, "line": " Downloading the shell to disk, then executing it in order to avoid special characters"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 31, "seconds": 15}, "line": " Reverse shell returned and TTY fixed. 
Discovering an encrypted zip file that we crack with John"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Exploring the Zip file to find there's nothing really interesting"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Running linpeas"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 43, "seconds": 0}, "line": " Discovering user is a member of LXD Group"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 44, "seconds": 42}, "line": " Building an alpine container, then uploading it to the target machine"}, {"machine": "HackTheBox - Tabby", "videoId": "yTHtLi9YZ2s", "timestamp": {"minutes": 47, "seconds": 45}, "line": " Uploading the alpine container and using lxc to privesc"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of nmap, see a Active Directory server with HTTP"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Gathering usernames from the website"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 6, "seconds": 20}, "line": " Using KerBrute to enumerate which users are valid "}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Using Cewl to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 
9, "seconds": 25}, "line": " Using Hashcat to generate a password list for brute forcing"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 15, "seconds": 50}, "line": " Trying to use RPCClient to change the password. Cannot"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Using SMBPasswd to change the password"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Logging in via RPCClient and enumerating Active Directory with EnumDomUsers and EnumPrinters"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 24, "seconds": 40}, "line": " Password for SVC-PRINT found via Printer description (EnumPrinters) in Active Directory, Logging in with WinRM"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Discovering SeLoadDriverPrivilege"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Switching to Windows Downloading everything needed for loading the Capcom Driver and Exploiting it"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Compiling the EoPLoadDriver from TarlogicSecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 31, "seconds": 50}, "line": " Compiling ExploitCapcom from FuzzySecurity"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Copying everything to our Parrot VM then to Fuse"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 37, "seconds": 45}, "line": " Loading the Capcom Driver then failing to get code execution"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 41, "seconds": 30}, 
"line": " Creating a DotNet Reverse shell in case the Capcom Exploit didn't like PowerShell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 47, "seconds": 50}, "line": " Exploring the ExploitCapcom source and editing it to execute our reverse shell"}, {"machine": "HackTheBox - Fuse", "videoId": "VxbC03xmS60", "timestamp": {"minutes": 50, "seconds": 11}, "line": " Copying our new ExploitCapcom file and getting a shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Start of the box, running nmap with all ports."}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Using a Google Image Search to map icons with applications"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Manually fuzzing test.dyplesher.htb to check if there's any easy vulns"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Running NMAP Scripts against the results of our full port scan with awk and ORS"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Discovering a .git repo exposed on the website, using git-dumper to download it"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Memcache credentials discovered, download and test auth"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Creating a simple web application that will let us fuzz the remote memcat service"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 
22, "seconds": 30}, "line": " Logging into GOGS as Felamos to download another repo, using git to restore a git bundle file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Logging into dyplesher.htb with creds in the Git Repo"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 33, "seconds": 40}, "line": " MINECRAFT PLUGIN: Setting up our environment (IntelliJ)"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 37, "seconds": 20}, "line": " MINECRAFT PLUGIN: Skeleton Code"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 42, "seconds": 10}, "line": " MINECRAFT PLUGIN: Uploading the plugin and checking console"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 43, "seconds": 30}, "line": " MINECRAFT PLUGIN: Adding the ability to READ FILES and print Current Username"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 50, "seconds": 0}, "line": " MINECRAFT PLUGIN: Had trouble getting it to run, had to revert"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 51, "seconds": 30}, "line": " MINECRAFT PLUGIN: Add the ability to write files and drop SSH Key + Web Shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 63, "seconds": 0}, "line": " MINECRAFT PLUGIN: SSH Key and WebShell dropped! 
Logging into the server"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 66, "seconds": 15}, "line": " Discovering DumpCap can be ran by our user, dumping localhost then running wireshark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 73, "seconds": 25}, "line": " Discovering credentials in AMQP Traffic, these work on SSH"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 75, "seconds": 40}, "line": " Downloading AMQP-PUBLISH to send a URL to the queue as the note says"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 80, "seconds": 15}, "line": " Running PSPY while we dig through the wireshark some more, find the password in WireShark"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 82, "seconds": 20}, "line": " Using AMQP-PUBLISH with the correct credential and get the server to download a file"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 84, "seconds": 40}, "line": " Searching Cuberite plugins, to see its just lua. Writing a quick plugin and getting code execution"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 87, "seconds": 0}, "line": " Getting a root shell"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 89, "seconds": 40}, "line": " Failing to do some ERLANG stuff. 
May be useful if you want to try it yourself but i didn't get it working"}, {"machine": "HackTheBox - Dyplesher", "videoId": "F6oSpOWOjSQ", "timestamp": {"minutes": 95, "seconds": 0}, "line": " Exploring iptable/ufw rules and common mistakes"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 1, "seconds": 3}, "line": " Start of NMAP"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Discovering install.php, which says bludit is being installed."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Looking for exploits searchsploit, everything requires Auth"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 7, "seconds": 35}, "line": " Attempting a login and noticing the CSRF Tokens"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Looking for exploits online that haven't made it to SearchSploit yet"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Placing the X-FORWARDED-FOR header to bypass brute force protection"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Creating a Python Brute Forcer"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Scripting: Grabbing the CSRF Value with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Scripting: Grabbing the PHP Session Cookie with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": 
{"minutes": 18, "seconds": 20}, "line": " Scripting: Sending a login request with python requests"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Scripting: Telling request to not follow and detect a valid login"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 31, "seconds": 10}, "line": " Using Cewl to build a wordlist, then changing our python script to pull passwords from our wordlist"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Scripting: Setting a random IP in X-Forwarded-For header"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Scripting: Scripting fixing a bug then getting a password via brute force!"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Start of playing around with the Bludit Image Upload Vulnerability."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 45, "seconds": 10}, "line": " Having trouble, running the exploit with metasploit through a proxy to understand what is going on"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 47, "seconds": 50}, "line": " Uploading a PHP Reverse shell then HTAccess file to get code execution"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 62, "seconds": 30}, "line": " Reverse shell returned, finding passwords in the bludit database, then cracking them."}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 68, "seconds": 20}, "line": " Cracked a password for hugo, switching to his user"}, {"machine": "HackTheBox - Blunder", "videoId": "G5iw8c2vXuk", "timestamp": {"minutes": 69, "seconds": 30}, "line": " Doing the SUDO underflow 
exploit"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Running NMAP and checking out the page"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Author page contains a hint to do some type Domain Brute Forcing"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 4, "seconds": 25}, "line": " The Login form won't go to burpsuite, lets check out javascript"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 8, "seconds": 5}, "line": " Doing VirtualHost (VHOST) Bruteforcing with GoBuster to discover hms.htb"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Discovering OpenEMR, running searchsploit, attempting to find the version of it"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 15, "seconds": 25}, "line": " Searchsploit doesn't have any exploits, checking one on google to find a SQL Injection"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Discovering error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 23, "seconds": 10}, "line": " Manually extracting data from error based SQL Injection (XPATH)"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 27, "seconds": 25}, "line": " Using BurpSuite Intruder to aid us in running a bunch of SQL Injections, incrementing a number to get all the fields"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 33, "seconds": 8}, "line": " XPATH Injection only extracts 32 characters, we need to use 
SUBSTRING to extract fields longer than 32"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Logging into OpenEMR then using file upload functionality to upload a webshell"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 46, "seconds": 15}, "line": " Enumerating Memcache to discover credentials for luffy"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 50, "seconds": 40}, "line": " Luffy is a member of Docker, using GTFO Bins to use docker to privesc"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 56, "seconds": 0}, "line": " EXTRA: Going back to memcache, lets forward the memcache port to our box via chisel, so we can easily run tools against it."}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 61, "seconds": 25}, "line": " Using Metasploit to dump memcache"}, {"machine": "HackTheBox - Cache", "videoId": "kfLU5-Eeyhw", "timestamp": {"minutes": 62, "seconds": 40}, "line": " Using Memcache utilities to manually enumerate memcache"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of nmap"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Mounting the profiles$ directory so we can build a username list"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Using Kerbrute to enumerate valid usernames"}, 
{"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Running GetNPUsers to perform an ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Checking what we can do with the Support User from the ASREP Roast"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 20, "seconds": 45}, "line": " Running the python Bloodhound ingestor from Linux"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 27, "seconds": 55}, "line": " Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Setting a Windows user's (Audit2020) password from linux using RPCClient"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 36, "seconds": 45}, "line": " Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 42, "seconds": 20}, "line": " Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 43, "seconds": 30}, "line": " Failing to get WBADMIN to send a backup file to impacket"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 47, "seconds": 30}, "line": " Creating a NTFS Block Device/Partition but does not fix our impacket issues"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 49, "seconds": 45}, "line": " Editing samba to create a windows fileshare from linux. 
Purposefully don't point it to our NTFS Disk so you can see the errors."}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 54, "seconds": 54}, "line": " Pointing samba to our NTFS Directory, to show it works much better"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 55, "seconds": 50}, "line": " Running wbadmin to create a backup to our fileshare and include ntds.dit"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 57, "seconds": 0}, "line": " Running wbadmin to restore a ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 62, "seconds": 0}, "line": " Using secretsdump to extract credentials out of the ntds.dit and show the history flag"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 64, "seconds": 20}, "line": " Showing you can't grab the flag as SYSTEM user due to EFS (Encrypted File System). 
Using WMIExec to get a shell as the actual user"}, {"machine": "HackTheBox - Blackfield", "videoId": "IfCysW0Od8w", "timestamp": {"minutes": 72, "seconds": 30}, "line": " Using Mimikatz to restore the password of Audit2020, so it's like we were never there."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Doing nmap quickly by not running scripts to get open ports, then using that output to run scripts."}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Checking out the webserver, discovering robots.txt"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 7, "seconds": 55}, "line": " Running gobuster on the admin-dir with the extensions txt and php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Finding credentials.txt within that admin-dir"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Logging into FTP to discover the web directory source"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Running gobuster again on utility-scripts to discover adminer.php"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 24, "seconds": 55}, "line": " Going to adminer and trying to login"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 27, "seconds": 10}, "line": " Bypassing adminer authentication by creating a MySQL Database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 31, "seconds": 45}, "line": " Failing to drop a file in adminer"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Using LOAD DATA LOCAL to 
insert a file into our database"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 38, "seconds": 5}, "line": " Uploading the servers index.php to our database and discovering the password"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 39, "seconds": 0}, "line": " SSH into the server with the password found before"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 41, "seconds": 50}, "line": " Sudo allows us to set environment variables, using PYTHONPATH to hijack a python library... Failing to get a rev shell"}, {"machine": "HackTheBox - Admirer", "videoId": "_zMg0fHwwfw", "timestamp": {"minutes": 49, "seconds": 0}, "line": " Switching to nc for a revshell and getting a root shell!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Checking out the web page, finding an API that allows us to search employees"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 8, "seconds": 45}, "line": " Extracting usernames from the database using the above API"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 11, "seconds": 45}, "line": " Using wfuzz to fuzz this endpoint and discover there's a WAF that blocks us on BruteForce and special characters"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: It's content-type!)"}, {"machine": 
"HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 25, "seconds": 30}, "line": " While SQLMap runs, lets manually exploit this"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Found a union injection! Start of creating a Python Script, tons of issues around getting Request to send unicode"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 35, "seconds": 30}, "line": " Basic script is done, we can now send unicode data via python - Then convert to use the Cmd Module"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 41, "seconds": 0}, "line": " CmdLoop done, we can now send raw queries to the database. Lets make an option to do union injection"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 44, "seconds": 10}, "line": " Script now makes it easy to run UNION Commands and get the output, running through some basic MSSQL Injection to get data from the server"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 47, "seconds": 15}, "line": " Extracting database information (Table Names)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Extracting Usernames and hashes from the Logins table, then cracking the passwords"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 61, "seconds": 15}, "line": " Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Administrator. 
Then adding BruteForcing to our script"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 78, "seconds": 25}, "line": " Bruteforcing RID's to discover more usernames"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 83, "seconds": 8}, "line": " Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and BloodHound"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 99, "seconds": 0}, "line": " Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 105, "seconds": 45}, "line": " Discovering a VS Code is running, and some random ports keep opening up. Debug ports? Downloading CEFDebug then running"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 113, "seconds": 34}, "line": " Testing CEF exploit with ping, then create a powershell cradle. 
Edit Nishang to bypass AMSI"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 118, "seconds": 10}, "line": " Shell returned as CYORK"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 121, "seconds": 0}, "line": " Discover a DLL in the web directory, run strings against it and discover a new password"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 123, "seconds": 30}, "line": " Updating bloodhound to see if we gained any new paths with the new compromised user (SBAUER) and we have GenericWrite to user"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 126, "seconds": 30}, "line": " Using SBAUER to enable DoesNotRequirePreAuth, so we can obtain a password hash (asrep 23) and crack it"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 132, "seconds": 30}, "line": " Shell as Jorden and we can edit services! Use SC to replace the binpath with a reverse shell and get root!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 138, "seconds": 25}, "line": " ALTERNATE METHOD: Using ZeroLogon/ZeroLogin CVE-2020-1472... Failing to use impacket correctly "}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 143, "seconds": 15}, "line": " Reverting my box, doing impacket the correct way (Installing in an Virtual Environment)"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 146, "seconds": 30}, "line": " Running the Zero Logon exploit to discover it worked! Running SecretsDump performs a DCSync and we can login as administrator... 
Rest of video is reverting what the exploit did to not leave a vulnerability!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 150, "seconds": 50}, "line": " SecretsDump with the -history flag shows the previous passwords... Now how to set a machine account, and how to \"pass the hash\" when setting a password."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 157, "seconds": 10}, "line": " Running mimikatz to see Defender deleted it, using MpCmdRun to delete all defender definitions."}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 158, "seconds": 45}, "line": " Defender bypassed mimikatz runs!"}, {"machine": "HackTheBox - Multimaster", "videoId": "iwR746pfTEc", "timestamp": {"minutes": 160, "seconds": 15}, "line": " Running mimikatz with lsadump::setntlm to restore the password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 0, "seconds": 58}, "line": " Start of recon, discovering a bunch of hostnames in a cert"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 4, "seconds": 24}, "line": " Running wpscan against blog.travel.htb"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 6, "seconds": 10}, "line": " Running the raft-large-files.txt against blog-dev.travel.htb to discover the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 7, "seconds": 45}, "line": " Using git-dumper to download the git repo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 10, "seconds": 28}, "line": " Examining the git project to discover what it is and where its installed on the webserver"}, {"machine": "HackTheBox - Travel", 
"videoId": "VofMBg2VLnw", "timestamp": {"minutes": 14, "seconds": 20}, "line": " Discovering a debug file"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Hunting for where web app accepts user input"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Getting the server to make a request back to us"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Examining what debug.php is telling us (memcache)"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 26, "seconds": 15}, "line": " Hunting around wordpress/simplepie to see how it is using memcache"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Begin of trying to poison the memcache object, talking about bypass the ip filter via hex encoding the ip"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Bypassing the file:// filter by using gopher to smuggle in a request to memcache. 
Using gopherus"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 39, "seconds": 15}, "line": " Explaining what gopherus is doing"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 41, "seconds": 48}, "line": " Creating a php serialized object to drop a file to the webserver"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 44, "seconds": 24}, "line": " Having gopherus generate a malicious payload then dropping a web shell to the server"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 50, "seconds": 50}, "line": " Examining the MySQL database"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 53, "seconds": 45}, "line": " Discovering the wordpress backup file with additional users"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 56, "seconds": 40}, "line": " Logging in with lynik-admin and cracked password from WP backup. 
Finding ldaprc and viminfo"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 58, "seconds": 45}, "line": " Downloading Apache Directory Studio so we have a gui to LDAP"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 59, "seconds": 45}, "line": " Using SSH to forwarding port 389 to our box, so our LDAP Gui can access the service"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 64, "seconds": 0}, "line": " Using Apache Directory Studio to modify a users password"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 66, "seconds": 0}, "line": " Using Apache Directory Studio to add an SSH Key"}, {"machine": "HackTheBox - Travel", "videoId": "VofMBg2VLnw", "timestamp": {"minutes": 69, "seconds": 10}, "line": " Using Apache Directory Studio to modify the user group to sudo, then we can sudo su to root"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of nmap, enumerate ftp, and smb"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 5, "seconds": 32}, "line": " Taking a look at the website to discover umbraco"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 10, "seconds": 50}, "line": " Examining NFS with showmount"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Discovering umbraco.sdf on NFS is a database and contains the admin password"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Logging into umbraco and discovering the unauthenticated RCE"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", 
"timestamp": {"minutes": 23, "seconds": 35}, "line": " Editing the umbraco exploit to ping our box"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 26, "seconds": 30}, "line": " Getting a reverse shell using Invoke-WebRequest instead of (New-Object Net.WebClient)"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 30, "seconds": 30}, "line": " Running WinPEAS to discover UsoSvc service is editable"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Editing the UsoSvc binpath to execute our reverse shell"}, {"machine": "HackTheBox - Remote", "videoId": "iyYqgseKUPM", "timestamp": {"minutes": 40, "seconds": 15}, "line": " Alternate Path: Using Rogue Potato to get a shell"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 0, "seconds": 48}, "line": " Begin of Nmap, examining the page and running gobuster"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Identifying some extra care"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Adding portal.quick.htb to the host file so we can resolve hostname"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Trying to identify if the web application will tell us if an account is valid"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Building an email list based upon clients and then running wfuzz to try and identify valid emails"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Searching for the latest 
HTTP and seeing HTTP3 utilizes UDP instead of TCP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Installing Quiche so we can navigate to the http3 site"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 19, "seconds": 40}, "line": " Having Quiche download files, discovering an initial password then revisiting the bruteforce to gain access to a ticket system"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 30, "seconds": 30}, "line": " Using wfuzz to search the helpdesk for all tickets "}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 35, "seconds": 50}, "line": " Finding ESIGATE is vulnerable to xml entity injection"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 40, "seconds": 20}, "line": " Testing the XXE Attack to see if it connects to our webserver"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 41, "seconds": 50}, "line": " The server keeps putting the full URL in its GET Request, which messes with pythons webserver. Switching to PHP's built in will fix this."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 45, "seconds": 20}, "line": " Failing to get a reverse shell to execute via XSLT, switching to download a file and execute it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 56, "seconds": 45}, "line": " Reverse Shell Returned as SAM"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 58, "seconds": 30}, "line": " Finding printerv2.quick.htb and a little apache confusion its only listening on port 80. 
Esigate listens on 9001 then redirects to 80"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 64, "seconds": 20}, "line": " Dumping password hashes from MySQL to discover the server does some mangling of the password before md5sum, so we cant use hashcat"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 67, "seconds": 45}, "line": " Creating a cracking script in PHP"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 73, "seconds": 15}, "line": " Logging into the application and seeing we can print jobs, then looking at source code to see how its doing it"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 76, "seconds": 40}, "line": " Creating a script to abuse the race condition of printing a document. To replace documents with a symlink to sensitive files prior to printing."}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 85, "seconds": 20}, "line": " Printing out the SRVADM SSH Key"}, {"machine": "HackTheBox - Quick", "videoId": "BFSdJYS1gFs", "timestamp": {"minutes": 87, "seconds": 30}, "line": " Finding a password in the cups configuration file, which is the root password"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Nmap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 2, "seconds": 40}, "line": " Starting GoBuster on the root and images"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Creating 
a basic PHP Shell, then attempting to upload it"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Grabbing the magic bytes off a JPG, then prepending it to our shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 16, "seconds": 0}, "line": " File uploaded, hunting for an LFI and doing more SQLMap"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Turns out we don't need the PHP Extension (.htaccess allows anything)"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 26, "seconds": 20}, "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Grabbing the username and password out of Website Configuration"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 36, "seconds": 10}, "line": " Using VirusTotal to identify when a file was created"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 37, "seconds": 20}, "line": " Examining the .htaccess to see why we could execute code (should have a $ at the end)"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 39, "seconds": 30}, "line": " Using MsqlDump to dump the database and get a password out of it, su to the theseus user"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Found a SetUID Binary (sysinfo) then using strace to see what it does"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Using the -f argument with strace to follow forks and see the exec() calls"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 51, "seconds": 0}, "line": " 
Using Path Injection since absolute paths were not used in exec() and getting a root shell"}, {"machine": "HackTheBox - Magic", "videoId": "bLIcew9Iot8", "timestamp": {"minutes": 55, "seconds": 0}, "line": " Showing SQLMap did complete with the increased level/risk"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Checking the web page, then running a SecList wordlist for CommonBackdoors"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 3, "seconds": 30}, "line": " GoBuster returned smevk.php"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 4, "seconds": 15}, "line": " Attempting to guess the password, get in with admin:admin"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 5, "seconds": 55}, "line": " Running script prior to my reverse shell to log the output... 
I forget to check this again but it did work!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Reading note.txt which hints at finding a LUA File, using find to hunt for files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 9, "seconds": 5}, "line": " The reverse shell is misbehaving, lets fix it by setting the rows/columns"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Running LinPEAS, discover sudo with luvit; then looking up how to write files with a lua script"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 16, "seconds": 10}, "line": " SSH'ing in with SysAdmin after our key was written"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 18, "seconds": 50}, "line": " Using find some more to hunt for interesting files"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 23, "seconds": 11}, "line": " Using find to search between dates of interest shows an interesting backup directory"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 25, "seconds": 40}, "line": " Running pSpy to search for running processes"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Puzzled... 
Probably should have ran find commands to look for files edited within the last day!"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Changing up our tactic and using find commands to search for writable files "}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 34, "seconds": 10}, "line": " Editing MOTD with a reverse shell then SSH'ing in"}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 35, "seconds": 50}, "line": " Extra: Running linPeas to see if it would have seen this privesc."}, {"machine": "HackTheBox - Traceback", "videoId": "OI7PbBT589E", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Looking at the script.log output"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 2, "seconds": 10}, "line": " Using wget to recursively download files off an anonymous FTP Server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 11, "seconds": 0}, "line": " BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 15, "seconds": 20}, "line": " Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source"}, {"machine": "HackTheBox - Fatty", 
"videoId": "3bvKLj0akMM", "timestamp": {"minutes": 20, "seconds": 40}, "line": " Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello World Java Application"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Importing a Java JAR File into our Java Project then calling Login"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Replicating the functionality to identify what Role we are, then other functions"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 37, "seconds": 45}, "line": " Calling the Invoker Class to execute methods on the server"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 42, "seconds": 50}, "line": " Attempting to call methods that the GUI prohibited us from"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 45, "seconds": 30}, "line": " Using ShowFiles to see we can list files in our parent directory, then using Open to download files"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 53, "seconds": 40}, "line": " Failing to download the fatty-server.jar file due to encoding issues"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 58, "seconds": 40}, "line": " Unsealing the JAR File so we can edit the Invoker Class Object to fix our encoding issue by creating a binaryOpen function"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 70, "seconds": 0}, "line": " Utilizing our new binaryOpen function to write to a file"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 74, "seconds": 45}, "line": " Debugging a null pointer error, our binaryOpen function returned nothing!"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", 
"timestamp": {"minutes": 81, "seconds": 0}, "line": " Decompiling the downloaded fatty server and analyzing it to discover a SQL Injection and Deserialization vector"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 88, "seconds": 50}, "line": " Playing with SQL Injections in the username to get an admin session"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 100, "seconds": 0}, "line": " Modifying the ChangePW Function to allow us to send malicious payloads, then using ysoserial to generate a payload"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 108, "seconds": 30}, "line": " Using CommonsCollections5 to generate a malicious payload to send and getting a reverse shell"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 117, "seconds": 17}, "line": " Getting PsSpy on the box and discovering SCP is pulling files"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 119, "seconds": 50}, "line": " Explaining what our exploit path is, having a tar overwrite itself and point to authorized_keys then the next time it is copied to it overwrites auth_key"}, {"machine": "HackTheBox - Fatty", "videoId": "3bvKLj0akMM", "timestamp": {"minutes": 124, "seconds": 50}, "line": " Reverse shell returned, attempting to explain the exploit vector again"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 1, "seconds": 24}, "line": " Start the box checking out nmap, seeing an FTP Server with a file hinting at OAUTH"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Poking at the login for the flask application (Port 5000)"}, {"machine": "HackTheBox - Oouch", "videoId": 
"EUtqjK27MxQ", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Playing with the Change Password fied, made a mistake which puts me down a rabbit hole"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 17, "seconds": 40}, "line": " Checking the Contact page, seeing we get banned with a XSS Attempt but someone will click URL's if we send them"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Creating an account on Authorization.oouch.htb"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 27, "seconds": 40}, "line": " Enumerating the /token/ an endpoint through error messages"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Using the webapp to give our authorization account access to our consumer account"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 38, "seconds": 45}, "line": " Going through the same workflow to give authorization access to consumer account, but tricking a different user into going to the last piece of the workflow"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 42, "seconds": 10}, "line": " We are now the QTC User! 
Going into the Documents shows some hints like a develop credential"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 45, "seconds": 50}, "line": " Reading the Django Docs to see how the oauth endpoints are setup, finding the application register endpoint and the develop creds to again access"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 51, "seconds": 0}, "line": " Looking at the oauth authorization workflow again in order to build a authorization link for our new application!"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 56, "seconds": 30}, "line": " Thanks to our application's redirect url we stole QTC's token which will eventually let us develop endpoints"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 60, "seconds": 20}, "line": " Used the token to authenticate and get our Bearer token, then playing with API endpoints and noticing get_user and get_userjaskldfj both go to the same route. 
Helpful when brute forcing"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 64, "seconds": 25}, "line": " TIL, I don't know how to use FFU eventually i switch to wfuzz to bruteforce the endpoint"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 68, "seconds": 46}, "line": " Got shell on the box, discover note.txt and it hints at DBUS"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 73, "seconds": 30}, "line": " Creating a bash script to ping/port scan in order to enumerate other containers"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 80, "seconds": 30}, "line": " Digging through the code in order to discover UWSGI and how the webapp sends, attempting to send the dbus message but getting access denied."}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 88, "seconds": 30}, "line": " Searching for a UWSGI Code execution route so we can switch to www-data, finding a script "}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 98, "seconds": 30}, "line": " Reverse shell as www-data returned, doing the DBUS Message again via python to get code execution"}, {"machine": "HackTheBox - Oouch", "videoId": "EUtqjK27MxQ", "timestamp": {"minutes": 104, "seconds": 40}, "line": " ALTERNATE DBUS Method - Using the dbus commands (busctl/dbus-send) send the message without touching python"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Begin of nmap"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 2, "seconds": 45}, "line": " Enumerating RPC to identify usernames"}, {"machine": "HackTheBox - Cascade", "videoId": 
"mr-fsVLoQGw", "timestamp": {"minutes": 4, "seconds": 45}, "line": " Setting up a bruteforce and creating a custom wordlist with hashcat"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 8, "seconds": 45}, "line": " Enumerating LDAP with LDAPSEARCH"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Discovering the cascadeLegacyPwd LDAP Attribute which has a password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Using CrackMapExec to test the credential found in LDAP "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Installing the latest CrackMapExec to gain access to the Spider_Plus Module"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Using the spider_plus module of CME (CrackMapExec) to crawl the SMB Share as R.Thompson"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 20, "seconds": 10}, "line": " Mounting the SMB Share as R.Thompson in order to view the files in Data share"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 26, "seconds": 10}, "line": " Discovering the VNC Install.reg file which contains an encrypted password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 30, "seconds": 10}, "line": " Using Metasploit IRB to decrypt TightVNC's password"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Using the VNC Password to gain a WinRM Session to Cascade as s.smith discovering he is in the Audit Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 37, "seconds": 20}, "line": " Using DNSPY to decompile the 
CascAudit DotNet application "}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Setting a breakpoint in DNSPY where the password is decrypted and viewing the variable after it decrypts the pw"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 42, "seconds": 10}, "line": " Gaining a remote shell as ArkSvc to discover this user is in the AD Recycle Bin Group"}, {"machine": "HackTheBox - Cascade", "videoId": "mr-fsVLoQGw", "timestamp": {"minutes": 43, "seconds": 10}, "line": " Viewing deleted Active Directory items to see the TempAdmin has the CascadeLegacyPwd field and discovering this is the PW for administrator"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Running Nmap"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 2, "seconds": 7}, "line": " Poking at SMB with CrackMapExec, SMBMap, and RPCClient to get nothing"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 4, "seconds": 15}, "line": " Checking out the web page"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Playing with user input in the website and getting an error \"HTTP VERB used is not allowed\""}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Copying names from the website"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 10, "seconds": 50}, "line": " Using some VIM/VI Magic (macro) to convert names into potential usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 12, "seconds": 40}, "line": " Identifying valid 
usernames by using KerBrute which can enumerate valid usernames"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Running some Impacket scripts and performing an ASREP Roast to extract password hash"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Running GetNPUsers to get the hash for a user and then using hashcat to crack ASREP$23"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Seeing a RICOH printer share, pulling EXIF data off website to get an idea if it may be exploitable"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 23, "seconds": 10}, "line": " Using Evil-WinRM to log into the box with FSMITH and run WinPEAS to get saved credentials"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Running BloodHound"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 34, "seconds": 25}, "line": " Identifying that svc_loanmgr can perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 35, "seconds": 40}, "line": " Running SecretsDump with svc_loanmgr to perform a DCSYNC"}, {"machine": "HackTheBox - Sauna", "videoId": "uLNpR3AnE-Y", "timestamp": {"minutes": 37, "seconds": 45}, "line": " Performing a Pass The Hash with the administrator user using PSExec"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 0, "seconds": 34}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Enumerating the login page"}, {"machine": "HackTheBox - Book", 
"videoId": "RBtN5939m3g", "timestamp": {"minutes": 3, "seconds": 5}, "line": " Creating an account, identifying what fields are unique"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Logged into the page, examining functionality starting with the download.php file"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Playing with the search field"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Playing with XSS by using img src"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Examining the user signup more closely"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 15, "seconds": 25}, "line": " Viewing javascript on the page to show there is a maximum number of characters in username/email"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Start of attempting SQL Truncation attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 22, "seconds": 25}, "line": " Attempting to login to /admin/ with our account to see we get in, then redoing everything to explain it."}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Explaining the SQL Truncation Attack"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 35, "seconds": 40}, "line": " Noticing the PDF Generation processes HTML and probably JavaScript"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Using a Javascript payload that reads a local file on the box"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 45, "seconds": 20}, 
"line": " Getting rid of the Base64 Encoding in the payload and reading /etc/passwd"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 46, "seconds": 18}, "line": " Trying (and failing) to grab /proc/self/environ "}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 54, "seconds": 10}, "line": " Attempting to grab an SSH Key for the Reader User"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 56, "seconds": 0}, "line": " SSH Key is poorly formatted. Using pdf2text to see if formatting is better"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 57, "seconds": 30}, "line": " PDF2Text didn't work, lets try PDF2HTML which does a great job"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 59, "seconds": 45}, "line": " Revisiting the Base64 Payload to see if PDF2HTML grabs all the Base64 (it does)"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 62, "seconds": 15}, "line": " Running LINPEAS to see we may be able to exploit log rotate"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 66, "seconds": 10}, "line": " Poorly explaining how logrotten works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 72, "seconds": 30}, "line": " Performing the Logrotten exploit to get a reverse shell"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 78, "seconds": 15}, "line": " Finally keeping the reverse shell alive"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 80, "seconds": 25}, "line": " Examining how the SQL Truncation vulnerability came to be by looking at the PHP Source Code and then SQL Table Schema"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 87, "seconds": 30}, "line": " 
Showing how it determines the admin user and uses trim() which is why our attack works"}, {"machine": "HackTheBox - Book", "videoId": "RBtN5939m3g", "timestamp": {"minutes": 89, "seconds": 40}, "line": " Examining the PHP Sessions"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 0, "seconds": 52}, "line": " Begin of Nmap"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Registering an account and examining the functions to signed in users"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Playing with the ProfilePicture.php to discover we can do file inclusion"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Testing for RFI"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 14, "seconds": 25}, "line": " Using the PHP Filter Wrapper to convert php files to base64 and extract source code"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 16, "seconds": 50}, "line": " Start of creating a script to automate this"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 19, "seconds": 40}, "line": " Terminal portion of the script completed, now to add HTTP Requests"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Script cannot access the page due to requiring a login 
session, hard code the login cookie"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Script now is able to extract files off the server, now to add a save_file function"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 34, "seconds": 0}, "line": " Using the script we created as a library and building a brute forcer!"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Manually looking at source code while our script runs in the background"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Going back to gobuster seeing the \"/dev\" directory, extracting source to get credentials to SSH into the box"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Examining the Backup SetUID File with strace, explaining Path Injection (but it doesn't work here)."}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Opening up the backup file in Ghidra"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 51, "seconds": 0}, "line": " Using find to search for files owned by Pain to discover config.php.bak, then abusing the backup program to read this file"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 53, "seconds": 40}, "line": " Abusing the sudo rules to skip the crypto challenge. 
Upload a luks container with a SetUID Binary"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 55, "seconds": 45}, "line": " Creating a Luks Container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 58, "seconds": 0}, "line": " Adding a SetUID Binary in the luks container then uploading it, and executing it to get root"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 62, "seconds": 40}, "line": " Going back to look over the Crypto Challenge"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 66, "seconds": 30}, "line": " Using the program to encrypt text we know the key to, so we can build a bruteforcer"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 74, "seconds": 0}, "line": " Found a weird bug, we only need to know the first character of the key and length... Build a cracker based upon that"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 83, "seconds": 40}, "line": " Key found, decrypt the container"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 88, "seconds": 55}, "line": " Going back to the ProfilePicture, and finding the SSRF + XXE Chain"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 93, "seconds": 50}, "line": " Showing the importance of double URL Encoding"}, {"machine": "HackTheBox - ForwardSlash", "videoId": "alJa51XylDE", "timestamp": {"minutes": 102, "seconds": 55}, "line": " Creating another module for our LFI Script to add some crawl functionality to automatically download a bunch of source code!"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", 
"timestamp": {"minutes": 0, "seconds": 51}, "line": " Begin of NMAP"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Testing basic SQL Injection on product.player2.htb"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Running gobuster against the product domain to find potential pages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Running gobuster to try to enumerate sub domains."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Checking the full port scan of the box to see 8545"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 19, "seconds": 45}, "line": " Gobuster had an issue enumerating subdomains, switched to wfuzz"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 22, "seconds": 45}, "line": " Investigation TWIRP because port 8545 had that in an error mesage"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 24, "seconds": 40}, "line": " Running gobuster to hunt for protobuf files and api endpoints"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Exploring the generated.proto file"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull credentials"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 43, "seconds": 50}, "line": " 
Using Hydra to bruteforce an http login form"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 47, "seconds": 50}, "line": " Exploring login logic to see how SESSIONS are handled after invalid logins"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Testing /api/totp now that we have a session and finding ways to generate backup codes"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 54, "seconds": 0}, "line": " Looking at the authenticated product page"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Playing with the upload form of the protobs interface"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 59, "seconds": 20}, "line": " (unintended) Hunting for the uploads/ directory and testing for potential race condition"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 63, "seconds": 0}, "line": " Winning the race to get a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 65, "seconds": 15}, "line": " Doing the firmware upload the intended way."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 67, "seconds": 20}, "line": " Using DD to extract data out of binwalk"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 69, "seconds": 50}, "line": " Exploring the firmware in Ghidra"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 71, "seconds": 50}, "line": " Testing the firmware signing by opening the ELF in a hex editor and changing a byte near the beginning of the file, then the end of the binary"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 75, "seconds": 10}, 
"line": " Editing the string in the system() call test for RRCE"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 79, "seconds": 30}, "line": " Changing our ping command to be a reverse shell"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 87, "seconds": 0}, "line": " Reverse shell returned but wanted to see how much of this ELF we messed up by overflowing the string."}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 95, "seconds": 0}, "line": " Checking the MySQL Database for creds"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 101, "seconds": 50}, "line": " Running pspy to see some hidden crons"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 104, "seconds": 40}, "line": " Running chisel to forward the MQTT Port back to our box"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 111, "seconds": 10}, "line": " Using mosquitto_sub to subscribe to a topic and get messages"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 113, "seconds": 40}, "line": " Subscribing to $SYS/# and seeing an SSH Key broadcast to it"}, {"machine": "HackTheBox - Player2", "videoId": "ehoh6g5dSWk", "timestamp": {"minutes": 114, "seconds": 40}, "line": " Changing the SSH Key on the box, which root reads and broadcasts. 
Use this to get shadow and root.txt"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Start of NMAP"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 3, "seconds": 45}, "line": " Using SMBClient to search for open shares (None)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Checking out the web page, some light fuzzing on login and examining how the language selection works"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 7, "seconds": 55}, "line": " Taking a Screenshot on Parrot and pasting it into Cherry Tree (Shift+PrintScreen)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Checking out FTP and downloading the two txt files"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Viewing port 8443, and realizing this page really hates firefox. 
Switch to Chromium"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 19, "seconds": 5}, "line": " Using searchsploit to find there's a directory traversal exploit in NVMS"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 20, "seconds": 5}, "line": " Grabbing Passwords.txt off Nathan's Desktop (filename was an FTP Note)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 22, "seconds": 50}, "line": " Using CrackMapExec to bruteforce logins for SMB and SSH (SSH bug already fixed in DEV Branch)"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Logging in with SSH, then looking for WebServer directories"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Examining the NSClient directory to view the config"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Using SSH to setup a port forward"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 35, "seconds": 50}, "line": " Lots of flailing around trying to get code execution"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Enough flailing, box reverted and do a clean run of this exploit"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 49, "seconds": 0}, "line": " Flailing around trying to get Nishang to run... 
Defender is giving me issues."}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 59, "seconds": 30}, "line": " Giving up with Defender Evasion, switching to nc.exe to get a reverse shell"}, {"machine": "HackTheBox - ServMon", "videoId": "4tCD0GemXYg", "timestamp": {"minutes": 61, "seconds": 20}, "line": " Reverse shell returned as System grabbing root.txt"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 0, "seconds": 54}, "line": " Begin of recon"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 3, "seconds": 36}, "line": " Using rpcclient with null authentication and dumping active directory users"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 6, "seconds": 26}, "line": " Building a password list with hashcat --stdout (Forest Video does it better)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 8, "seconds": 41}, "line": " CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 12, "seconds": 6}, "line": " Using SMBMap to list contents of directories"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Downloading and running Seatbelt on the server"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 25, "seconds": 20}, "line": " Running WinPEAS for a second opinion"}, 
{"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 27, "seconds": 45}, "line": " Talking about the Azure Admins group"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 28, "seconds": 55}, "line": " Playing with SQLCMD to view the MSSQL Database"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 30, "seconds": 45}, "line": " Downloading and running PowerUpSQL to see if there's any obvious escalation paths"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Using XP_DIRTREE to connect to our Responder Instance and leak a NetNTLMv2 hash (I should have noticed it's the machine account due to username ending with a $, these are pretty much never crackable)"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 39, "seconds": 45}, "line": " Searching google to find XPNSec's post on \"Azure AD Connect for Red Teamers\""}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 43, "seconds": 0}, "line": " Running through the commands with SQLCMD to understand what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 48, "seconds": 20}, "line": " Executing the Azure AD Connect decryption script and having Evil-WinRM Crash on us"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 49, "seconds": 10}, "line": " Stepping through the script to see where it is failing"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 51, "seconds": 25}, "line": " Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 55, "seconds": 40}, "line": " Running the updated 
script, and getting the administrator password then using PSExec to get a system shell on the box"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 58, "seconds": 30}, "line": " Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on"}, {"machine": "HackTheBox - Monteverde", "videoId": "HTJjPZvOtJ4", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Dumping the DNS Zone for MEGABANK.LOCAL via powershell"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Showing why we should run NMAP as root or sudo."}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 4, "seconds": 40}, "line": " Running nmap to see only SMB is open, start a full port scan and move on"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore how each program works"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Running SMBClient to mount the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Installing CIFS-Utils so we can mount SMB and run commands like find against the share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Discovering a password, doing a credential spray and getting some odd results"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Mounting the shares as TempUser to discover we have access to more files"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": 
{"minutes": 22, "seconds": 0}, "line": " Using iconv to cat a windows text file because it showed a bunch of bad characters"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Directory, we can get into this folder"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Downloading the source-code to RUScanner in the User share"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Switching to Windows so we can use Visual Studio to compile the RUScanner application and decrypt the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Dropping the config in bin/debug and setting a breakpoint on the line of code which decrypts the password to view the output"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 35, "seconds": 55}, "line": " Using CrackMapExec to validate these are valid credentials, then exploring the fileshares again"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Exploring the application on port 4386 and showing why we need to use TELNET and not NC or NETCAT"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Playing with the various options on port 4386"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 44, "seconds": 58}, "line": " Using SMBClient to mount the Users directory as C.SMITH so we can use \"allinfo\" to see an ADS (Alternate Data Stream) Exists, then downloading the hidden password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Using the 
custom program on port 4386 and using the DEBUG Options to download the configuration file with an encrypted LDAP Password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 52, "seconds": 30}, "line": " Using DNSPY to decompile HqkLdap.exe"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Editing the application to print the password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 58, "seconds": 20}, "line": " Running HqkLdap to get the decrypted password, which is the administrator password"}, {"machine": "HackTheBox - Nest", "videoId": "tDbVw6uGx8g", "timestamp": {"minutes": 59, "seconds": 20}, "line": " Using psexec to get a shell on the box as the SYSTEM user"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 1, "seconds": 8}, "line": " Talking about my switch to Parrot"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Begin of nmap, discovering it is likely a Windows Domain Controller"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Checking if there are any open file shares "}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 6, "seconds": 11}, "line": " Using RPCClient to enumerate domain users (enumdomusers)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 7, "seconds": 55}, "line": " Using CrackMapExec to dump the PasswordPolicy"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 8, "seconds": 45}, "line": " Using RPCClient to dump Active Directory information (querydispinfo)"}, {"machine": 
"HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 10, "seconds": 45}, "line": " Bruteforcing accounts via CrackMapExec with password of Welcome123!"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Using Evil-WinRM to remote into the server as Melanie"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Building the latest version of Seatbelt on CommandoVM (The DotNet version is incompatible)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 17, "seconds": 40}, "line": " Explaining some cool bash one line tricks, then linking Egypt's \"One liners to rule them all\" talk"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 24, "seconds": 40}, "line": " Changing Seatbelt to compile to Version 4.0 then trying again."}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 26, "seconds": 30}, "line": " Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 29, "seconds": 50}, "line": " Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 35, "seconds": 30}, "line": " Running WinPEAS to compare the differences"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 44, "seconds": 20}, "line": " Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan"}, 
{"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 45, "seconds": 40}, "line": " Quickly going over how to execute code on a Domain Controller as a DNS Admin"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 46, "seconds": 10}, "line": " Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 49, "seconds": 10}, "line": " Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 52, "seconds": 50}, "line": " Using the DNS-EXE-Persistance to help us create a better way to do the Reverse Shell"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 53, "seconds": 3}, "line": " Explaining the DNSCMD Exploit path on how it can be used both for lateral movement and privesc"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 54, "seconds": 50}, "line": " Start of creating the DLL to use with this DNS Exploit"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 56, "seconds": 45}, "line": " Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 62, "seconds": 20}, "line": " Showing that we get a Reverse shell and DNS Keeps running"}, {"machine": "HackTheBox - Resolute", "videoId": "8KJebvmd1Fk", "timestamp": {"minutes": 63, "seconds": 52}, "line": " Removing the \"CreateThread\" portion of our code to show that was needed, without CreateThread the DNS Server hangs because it stops on the RevShell code"}, {"machine": "HackTheBox - Rope", "videoId": 
"GTQxZlr5yvE", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Nmap the box, then play with the WebServer. 404 msg are interesting"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 5, "seconds": 15}, "line": " Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 9, "seconds": 25}, "line": " Opening the binary up in Ghidra and exploring the binary to understand what it does"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 18, "seconds": 35}, "line": " Discovering we have control over the first argument in log_access/printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 20, "seconds": 5}, "line": " Showing one of my most hated things about debugging forks. Be sure to always kill the process!"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 21, "seconds": 5}, "line": " Using GDB to help us analyze the log_access call, by breaking and examining the stack"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Begin of PrintF Exploitation, leak a bunch of memory addresses, then identify a spot in memory where we control"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 28, "seconds": 40}, "line": " Starting to write an exploit script"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 30, "seconds": 50}, "line": " Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. 
Analyze the binary again and see it supports the \"RANGE\" HTTP Header which is required to grab these special files"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Back to Coding the exploit script, now that we can grab the process map"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 41, "seconds": 25}, "line": " Testing our leaking/rebasing code to verify we are leaking correctly then using fmtstr_payload to automate the exploit"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Running the exploit, seeing the output of \"GET\" on the Server's STDOUT... Lots of fighting with a debugger to show exactly what happened (explain it later, may want to skip to the next part)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 61, "seconds": 30}, "line": " Replacing GET in our request with commands, to see it is running them. Placing a reverse shell here using IFS as space."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Changing the exploit to use the target... For some reason we have the wrong libc version, once we figure that out it works."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 68, "seconds": 25}, "line": " Going to /proc/self/maps again to leak the path of libc, redownloading it and then we instantly get a shell. Drop SSH Keys and SSH in"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 71, "seconds": 30}, "line": " Going back.. the issues with debugging the printf exploit, to explain it. 
The issues had was system() calls fork and we followed it"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 77, "seconds": 0}, "line": " John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls a printlog() option in a custom library that is chmod'd to 777"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 81, "seconds": 10}, "line": " Creating a custom library that replaces printlog() with a system(\"/bin/bash\") call, uploading and getting our shell. Drop an SSH Key and go in via ssh"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 86, "seconds": 0}, "line": " Examining the contact bin in Ghidra, this one is stripped so it will be a bit more pain to navigate"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 91, "seconds": 20}, "line": " Explaining the buffer overflow in the recv() call -- Then lots of fighting with gdb to get to a part of the code to explain overwriting the canary"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 106, "seconds": 49}, "line": " Partially overwriting the canary and showing it in GDB, then explaining how its like a padding oracle attack due to it not changing. "}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 110, "seconds": 10}, "line": " Begin the exploit script, start off with creating our threaded bruteforcer() class."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 122, "seconds": 45}, "line": " Explaining what our code will do, then running it and fixing errors"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 131, "seconds": 30}, "line": " Testing our program to see we can leak the canary. 
Then leaking RBP and RIP"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 134, "seconds": 50}, "line": " Using VMMAP to aid us in rebasing the binary to bypass ASLR."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 138, "seconds": 22}, "line": " Using pwntools to create a write() gadget to leak a libc address, then rebase libc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 143, "seconds": 35}, "line": " Since Canary/RBP/RIP are always the same, lets just hard code those variables for now to save time"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 145, "seconds": 30}, "line": " Going over the ROP Gadget, then verifying the libc address is correct and doing dup2,dup2,execve for code execution"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 155, "seconds": 40}, "line": " Found why the ExecVE wasn't working, didn't update the rop variable name, so ran libc leak twice"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 156, "seconds": 30}, "line": " Updating the code to work remotely. 
Use Chisel to forward port 1337 to our box"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 165, "seconds": 30}, "line": " Printing a few more debug things so we know the code is working, downgrading the # of workers, then running it remotely, to get a shell"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 168, "seconds": 50}, "line": " Showing we don't need the Pop RDI because RDI is already set as the FD"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 174, "seconds": 19}, "line": " Removing the first 16 bytes of our libc leak, to skip over RDI"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 176, "seconds": 40}, "line": " Removing the RDI's from our Dup2 calls"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 180, "seconds": 35}, "line": " Removing all the PwnTools magic from our binary, manually rebasing"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 182, "seconds": 30}, "line": " Manually specifying the addresses for everything, gadgets (ropper), objdump (PLT), ReadElf (GOT), Strings (binsh)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 194, "seconds": 0}, "line": " Leaking libc gadget works. 
Repeating everything we did here with LibC and building the execve gadget"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 203, "seconds": 30}, "line": " Begin of manual PrintF, showing the liveoverflow videos I recommend watching."}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 215, "seconds": 15}, "line": " Creating the printf payload (have a typo, should be %4x)"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 218, "seconds": 35}, "line": " Going to the printf call in GDB, examining the GOT PUTS address before/after to see we screwed up"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 222, "seconds": 30}, "line": " Had the wrong address for PUTS in our printf payload, put the correct one in and examine the call in GDB to see PUTS@GOT is now 0xc"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 224, "seconds": 17}, "line": " Explaining why we want to break the SYSTEM() address into two 2 byte pieces instead of one 4 byte... Modifying our PrintF Payload to allow this. This piece should really show what the \"n\" variable does in printf"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 227, "seconds": 9}, "line": " Our memory address is close to what we want for SYSTEM, modifying the number slightly"}, {"machine": "HackTheBox - Rope", "videoId": "GTQxZlr5yvE", "timestamp": {"minutes": 229, "seconds": 20}, "line": " Address matches! 
Running the exploit with our reverse shell and hand crafted printf payload to show it works."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of nmap, there's a weird 8888 port."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 3, "seconds": 55}, "line": " Looking at the website, downloading a docx"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Finally running GoBuster, doing the raft wordlist because it has \"UpdateDetails\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Running GoBuster against the \"release\" directory to get release notes and researching XML and DocX"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Adding an XXE Payload into our Word Document: customXml/item1.xml"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 26, "seconds": 15}, "line": " Making an XXE Chain to extract files using HTTP and PHP's Encoder"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 33, "seconds": 20}, "line": " Extracting the Apache Config to see DocRoot, then extracting config.php"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens with bad regex to remove things."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 42, "seconds": 10}, "line": " Exploring Log File Poisoning"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 54, 
"seconds": 0}, "line": " Shell returned on the box, fixing up the TTY and searching for files by creation time"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 58, "seconds": 30}, "line": " There's a file in /opt/, that hints at a cronjob running a task every minute. Running PSPY to see the process creation"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 61, "seconds": 40}, "line": " Password is exposed in the command, this is the root password to the docker. Exploring the Cron and /opt/lfm directory"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 71, "seconds": 25}, "line": " Exploring the lfm directory and examining old git commit's to get the binary of lfmserver and some old source code."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 75, "seconds": 0}, "line": " Opening up on Ghidra, defining main"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 77, "seconds": 20}, "line": " Going into the first piece of the program which looks like an argument check. Looking at the source to verify we are correct."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 80, "seconds": 30}, "line": " Searching for the password in the binary to see where it is used. Use GDB to help us understand what is happening"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 84, "seconds": 30}, "line": " Start of creating an exploit script"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 89, "seconds": 50}, "line": " Changing the password to ippsec, and looking at it in GDB to confirm a variable... 
Bunch more playing around learning the binary"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 104, "seconds": 10}, "line": " Discover the application is expecting files to be in /files/, behaves like DOC_ROOT"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 105, "seconds": 10}, "line": " Explaining where I think the Buffer Overflow Happens (URLDecode)"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 110, "seconds": 0}, "line": " Crashed the application, discovering the correct spot to overwrite with \"pattern create\""}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 114, "seconds": 0}, "line": " Using Ropper to find some pop gadgets to use, then creating a gadget to leak an address using write(). Then doing a bunch of troubleshooting around MD5Sum to get the code to a spot that triggers our overflow."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 139, "seconds": 0}, "line": " End of troubleshooting that MD5 issue. Viewing what the server is sending in wireshark"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 147, "seconds": 30}, "line": " Calculating Memory Offsets based upon the link"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 156, "seconds": 10}, "line": " Creating a gadget to map stdin/stdout then execute bash... 
Then lots of troubleshooting, some encoding issue."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 162, "seconds": 20}, "line": " Memory address looks weird, using GDB to confirm we grabbed the wrong address."}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 169, "seconds": 0}, "line": " Calculating where the BinSH String would be located and now our script works locally!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 171, "seconds": 10}, "line": " When going against target, our script isn't even getting the memory leak... Incorrectly thinking there's some ACL based around IP Address. Using an SSH Tunnel to create a reverse tunnel and access the server through the docker"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 175, "seconds": 0}, "line": " Realizing the MD5 is wrong since convert.php on our target is different than our box!"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 177, "seconds": 15}, "line": " Address leaked! Using libc-database to hunt for the version of libc on the target machine"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 180, "seconds": 0}, "line": " Libc-database found the correct libc, modifying our exploit script to use this libc. 
Then getting a shell"}, {"machine": "HackTheBox - Patents", "videoId": "XqsURG_agvY", "timestamp": {"minutes": 185, "seconds": 30}, "line": " Running LinPEAS and noticing that /dev/sdb1 is mounted to /root, examining /dev/sda2 to see if there was a /root directory underneath to get root.txt."}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 1, "seconds": 3}, "line": " Quick rant about Security through Obscurity and why it can be good"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Begin of nmap'ing the box "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Checking out the webpage, GoBuster giving weird errors, try WFUZZ"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 12, "seconds": 5}, "line": " Taking a deeper look at the website while we have some recon running"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 17, "seconds": 45}, "line": " Wfuzz found nothing hunting for /$directory/SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Doing some Directory Traversal attempts against the webserver, and seeing it looks like its vulnerable"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Extracting the source code to the webserver by specifying /../SuperSecureServer.py"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Installing VS Code so we can run this webserver and insert breakpoints"}, {"machine": "HackTheBox - Obscurity", "videoId": 
"veq3w_j0WZQ", "timestamp": {"minutes": 28, "seconds": 20}, "line": " Creating main.py then running the code in VSCode"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Exploiting the exec() statement in the WebServer"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Explaining that we can't use + for spaces in the url, have to do %20, then testing a reverse shell"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 46, "seconds": 50}, "line": " Turns out the intended way is to find the /develop/ directory. Looking into why wfuzz missed it"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Copying the SuperSecureCrypt files back to our local box, then reading the source"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Explaining modulus "}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 59, "seconds": 45}, "line": " Explaining Known Plaintext Attack"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 63, "seconds": 35}, "line": " Having trouble deciphering arguments, typing out the arguments on decrypting the key"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 67, "seconds": 0}, "line": " Decrypting the PasswordReminder.txt"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 70, "seconds": 39}, "line": " Explaining Block Ciphers and how to protect against Known-PlainText"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", 
"timestamp": {"minutes": 71, "seconds": 25}, "line": " Rant about Initialization Vectors (IV) and why repeating them is bad (WEP)"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 74, "seconds": 30}, "line": " Looking at the BetterSSH Source Code"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 77, "seconds": 10}, "line": " Explaining why we can overload the -u parameter of Sudo"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 80, "seconds": 30}, "line": " Setting up a watch command to copy all files in /tmp/SSH to /dev/shm so we can crack them later"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 81, "seconds": 10}, "line": " Root #1: Exploiting BetterSSH via overloading parameters"}, {"machine": "HackTheBox - Obscurity", "videoId": "veq3w_j0WZQ", "timestamp": {"minutes": 85, "seconds": 20}, "line": " Root #2: Cracking the password"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 2, "seconds": 35}, "line": " Running GoBuster to discover /music/, checking the page to try to find out what it is."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Going to login reveals this is OpenNetAdmin version 18.1.1, searchsploit isn't updated and fails to find the correct exploit"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Showing what to do when an web exploit script gives HTML"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Finding the correct exploit script, setting it to go through burpsuite"}, {"machine": "HackTheBox - 
OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Failing to get a reverse shell for a bit because of bad characters (explained at end, we needed to URL Encode it)."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Reverse shell worked when doing the python one."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Running LinPEAS"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Looking for a config file with database connection info"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Exploring the MySQL Database to get additional creds"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Running Medusa to test the passwords against users on the box to discover we can login as jimmy"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 38, "seconds": 40}, "line": " Showing off \"sucrack\" to brute force with \"su\" in case SSH was not open"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Running find to see what files are owned by Jimmy to see some new php scripts"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Discovering a second webserver, accessing main.php lets us read an SSH Key... 
Digging into why, because it looks like it wants us to login (forgot the die; command)"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 48, "seconds": 10}, "line": " Lets try it the \"correct\" way with an SSH Tunnel and using firefox to login, going down a \"magic hash (===)\" rabbit hole. When we could just crack the pw."}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 61, "seconds": 20}, "line": " Running John to crack the SSH Key"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 68, "seconds": 35}, "line": " Linpeas shows Joanna can run nano with sudo"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 74, "seconds": 30}, "line": " GTFOBins shows a way to have nano execute commands"}, {"machine": "HackTheBox - OpenAdmin", "videoId": "fdD-JTlkd3k", "timestamp": {"minutes": 79, "seconds": 0}, "line": " GOING BACK: URL Encoding the original RCE to see a standard bash revshell would work"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Start"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 1, "seconds": 2}, "line": " Begin of nmap"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. 
Run GoBuster on /uploads/ looking for PHP files"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Begin fuzzing Proxy Headers with wfuzz to access admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Having BurpSuite automatically add the x-forwarded-for header to our requests"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Explaining a reason why this header exists in the first place"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 19, "seconds": 25}, "line": " Discovering Union injection on the admin page"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 22, "seconds": 45}, "line": " Telling SQLMap to run in the background, while we manually enumerate this ourselves."}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 39, "seconds": 30}, "line": " Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 48, "seconds": 50}, 
"line": " Grabbing user hashes out of the database with our injection then cracking them to discover hector's password"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Using OUTFILE in our injection to drop a php webshell to the server"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 58, "seconds": 5}, "line": " Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 64, "seconds": 2}, "line": " Using powershell to run a command as hector with the password we cracked from the database"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 68, "seconds": 15}, "line": " Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 74, "seconds": 30}, "line": " Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 75, "seconds": 40}, "line": " Running ConvertFrom-SddlString to make sense of the registry permissions"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 81, "seconds": 20}, "line": " Listing services on the box, then shrinking the number by only showing ones that run as LocalSystem with a Manual startup type"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 86, "seconds": 0}, "line": " Shrink the list some more by only showing the services that our user has permission to startup"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 95, "seconds": 30}, "line": " 
Showing the \"SC\" command cannot set the BinPath of services, need to do this via registry"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 98, "seconds": 0}, "line": " Changing the ImagePath of the wuauserv service in the registry via PowerShell"}, {"machine": "HackTheBox - Control", "videoId": "kFfYHmLmwVc", "timestamp": {"minutes": 101, "seconds": 15}, "line": " Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of nmap and examining the HTTPS Certificate to get a potential hostname"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Doing light testing on the HTTPS Site for SQL Injection, then sending to SQLMap. Using --force-ssl to make SQLMAP do HTTPS instead of HTTP"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 6, "seconds": 26}, "line": " Playing with analytics.php and some light testing to see if we could do SSRF. 
Put it on the backburner and move on."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 7, "seconds": 42}, "line": " Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 8, "seconds": 51}, "line": " Going over NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 9, "seconds": 44}, "line": " Attempting to explain NoSQL Injection"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Performing a NoSQL Injection test via x-www-form-encoded data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 12, "seconds": 44}, "line": " Doing Regular Expressions with NoSQL Injection to extract the password length"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 18, "seconds": 50}, "line": " Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 19, "seconds": 20}, "line": " Going over doing Burp Intruder to extract data"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 21, "seconds": 45}, "line": " Creating a Python Script to do this NoSQL Injection since Burp cost $$ and is slow."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", 
"timestamp": {"minutes": 37, "seconds": 11}, "line": " Script mostly done extracting admin's password"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 40, "seconds": 47}, "line": " Trying to extract Mango's password but there's a tricky character, troubleshooting"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box."}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Running LinPEAS and seeing JJS is a SetUID Bin"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Turns out we can't execute JJS as mango, only admin. Use \"su\" to switch to admin and run JJS"}, {"machine": "HackTheBox - Mango", "videoId": "NO_lsfhQK_s", "timestamp": {"minutes": 50, "seconds": 11}, "line": " Using JJS to write a file and drop an SSH Key"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Unofficial Time Schedule."}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - First 30 minutes - Using ansible to build a Windows Domain"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Next 30-45 minutes - Searching Exploit-DB and taking apart exploits to understand them"}, {"machine": "Sunday Night Learning", "videoId": "ArxZJX7bayE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - The remainder of time - VulnHub or something."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Running nmap against the box, port 80 is running a unique webserver (nostromo)"}, {"machine": 
"HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Lets check out the website before we throw any exploits"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 6, "seconds": 37}, "line": " Launching metasploit then exploiting Nostromo but sending the exploit through burpsuite to see what it is doing"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 10, "seconds": 34}, "line": " Code Execution worked, for some reason the proxies command didn't work the first time"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 11, "seconds": 18}, "line": " Explaining why the script does a GET request before throwing an exploit (Exploit Verification)"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Editing the payload to send a Bash Reverse Shell"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Running LinPEAS"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Running LinEnum in Thorough mode"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 19, "seconds": 22}, "line": " Going over LinPEAS Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 22, "seconds": 16}, "line": " Going over LinEnum Output"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Discovering a HTPASSWD Password, then using hashcat to crack it"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 26, "seconds": 45}, "line": " Looking at the HTTP Configuration file to discover public_www directory in home directories"}, {"machine": 
"HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Explaining Linux Permissions on Directories and why we can do a ls in /home/david/public_www but not /home/david/ "}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 29, "seconds": 50}, "line": " Discovering an encrypted SSH Key for David in public_www, downloading the file via netcat then cracking the key with sshng2john.py John"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 34, "seconds": 50}, "line": " SSH into the box as David"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 35, "seconds": 20}, "line": " Discovering David can sudo journalctl,"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 37, "seconds": 10}, "line": " Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 38, "seconds": 0}, "line": " Privesc by removing the pipe and then running !bash. 
Explaining why this works by tracing parent processes to see journalctl is just executing pager which is symlink'd to less"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 40, "seconds": 50}, "line": " Comparing the Directory traversal exploits (MSF and non-MSF) to see a weird bug adding %0d bypassed the /../ whitelist check"}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 49, "seconds": 30}, "line": " Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 50, "seconds": 27}, "line": " Using find and grep to md5sum all the files to figure out what has changed."}, {"machine": "HackTheBox - Traverxec", "videoId": "6_C9ShH9v2w", "timestamp": {"minutes": 53, "seconds": 26}, "line": " Using diff to compare two files"}, {"machine": "Creating a VM to learn Linux PrivEsc", "videoId": "B_7NIkSlYuQ", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Support the stream: https://streamlabs.com/ippsec"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Begin of Recon, discovering hostname in SSL Certificate"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 5, "seconds": 10}, "line": " Running GoBuster against Registry.htb and Docker.Registry.htb to discover CA Certificate in /install/"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 9, "seconds": 0}, "line": " /v2/ on Docker.Registry.HTB requires login, guessing admin:admin and then looking into the Docker Registry API"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Manually downloading a Blob off the Registry and extracting it to reveal files "}, {"machine": 
"HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 15, "seconds": 50}, "line": " A bit more elegant way to do this, configure Docker to use this registry by adding the CA to our Docker SSL Cert Store. Then downloading the Bolt-Image Container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 20, "seconds": 40}, "line": " Discovering an Encrypted SSH Key on the container"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Explaining SSH Config Files"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Using find to show files modified between two dates to discover a file with the SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Using more forensic artifacts (viminfo) to discover the file with SSH Key Password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Checking /var/www/html to discover the Web User can probably use sudo with restic. 
Try to get a shell as www-data"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Checking out Bolt CMS Exploits to discover an authenticated RCE"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 40, "seconds": 20}, "line": " Downloading the bolt SQLite database then viewing the contents and cracking the admin password"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 42, "seconds": 45}, "line": " Identifying the algorithm bolt uses to hash passwords"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Exploiting Bolt by editing the config to allow PHP Files and then uploading a webshell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Could not get a reverse shell, checking iptable rules to see iptables blocks packets initiating a connection on OUTBOUND. 
Switching to localhost for reverse shell"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 55, "seconds": 0}, "line": " Setting up a Reverse SSH Tunnel to forward 127.0.0.1:8000 to our box, so Restic can talk to us"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 57, "seconds": 30}, "line": " Setting up a Restic Server on our box"}, {"machine": "HackTheBox - Registry", "videoId": "w0h0QYswFNA", "timestamp": {"minutes": 62, "seconds": 0}, "line": " Using Restic to download /root and get the Root SSH Key to login to the box"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 0, "seconds": 34}, "line": " Explaining how networking is setup, then nmap"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Examining why nmap says a port is filtered in Wireshark"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Exploring the webpage and doing basic SQL Injections in the search functionality"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Starting GoBuster in the background, #AlwaysHaveReconRunning"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 10, "seconds": 10}, "line": " Explaining SQL Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 13, "seconds": 55}, "line": " Explaining SQL Union Injection"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Testing Union Injection by doing \u201cUNION SELECT\u201d, then testing it by doing \u201cORDER BY\u201d. 
"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Explaining how to get data out of INFORMATION_SCHEMA"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 20, "seconds": 55}, "line": " Doing GROUP_CONCAT to extract multiple lines from a UNION Statement"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Using SED to replace \u201c,\u201d with line breaks and extracting a bunch of information out of the database"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Cracking the hash to see admin\u2019s password is transorbital1"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 34, "seconds": 41}, "line": " Using wfuzz to brute force a login prompt with two FUZZ Variables (some troubleshooting)"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 43, "seconds": 30}, "line": " Fuzzing the MANAGE.PHP script for a filename parameter with wfuzz"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 48, "seconds": 50}, "line": " Exploring the LFI"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Using LFI with /proc/sched_debug to get processes running and discovering KnockD"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 64, "seconds": 30}, "line": " The Opening up the SSH Port with port knocking"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 70, "seconds": 0}, "line": " Using medusa combo list to test SSH Credentials, then logging chandlerb and running linpeas"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 76, "seconds": 0}, "line": " Exploring the MySQL Database, discovering Janitor was created 
at a different time. Explore his directory to discover new credentials"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 82, "seconds": 0}, "line": " Using find to output a list of readable files for other users then finding files that can only be read by single users"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 88, "seconds": 50}, "line": " FredF can execute the \u201ctest\u201d binary as root. Looking at source, it allows appending lines to a file."}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 90, "seconds": 15}, "line": " File Write Method 1: Appending a line to allow joeyt to sudo"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 93, "seconds": 30}, "line": " File Write Method 2: Appending line to passwd to create a new user"}, {"machine": "VulnHub - DC-9", "videoId": "_Aa8125CQ0g", "timestamp": {"minutes": 96, "seconds": 50}, "line": " Extra content, going over the Source Code to view the LFI Exploit and a pretty funny login bypass bug"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of Nmap scans"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Checking out the website and running a few GoBuster dir searches"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Discovering .. 
is a bad character, working around it by starting the path with a slash"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 10, "seconds": 28}, "line": " Testing RFI via SMB, then failing to steal a hash and use impackets SMBServer"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Configuring SMBd to host a share that is accessible by anonymous users"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Reverse Shell Returned!"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Discovering Chris's password then using Powershell to run a command as him to upgrade the shell."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 40, "seconds": 10}, "line": " Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 46, "seconds": 55}, "line": " Copying the malicious CHM File to c:\\Docs and not getting any shell. 
Simplify the exploit to run ping instead."}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Using Out-CHM to have it execute NC out of c:\\users\\chris\\downloads\\ instead of a SMB Share and getting shell as administrator"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 53, "seconds": 25}, "line": " Start of doing the box the second way. "}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 54, "seconds": 15}, "line": " Explaining the LFI + PHP Session Exploit Chain"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 56, "seconds": 30}, "line": " Identify bad characters by creating a script in python to create accounts and test logins"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 67, "seconds": 0}, "line": " Testing minimal php code for code execution"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 68, "seconds": 30}, "line": " Testing Code execution with Powershell Encoded commands"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 78, "seconds": 26}, "line": " Downloading Netcat to the box then executing it for a reverse shell"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 83, "seconds": 0}, "line": " Uploading Chisel to the box then forwarding ports 3306 and 5985 to us"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 40}, "line": " Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 92, "seconds": 20}, "line": " Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash"}, {"machine": "HackTheBox - Sniper", "videoId": 
"k7gD4ufex9Q", "timestamp": {"minutes": 100, "seconds": 0}, "line": " Uploading the CHM and stealing the hash with Responder"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 91, "seconds": 20}, "line": " Using Hashcat to crack a NetNTLMv2 hash from Hashcat (5600)"}, {"machine": "HackTheBox - Sniper", "videoId": "k7gD4ufex9Q", "timestamp": {"minutes": 102, "seconds": 40}, "line": " Using PSexec to remote into the boxh"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Running NMAP and queuing a second nmap to do all ports"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Using LDAPSEARCH to extract information out of Active Directory"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Dumping user information from AD via LDAP then creating a wordlist of users"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Creating a custom wordlist for password spraying with some bashfu and hashcat"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Using CrackMapExec to dump the password policy of Active Directory using a null authentication, then doing a Password Spray"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Enumerating information out of AD using rpcclient and null authentication"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 28, "seconds": 10}, "line": " Now that our PWSpray is running in the background, lets go through Impacket Scripts to see what works."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Using GetNPUsers 
to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it."}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 36, "seconds": 20}, "line": " Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Setting up a SMBShare, using New-PSDRive to mount the share, then running WinPEAS"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 42, "seconds": 20}, "line": " Going over WinPEAS Output"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 44, "seconds": 20}, "line": " Downloading Bloodhound and the SharpHound Ingestor"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 48, "seconds": 50}, "line": " Importing the Bloodhound Results and finding an AD Attack Path"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 52, "seconds": 10}, "line": " Going over the Account Operators Group (will allow us to create an account)"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Using Net User to create a new user, then adding it to the Exchange Group"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 58, "seconds": 40}, "line": " Downloading the PowerSploit Dev Branch to utilize the function \"Add-DomainObjectAcl\""}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 61, "seconds": 40}, "line": " Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 62, "seconds": 30}, "line": " Performing SecretsDump to perform a DCSync and extract hashes, 
then PSEXEC with Administrator to gain access"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 67, "seconds": 10}, "line": " Going over the \"--users\" option in hashcat so you can easily identify whose hash was cracked"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 70, "seconds": 43}, "line": " Using the KRBTGT Hash to perform the GoldenTicket attack from Linux"}, {"machine": "HackTheBox - Forest", "videoId": "H9FcE_FMZio", "timestamp": {"minutes": 95, "seconds": 11}, "line": " Showing it worked, Issues were we could not use IP Addresses anywhere in the command and need FQDN for the domain. Create entries in Host file if DNS is not there."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of nmap scan"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Checking out the website, trying to identify what technology runs the site"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Nmap scan finished, start more recon (GoBuster and full nmap port scan)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Trying to find out when the website was stood up with exiftool"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Full nmap showed the REDIS port, initial poking"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Searching the internet for things you can do with a REDIS Server"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 14, "seconds": 50}, "line": " Dropping a webshell didn't work, lets try dropping an SSH Key"}, {"machine": "HackTheBox - 
Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Discovering the location of a .ssh directory by guessing the default (/var/lib/redis/.ssh)"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 19, "seconds": 30}, "line": " Got a shell on the box!"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Running LinPEAS"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 29, "seconds": 45}, "line": " Running LinEnum twice (once with thorough mode enabled). To make sure we have good recon."}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 33, "seconds": 10}, "line": " Discovering Matt logged in at a time we did not previously have"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 36, "seconds": 7}, "line": " Discovering an encrypted SSH key, cracking the SSH Key with John"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 40, "seconds": 0}, "line": " SSH failing to work, decide to just use \"su\" to switch to the Matt User"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Discovering we can login to WebMin with Matt"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 42, "seconds": 48}, "line": " Running searchsploit, then using Metasploit to exploit Webmin"}, {"machine": "HackTheBox - Postman", "videoId": "jJnHET1o8ZQ", "timestamp": {"minutes": 45, "seconds": 30}, "line": " Root shell returned, set Metasploit to go through burp and play with it until we get the exploit working."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 0, "seconds": 59}, "line": " Begin of nmap, discover XAMPP"}, {"machine": "HackTheBox - BankRobber", 
"videoId": "zYmA9ECuCio", "timestamp": {"minutes": 5, "seconds": 51}, "line": " Running GoBuster while we poke at the website"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Registering an account then seeing what new functions are avaialble"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Attempting to transfer money and discovering XSS "}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Basic Cross Site Scripting worked, check cookies to see HttpOnly is false then do a basic XSS to steal cookies"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 15, "seconds": 33}, "line": " Doing the OnError payload to steal administrative cookie"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 17, "seconds": 38}, "line": " Logging in as the administrative user, checking out the new pages. 
Search which is SQL Injectable and BackDoorChecker which can execute code from localhost"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Playing with the SQL Injection in Search, confirming it is union then sending it to SQLMap to dump the database"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Using SQL Injection to read the source code via LOAD_FILE in a Union Injection."}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Creating a XSS Payload that can send a Post Request (XMLHttpRequest)"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 40, "seconds": 45}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 46, "seconds": 20}, "line": " Manually poking around the box, discover port 910 is open but our nmap didn't show it"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 48, "seconds": 10}, "line": " Using Chisel to forward the port back to our box, and discover it's a telnet interface to perform transfers"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 52, "seconds": 20}, "line": " Using PwnTools to bruteforce the PIN Code on port 910"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 56, "seconds": 10}, "line": " Send it 100 A's to see if the program crashes, instead it executes a payload after 32 bytes"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 61, "seconds": 0}, "line": " Failing to run netcat from a UNC Path"}, {"machine": "HackTheBox - BankRobber", "videoId": "zYmA9ECuCio", "timestamp": {"minutes": 68, "seconds": 26}, "line": " Running netcat from 
C:\\ to get a reverse shell"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 5, "seconds": 50}, "line": " Discovering an SQL Injection inside of the WhoIs Service"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Identifying we can perform DNS Zone Transfers with dig axfr (aquatone is the application i mention to take screenshots)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Explaining the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Dumping information out of Information_Schema via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 23, "seconds": 5}, "line": " Dumping hostnames out of the whois database via the SQL Union Injection"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 28, "seconds": 45}, "line": " Discovering the pwned website, discovering shell.php with GoBuster"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 31, "seconds": 45}, "line": " Using wget to get the date the webserver was defaced"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Using wfuzz to find the parameter (hidden) the attackers shell used, then we have code execution on the machine."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 39, "seconds": 15}, "line": " Using find with newermt to identify what happened around the time the attacker pwned the box"}, {"machine": "HackTheBox - Scavenger", "videoId": 
"rlUTZiqTKgc", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Discovering mail file that has some credentials for an FTP User"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 49, "seconds": 17}, "line": " Using grep/awk to find the hacker in an apache access logs"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 51, "seconds": 44}, "line": " Searching wireshark to pull the attackers post request to pull more credentials and the files the attacker uploaded to the server."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 55, "seconds": 5}, "line": " Analyzing root.c kernel module "}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Testing the kernel rootkit didn't work over HTTP, lets get a forward shell and try it there."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 62, "seconds": 22}, "line": " Testing passwords to gain access to ib01c01, which has the compiled kernel root kit (root.ko)"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 65, "seconds": 20}, "line": " Analyzing root.ko in Ghidra to discover some slight changes to the root.c source code."}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 69, "seconds": 20}, "line": " Sending g3tPr1v to /dev/ttyR0 to activate the rootkit and switch to root"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 70, "seconds": 2}, "line": " Testing nc with a source port of 20 to verify our assumption only root can do this is true"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 71, "seconds": 50}, "line": " Creating a PHP Script to act as middleware between SQLMap and the WhoIs port and allow us to use SQLMap to dump 
the database"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 82, "seconds": 20}, "line": " Manually installing Zeek (formerly known as Bro) to analyze the pcap. "}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 85, "seconds": 50}, "line": " Zeek has been installed, running it against the pcap with Cr to ignore checksum errors"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 86, "seconds": 42}, "line": " Showing how to manually analyze zeek logs with less -S and zeek-cut"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 91, "seconds": 50}, "line": " Installing zkg which is the zeek package manager then installing ja3 and http-post modules to extract SSL Signatures and HTTP Post Data"}, {"machine": "HackTheBox - Scavenger", "videoId": "rlUTZiqTKgc", "timestamp": {"minutes": 96, "seconds": 20}, "line": " Running Zeek again with the modules, identify the HTTP Attack used (Google: \"prestashop mail proxycommand exploit\" to find the exploit the attacker used)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 0, "seconds": 57}, "line": " Begin of NMAP, then examining FTP to see the banner leak time and IPv6 compatibility."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 10}, "line": " Running GoBuster so we always have recon running in the background"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 5, "seconds": 38}, "line": " Examining the Web Page to see it has some usernames and FTP Creds"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Logging into FTP and testing basic things like downloading/uploading files"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 8, 
"seconds": 45}, "line": " Ran out of things to test. Run NMAP on all ports, then look into things we don't know."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Explaining what FXP is and what an FTP Bounce Attack is"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Performing the FTP Bounce Attack to get the IPv6 Address, then doing a nmap on the ipv6 address "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Identifying what port 8730 is (RSYNC) using both NMAP and NETCAT"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 18, "seconds": 45}, "line": " Downloading /etc via rsync, then explaining a bunch of configurations on the box"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Identifying there is an RSYNCD.SECRETS via the RSYNCD.CONF file. Cannot download but can identify filesize which will tell us the number of characters the password is."}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Extracting all 8/9 character words out of RockYou.txt then using bash to script a rsync bruteforce (end of video we code a better brute force)"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Got Roy's password (computer),then downloading his directory to get user.txt. 
After that upload an SSH Key"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 39, "seconds": 48}, "line": " SSH into the box as roy with the key, then failing to run lynis before running LinPEAS"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 48, "seconds": 8}, "line": " Using find to list files edited around the time User.txt was created (newermt) to identify git repo's under RSYSLOG and FTP"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 52, "seconds": 5}, "line": " Examining git repo in RSYSLOG to identify it sends syslog to POSTGRES and is SQL Injectable"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 57, "seconds": 10}, "line": " Performing the SQL Injection with logger, but before that tailing the postgres log for some output"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 59, "seconds": 50}, "line": " Running commands on Postgres 9.3 via PROGRAM command. Get into trouble with quotes, find postgres has a third quote option which is $$"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 73, "seconds": 57}, "line": " EXTRA CONTENT: Building a threaded RSYNC Bruteforcer"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 74, "seconds": 20}, "line": " Script 1: Figuring out how RSYNC Authentication works, its a Challenge/Response. 
"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 82, "seconds": 44}, "line": " Script 1: Downloading the RSYNC Source and searching how it creates the hash"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 92, "seconds": 40}, "line": " Script 1: Adding SOCKET Support so we can connect to the RSYNC Server"}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 105, "seconds": 40}, "line": " Script 2: Python3 Threading example "}, {"machine": "HackTheBox - Zetta", "videoId": "8XmTz3A5rUo", "timestamp": {"minutes": 110, "seconds": 45}, "line": " Script 3: Combining the Threaded example with our RSYNC Auth to get a good bruteforcer!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 0, "seconds": 52}, "line": " Start of recon, NMAP"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 35}, "line": " Using SMBClient to look for OpenShares"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Examining the HTTP Redirect on the page"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 6, "seconds": 56}, "line": " Attemping default credentials"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 8, "seconds": 25}, "line": " Running GoBuster with PHP Extensions"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Examining the /api/ Requests made in BurpSuite"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 13, "seconds": 35}, "line": " Comparing Requests to notice one has a \"BEARER\" Header. 
Researching exactly what it is."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Examining the contents of BEARER/OAUTH2 by base64 decoding it."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 15, "seconds": 50}, "line": " Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected base64"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 16, "seconds": 50}, "line": " See a serialization error, pointing towards JSON.NET, then switching to Windows to install ysoSerial"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 22, "seconds": 54}, "line": " Creating a .net Deserialization exploit that will ping us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Base64 encoding the exploit, starting tcpdump, and checking for code execution. 
Then editing our exploit use a PowerShell webcradle with Nishang to get a reverse shell"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 32, "seconds": 51}, "line": " Reverse Shell Returned, Running WinPEAS from my SMBShare so we don't touch disk"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Going over WinPEAS.bat, which doesn't have color (we will do EXE later in the video to get colors!)"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 42, "seconds": 0}, "line": " PrivEsc #1: Reversing Sync2Ftp to decrypt a password"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 50, "seconds": 15}, "line": " Decompile SyncLocation.exe via DNSPY, then edit the executable to display the decrypted password."}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 56, "seconds": 15}, "line": " Couldn't use PSEXEC with the decrypted creds. 
Lets use Powershell Invoke-Command to switch users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 65, "seconds": 25}, "line": " PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 70, "seconds": 50}, "line": " Using Chisel to forward 127.0.0.1:14147 to us"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 75, "seconds": 15}, "line": " Running the FileZilla Server and connecting to the box through our tunnel to create new users"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 81, "seconds": 53}, "line": " PrivEsc #3: JuicyPotato"}, {"machine": "HackTheBox - JSON", "videoId": "FPgK_udcBig", "timestamp": {"minutes": 84, "seconds": 53}, "line": " Running JuicyPotato to get a system shell"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 0, "seconds": 30}, "line": " Begin of Recon"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 1, "seconds": 55}, "line": " Creating an entry in /etc/hosts for reblog.htb (found on webpage)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Reading each blog post and taking notes"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Poking at SMB to see MALWARE_DROPBOX"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Digging into why SMBMAP says READ_ONLY. 
Don't get anywhere but its an impacket thing?"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Installing LibreOffice, then creating a macro to ping us"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Obfuscating the macro by placing it over multiple lines (do LOLBINS at end of video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Converting our obfuscated macro to a powershell cradle/one liner (iconv to make it UTF-16LE)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 22, "seconds": 20}, "line": " Reverse Shell returned as LUKE, showing a way to get a logged in users hash and attempting to crack"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 26, "seconds": 25}, "line": " Running WinPEAS.bat (will do EXE at the end of the video)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 35, "seconds": 45}, "line": " Going over the process_sample.ps1 script to discover a potential WinRAR Vulnerability"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 38, "seconds": 9}, "line": " Using evilWinRAR to generate a ZipSlip like file, forget a trailing slash and do quite a bit of troubleshooting"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 49, "seconds": 0}, "line": " Switching up the ASPX Shell by using one from the TennC Repository"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 52, "seconds": 35}, "line": " Reverse shell as the IIS User"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Doing a Ghidra XXE Vulnerability to steal the users hash"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", 
"timestamp": {"minutes": 57, "seconds": 0}, "line": " Copying the XXE Vulnerability in POC"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 64, "seconds": 45}, "line": " Lol. Found what out i was zipping the file incorrectly"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 67, "seconds": 30}, "line": " Cracking the new hash we just got"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 69, "seconds": 20}, "line": " Using Powershell to Invoke-Command with a different user"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 72, "seconds": 55}, "line": " Begin of unattended route (Changing macro to be RevSvr32 with an SCT File instead of CMD /c)"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 81, "seconds": 20}, "line": " Downloading SharpUp and WinPEAS to compile executables"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 87, "seconds": 30}, "line": " Using rlwrap for our reverse shell so we have a semi-proper TTY on Windows"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 88, "seconds": 45}, "line": " Running PowerUp to identify the bad service and playing with a few commands to show what is happening"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 93, "seconds": 10}, "line": " Running WinPEASEXE to show the output"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 95, "seconds": 30}, "line": " Enabling RDP so we can see the error message SharpUp threw"}, {"machine": "HackTheBox - RE", "videoId": "YXAakamjO_I", "timestamp": {"minutes": 97, "seconds": 50}, "line": " Changing DotNet version in the project properties to get SharpUp working on the box"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 5}, 
"line": " Begin of Recon"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 1, "seconds": 50}, "line": " Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 3, "seconds": 45}, "line": " Playing with the File Upload, failing to identify how uploaded files are stored"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Investigating PHP Files that GoBuster found, discovering intelligence.php"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Searching for Text to Speach programs (create WAV Files)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 8, "seconds": 50}, "line": " The first program didn't do a good job saving WAV Files, Downloading Festival"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 9, "seconds": 17}, "line": " Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 11, "seconds": 5}, "line": " Using text2wave to create wav files and upload them, then discover a SQL Injection over voice"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 14, "seconds": 4}, "line": " Having trouble getting the voice recognition to recognize the word union. 
Using \"intelligence.php\" to discover alternative words."}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Extracting the username and password out of the database, then logging in via SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Investigating how the file upload script works, turns out to be a dead end"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 23, "seconds": 40}, "line": " Running linPEAS to check other privesc paths (see JDWP)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Enumerating the local MySQL Database to get other credentials"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 28, "seconds": 0}, "line": " Starting to investigate the Tomcat ports (8000, 8009, and 8080)"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then looking at Tomcat"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Doing SSH Tunnels from within a SSH Session (~c) to forward port 8000 without reconnecting to SSH"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 32, "seconds": 10}, "line": " Manually using JDB to execute a command via java.lang.Runtime"}, {"machine": "HackTheBox - AI", "videoId": "7n7YRntu3bc", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shellifier"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Begin of recon, wireshark nmap to see how it identified the hostname. 
The way this box is configured apache is placing the hostname when the \"Host: \" HTTP Header is not present."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Starting a bunch of automated tools. Nmap all ports, and gobuster to discover VHOST (virtual hosts) and files."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 9, "seconds": 55}, "line": " Checking dev.player.htb and identify the framework (Codiad) is being leaked in some javascript"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 12, "seconds": 25}, "line": " Checking chat.player.htb, nothing really here just hints at source code disclosure on other domains"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 14, "seconds": 5}, "line": " Checking staging.player.htb, sending an email leaks some interesting files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Checking player.htb/launcher, entering an email leaks some other PHP Files along with a JWT Token"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Discovering backup files, showing BurpSuite Pro can do it but I had added this feature in GoBuster"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Going over exactly what I did in GoBuster to add the DiscoverBackup feature"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 27, "seconds": 35}, "line": " Using GoBuster with the new feature to discover some PHP Source that leaks the JWT Secret"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Using JWT.IO to create our forged JWT and discover a new page that processes 
Video Files"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 37, "seconds": 25}, "line": " Looking into FFMPEG Vulnerabilities to discover an LFI, using \"Payload All The Things\" to exploit this. Grab files Apache Config, Config files in web directories, /proc/net to see listening ports"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Trying the telegen credentials we retrieved from /var/www/backup/service_config with various services. See we can login to 6686 but are in a locked down shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 51, "seconds": 45}, "line": " Running searchsploit to see an XAUTH command injection that allows for reading/writing files. Failing to writefiles, but can now read .php files grab more source code to get another credential (Peter)"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 55, "seconds": 45}, "line": " Peter's creds work at dev.player.htb which allows for uploading files. Uploading a php reverse shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 60, "seconds": 40}, "line": " Reverse shell returned. Running su -s /bin/bash telegen to bypass the restricted shell"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 61, "seconds": 30}, "line": " Noticing the XAUTH command actually wrote a file! Going back to see why we failed to write to web directories. 
Trying it again but turns out quotes/spaces are bad chars which would make dropping a webshell tough."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 64, "seconds": 50}, "line": " Giving up with XAUTH, running pspy64 with our SSH Shell to see a PHP File is running every minute, checking it out to see it includes a file WWW-DATA can write to and that there is a unserialize vulnerability"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 67, "seconds": 40}, "line": " Exploiting the unserialize() vulnerability to write an SSH Key to /root/.ssh/authorized_keys"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 73, "seconds": 53}, "line": " UNINTENDED METHOD: Exploiting Codiad by using the installation scripts left behind to install it to chat.player.htb"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 76, "seconds": 45}, "line": " Stepping through the installation script to understand the vulnerability. Upon install it writes unsanitized user input to the config.php directory"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 89, "seconds": 30}, "line": " Reverse shell returned as www-data! "}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 90, "seconds": 45}, "line": " UNINTENDED METHOD 2: Performing the Authenticated Codiad RCE, stepping through it in BurpSuite to understand what the exploit does. 
At the very end of the video we will examine codiad source to understand the vuln."}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 96, "seconds": 0}, "line": " Privesc from www-data by placing a PHP Rev Shell in the file the cron script included"}, {"machine": "HackTheBox - Player", "videoId": "JpzREo7XLOY", "timestamp": {"minutes": 98, "seconds": 35}, "line": " Analyzing the Source of Codiad to see why the CRLF Exploit worked."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of recon"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 1, "seconds": 58}, "line": " Taking a look at the webserver and seeing a GitLab signin page"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 2, "seconds": 53}, "line": " Using wget and exiftool to check metadata on files on the server to see when stuff was uploaded"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Running gobuster, explaining why we need the Wildcard flag on this box for this tool to work"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 5, "seconds": 50}, "line": " Finding the /help directory which has some javascript that contains the password to GitLab"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 10, "seconds": 28}, "line": " Logging into Gitlab with creds from the bookmark.html"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 11, "seconds": 11}, "line": " Showing how to do GoBuster with a cookie (gets past the wildcard issue earlier in the video)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 13, "seconds": 20}, "line": " Looking at snippets to see a Postgresql password"}, {"machine": "HackTheBox 
- Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 14, "seconds": 10}, "line": " Looking at Git Commit History of various files to see there's a post hook to upload merges to a webserver"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 16, "seconds": 10}, "line": " Creating a New Branch on Profile, adding a webshell, then merging it to trigger it to be uploaded to the server"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 19, "seconds": 10}, "line": " CMD PHP Shell is on the server, lets get a reverse shell."}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 20, "seconds": 5}, "line": " Reverse shell returned, setting up a proper pty with rows and cols"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ** BEGIN OF UNINTENDED WAY **"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 21, "seconds": 20}, "line": " Checking sudo to see we can do a git pull as root, and explaining git hooks"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 22, "seconds": 50}, "line": " Copying the git repo to a different directory so we take ownership of every file"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Creating a Post-Merge script that gives us a shell, then running sudo git pull to execute it as root"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 25, "seconds": 40}, "line": " Explaining why the copied directory still pulled new version from the website"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " **END OF UNINTENDED WAY**"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 26, "seconds": 
50}, "line": " Getting PostGres Creds"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Creating a PHP Script to dump the PostGres database"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 31, "seconds": 7}, "line": " Clave's password was in the database, logging in as that user"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Initial analysis of the RemoteConnection.exe file (strings)"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 35, "seconds": 10}, "line": " Looking at the file in Ghidra"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 39, "seconds": 30}, "line": " Lets just do some dynamic analysis with x32debug, switching over to windows"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Setting breakpoints around interesting strings and running the program"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 43, "seconds": 0}, "line": " Stepping through the program and seeing a password on the stack"}, {"machine": "HackTheBox - Bitlab", "videoId": "Fxq6oZ-H-xI", "timestamp": {"minutes": 48, "seconds": 20}, "line": " Using this credential to SSH into the box"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Begin of recon"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 3, "seconds": 18}, "line": " Checking out the HTTPS Certificate for potential hostnames"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 5, "seconds": 10}, "line": " Looking at api.craft.htb, appears to be some type of Documentation for the REST API"}, {"machine": "HackTheBox - Craft", "videoId": 
"3znkLWakuUA", "timestamp": {"minutes": 6, "seconds": 40}, "line": " Looking at gogs.craft.htb, no known exploits but there is some source code!"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 11, "seconds": 25}, "line": " Attempting to crack the JWT (fails)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 13, "seconds": 30}, "line": " Going back to the issues to see there is an eval() on user input"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 16, "seconds": 25}, "line": " Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 18, "seconds": 57}, "line": " Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 21, "seconds": 20}, "line": " Discovering Dinesh's credentials in an old git commit"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 25, "seconds": 5}, "line": " Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 28, "seconds": 28}, "line": " Testing Code Execution from the previous git issue, use the test.py script as a skeleton."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Getting a reverse shell with this exploit using exec(base64)"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 35, "seconds": 10}, "line": " Reverse Shell 
Returned"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 36, "seconds": 15}, "line": " Grabbing settings.py on the server to get a bunch of credentials"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Fixing our terminal to have the correct rows/columns so we can use vi"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 40, "seconds": 18}, "line": " Editing dbtest.py to dump all users from the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 45, "seconds": 25}, "line": " Manually crafting a JWT in Python to show what to do if you are successful at cracking... 
Then trying to create a JWT that is not signed"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 49, "seconds": 10}, "line": " Logging into GOGS with the credentials we got from dumping the database"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 50, "seconds": 20}, "line": " Gilfoyle has a private repo, lets download it"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 58, "seconds": 0}, "line": " An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS"}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Bunch of references to Vault in LinPEAS, looking into what this is."}, {"machine": "HackTheBox - Craft", "videoId": "3znkLWakuUA", "timestamp": {"minutes": 62, "seconds": 20}, "line": " The .vaulttoken file is saved creds, lets just use vault ssh to login to the box"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 58}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Using Wireshark to see why Nmap said HTTP 403"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Running GoBuster to identify /backup"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 7, "seconds": 5}, "line": " Performing a DNS Zone Transfer with dig axfr"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Manually playing with the login form to hunt for SQL Injection"}, {"machine": "HackTheBox - Smasher2", 
"videoId": "ELiicja60jI", "timestamp": {"minutes": 10, "seconds": 50}, "line": " Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 16, "seconds": 42}, "line": " Examining /auth endpoint"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 18, "seconds": 10}, "line": " Examining ses.so in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 20, "seconds": 31}, "line": " Renaming variables from Ghidra's decompiler to try to make sense of the code"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Examining get_internal_usr and pwd to discover the bug"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 33, "seconds": 20}, "line": " Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 36, "seconds": 50}, "line": " First time attaching the debugger - Seg faults for some reason."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Attaching the debugger again, this time it works. Explaining important registers"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Stepping through the code trying to make sense of registers. This part may not make sense."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### The RDI Value in the STRCMP was from my python script calling ses.so -- RSI is what the program thinks the password is. 
So if in the Python Script I used ippsec:ippsec, then it would be STRCMP('ippsec','ippsec')."}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 51, "seconds": 50}, "line": " Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 54, "seconds": 25}, "line": " Getting command execution"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 55, "seconds": 50}, "line": " Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 56, "seconds": 50}, "line": " Configuring burp to have a hotkey to \"Issue Repeater Request\" so we don't have to click send"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 57, "seconds": 18}, "line": " Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 61, "seconds": 0}, "line": " Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 65, "seconds": 5}, "line": " Running LinPEAS to identify paths to privesc"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 69, "seconds": 10}, "line": " Downloading the custom Linux Kernel Module: DHID then examine in Ghidra"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 72, "seconds": 0}, "line": " Looking at Snowscans blog to test the dev_read function"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 74, "seconds": 15}, "line": " Looking at the dev_mmap call"}, {"machine": "HackTheBox - Smasher2", "videoId": 
"ELiicja60jI", "timestamp": {"minutes": 75, "seconds": 20}, "line": " Looking at MWR LAbs paper on insecure MMAP use in kernel modules"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 76, "seconds": 30}, "line": " Explaining what we are going to do - Rewrite credentials in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 79, "seconds": 20}, "line": " Going over the first MMAP Call to map memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 81, "seconds": 5}, "line": " Setting a SSH CONFIG to make it easier to ssh and SCP into Smasher2"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 86, "seconds": 0}, "line": " Searching for a credential structure in memory"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 91, "seconds": 20}, "line": " Running GetUID to see if the cred structure we modified is ours, if not set it back"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 94, "seconds": 0}, "line": " Setting capabilities and running bash upon getting root"}, {"machine": "HackTheBox - Smasher2", "videoId": "ELiicja60jI", "timestamp": {"minutes": 96, "seconds": 10}, "line": " Showing what would of happened if we did not revert credentials back to original."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Previous Video: Intro to PHP Deserialization - https://youtu.be/HaW15aMzBUM"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 0, "seconds": 27}, "line": " Little bit of history about PHP Serialization"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 13}, "line": " Why is uploading Phar Files 
different than normal file upload vulns?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 2, "seconds": 42}, "line": " What are Phar Files?"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 3, "seconds": 38}, "line": " Prevention by disabling the phar stream wrapper"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Going over the PHP Upload script created for this video"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Reviewing a PHP Script to generate malicious PHAR Files"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Setting our PHP Config to allow PHAR to operate in Read/Write mode"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Showing we can control the beginning bytes of the PHAR File to trick magic byte checks"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Copying the logging class from the intro to deserialization video into our upload script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 9, "seconds": 35}, "line": " Adding the PHP Object/POP Chain to our PHAR Generation Script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Starting a PHP Webserver so we can upload our image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 12, "seconds": 20}, "line": " Explaining why the 
existing image upload script, isn't vulnerable."}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Creating a separate script which performs the file operation unlink() against user input"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Adding the PHP Object to our script"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 17, "seconds": 17}, "line": " Begin of adding a phar file to a legitimate image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Modifying our PHAR File to also be a valid image"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 20, "seconds": 12}, "line": " Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Mentioning PHPGGC which is handy to utilize with this exploit"}, {"machine": "Advanced PHP Deserialization - Phar Files", "videoId": "fHZKSCMWqF4", "timestamp": {"minutes": 22, "seconds": 13}, "line": " Showing how to unregister PHP Stream wrappers to prevent this attack"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Background information, showing variables are point in time"}, {"machine": "Intro to PHP Deserialization / Object 
Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 3, "seconds": 40}, "line": " Creating a PHP Class and Object"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Serializing the Object and going over the format"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Converting the script to accept a PHP Object via WebRequest"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Explaining PHP Deserialization Gadgets"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 10, "seconds": 5}, "line": " Creating Attack.php in order to quickly generate PHP Objects"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Creating exploit.sh which will just send our malicious object to the webserver"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Going over PHP Magic Methods"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Adding the __toString class that we can create a gadget to get to in order to read files"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Adding the new class to our attack script and reading /etc/passwd"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 17, "seconds": 40}, "line": " Demonstrating \"Class Path\" by creating an __destruct() method in another php file 
and including it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Adding the LogFile to our class path and using it to drop a file"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 20, "seconds": 0}, "line": " Didn't work! Our script errored and PHP never destroyed our object so code didn't run"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Moving the LogFile gadget to our isAdmin check, which works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 21, "seconds": 35}, "line": " Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right, this may be wrong read PHPGGC Source to see how it works"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 14}, "line": " Showing if an function is called from another functions magic method, we can craft a gadget to get to it"}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 25, "seconds": 41}, "line": " Adding pwned function to attack. 
This is prior to us having a magic method call pwned, just to demonstrate you can't call any function."}, {"machine": "Intro to PHP Deserialization / Object Injection", "videoId": "HaW15aMzBUM", "timestamp": {"minutes": 27, "seconds": 20}, "line": " Making ReadFile() call pwn when destroyed"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Start of recon"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Running GoBuster to discover the /monitoring directory"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Running hydra to try to brute force the HTTP Authentication (Does not work due to it being a secure password)"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Bypassing the AUTH Request by changing to a POST \u2014 Explain why this works later"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Looking at the Centreon Changelog to look for any exploits"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 10}, "line": " There aren\u2019t any unauthenticated exploits, lets brute force a login. 
The main way uses a CSRF Token."}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Bypassing the CSRF by using the Centreon API"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Using wfuzz to brute force the API Login and get admin:Password1"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 14, "seconds": 15}, "line": " Changing the Monitoring Engine Binary under Configure Pollers to get code execution"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 16, "seconds": 15}, "line": " Trying to ping ourselves, find out we can\u2019t use space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 17, "seconds": 10}, "line": " Using IFS to instead of space"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 20, "seconds": 11}, "line": " Ping worked, trying to do a Reverse Shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 23, "seconds": 50}, "line": " The reverse shell didn\u2019t work lets do some debugging"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 25, "seconds": 55}, "line": " Adding a semicolon at the end of the script and getting a reverse shell"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 26, "seconds": 20}, "line": " Reverse shell returned, lets build a proper TTY with ROWS and COLUMNS so we can do things like vi"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Searching for files between two dates"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Discovering backup which is a PYC File, using uncompyle to decompile it"}, {"machine": 
"HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 34, "seconds": 55}, "line": " Getting Shelby\u2019s password out of the backup script"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 35, "seconds": 45}, "line": " Using LinPEAS instead of LinEnum to look for privescs"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 43, "seconds": 10}, "line": " Exploiting Screen-4.5.0 to get root"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ## Extra"}, {"machine": "HackTheBox - Wall", "videoId": "SyWUsN0yHKI", "timestamp": {"minutes": 46, "seconds": 30}, "line": " Static Code Analysis tip, looking for dangerous functions"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of recon\r"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 25}, "line": " Logging into the webpage as guest and viewing attachments"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 4, "seconds": 45}, "line": " Examining the cisco type 7 passwords, using ciscot7"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Decrypting the MD5Crypt password using Hashcat"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 10, "seconds": 20}, "line": " Using CrackMapExec to perform a SMB password spray with users/credentials we have"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Using Metasploit to do the same thing (smb_login), to show it keeps tracks of creds. Then doing a WinRM Login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 14, "seconds": 10}, "line": " WinRM Login was unsuccessful. 
Lets see if we can enumerate users with Impacket's lookupsid"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Using RPCClient to replicate how LookupSID did the RID/SID Bruteforce, so we can understand it"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 19, "seconds": 25}, "line": " Doing the Winrm_Login again with new usernames and see Chase can login"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 20, "seconds": 25}, "line": " Using Evil WinRM to login to the box"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Low Priv shell returned"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Examining wwwroot, and sourcecode to see if we can get a shell as the IIS User (cannot)"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 26, "seconds": 45}, "line": " See firefox running with Get-Process"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Upload procdump64.exe to dump firefox's memory"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Running strings against the binary and finding the administrator password"}, {"machine": "HackTheBox - Heist", "videoId": "fmBb6BgLsC8", "timestamp": {"minutes": 34, "seconds": 35}, "line": " Testing logins with WinRM and CME, to see Administrator could PSEXEC or WinRM"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of recon"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 2, "seconds": 45}, "line": " Downloading and analyzing the files off the anonymous FTP Directory"}, 
{"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Looking into solidity to see what these files are about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 6, "seconds": 30}, "line": " The full portscan finished, trying to find out what port 9810"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 7, "seconds": 5}, "line": " Recommended reading to understand blockchain fundamentals"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Begin writing the script to interact with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Calling the getDomain function, then setting the domain to our IP and seeing the ping"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Command injection found, getting a reverse shell via bash"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 17, "seconds": 10}, "line": " Checking the source code to see why this worked"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Looking into what IPFS is (found in administrators home directory)"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 33}, "line": " Running ipfs refs local to list all files"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Dropping a SSH Key so we can get off this reverse shell"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 23, "seconds": 15}, "line": " Writing a loop around ipfs refs local to list all the files, then cat the 
emails."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 26, "seconds": 45}, "line": " Cracking the SSH Key with sshng2john and john"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 29, "seconds": 27}, "line": " Exploiting the ChainsawClub via path injection and the program executing sudo via a non-absolute path"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Explaining the package managers place things in */local/* directories."}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Writing a loop around dpkg --search to find binaries in the path that the systems package manager doesn't know about"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 36, "seconds": 11}, "line": " Explaining file blocks and slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 37, "seconds": 25}, "line": " Using bmap to extract data out of slack space"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Exploiting ChainsawClub the intended way by playing with the smart contract"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Calling setUsername to create ippsec, then setPassword to create a password"}, {"machine": "HackTheBox - Chainsaw", "videoId": "vESegBSrm_U", "timestamp": {"minutes": 51, "seconds": 20}, "line": " Running setApprove and transfer to satisfy the other things, then logging into the ChainsawClub"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of recon"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 1, 
"seconds": 45}, "line": " Looking at the website, checking source, robots.txt, etc"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Using GoBuster with PHP Extensions as HTTP Header said it had PHP Enabled"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Writing a simple PHP Code Execution script and trying to upload it"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Discovery of backup.tar, examining timestamps between downloading with wget/firefox"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Searching php scripts for superglobals as that will show user-input"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 11, "seconds": 10}, "line": " Explaining what magic bytes are"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Using PHP interactive mode to demonstrate what is happening"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 16, "seconds": 15}, "line": " Showing error codes are different based upon where image validation failed"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Uploading a malicious PHP Shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 18, "seconds": 40}, "line": " Navigating to our php shell and getting a reverse shell"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 21, "seconds": 40}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 23, "seconds": 40}, "line": " 
Examining check_attack.php to discover vulnerability when doing exec() to escalate to guly"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Explaining the code execution vulnerability of creating a malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Creating the malicious file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 31, "seconds": 57}, "line": " Shell returned as Guly, checking sudo list"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 33, "seconds": 9}, "line": " Examining the changename.sh script (guly can run it as root)"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Exploiting the script by inserting a command into a network configuration file"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 38, "seconds": 40}, "line": " Explaining why Apache executed PHP when files did not have the PHP Extension"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 39, "seconds": 8}, "line": " Checking php.conf to see it was user created"}, {"machine": "HackTheBox - Networked", "videoId": "H3t3G70bakM", "timestamp": {"minutes": 41, "seconds": 15}, "line": " Modifying php.conf to include \"FilesMatch .php$\", so it only executes php when the name ends in .php"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Running Gobuster and examining the web page"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 10}, "line": " Room.php is 
the only page that accepts user input, basic testing for SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Using wfuzz to fuzz for special characters then getting our IP Banned :("}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Unbanned, running wfuzz again and examining unique responses"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Showing several ways to test for SQL Injection (subtraction and hex())"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Examining the MySQL Query Structure"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Explaining Union Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Nested queries with union statements"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Extracting information out of Information_Schema to databases, tables, columns"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 24, "seconds": 8}, "line": " Using LIMIT to ensure only one row is returned"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 25, "seconds": 25}, "line": " Using GROUP_CONCAT to allow us to return multiple rows within union"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Extracting Mysql users/passwords then cracking MySQL (mode 300)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 35, "seconds": 10}, "line": " Another way to get the password, LOAD_FILE() to view PHP 
Source Code"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 42, "seconds": 30}, "line": " PHPMyAdmin 4.8.0 RCE (LFI + Tainted PHP Cookie)"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 57, "seconds": 40}, "line": " Dropping a shell via the PHPMyAdmin exploit"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 59, "seconds": 30}, "line": " ALTERNATE Way to get Shell: Dropping a file from the SQL Injection"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 63, "seconds": 52}, "line": " Examining the PHP Cookie to see what happened with the PHPMyAdmin stuff"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 65, "seconds": 45}, "line": " Examining the Python Script we can execute as pepper with sudo"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 70, "seconds": 40}, "line": " We can execute code with $() but there are bad characters, so drop a bash script to disk"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 75, "seconds": 0}, "line": " Running find to look for setuid binaries, discover systemctl then check GTFO Bins"}, {"machine": "HackTheBox - Jarvis", "videoId": "YHHWvXBfwQ8", "timestamp": {"minutes": 81, "seconds": 15}, "line": " Copying our Systemctl Scripts out of /tmp then creating our malicious service"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 0, "seconds": 54}, "line": " Begin of Recon find Elastic Search on 9200"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (forensic tip)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 
3, "seconds": 55}, "line": " Navigating to port 9200 and seeing the Elastic Search JSON Response"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 4, "seconds": 48}, "line": " Searching Elastic Search Documentation to see how to make queries"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Using /_cat/indices to see the \"tables\" within ES"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 7, "seconds": 37}, "line": " Using /quotes/_search to dump the Quotes index, then using jq to extract desired data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 13, "seconds": 20}, "line": " Lets switch over to Python to extract this data so we can translate this into English"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Installing googletrans, so our script can translate this. 
Using python3 cli to test this out"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 20, "seconds": 10}, "line": " Adding googletrans to our script"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 21, "seconds": 10}, "line": " Running our script to translate everything and then using grep to \"find the needle\""}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 22, "seconds": 50}, "line": " SSH'ing to the box with the security user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Running LinEnum, noticing kibana listening on 5601"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Creating a Local Port forward so we can access kibana from out box"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 29, "seconds": 50}, "line": " Checking Kibana's version to see there are known exploits for it"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 30, "seconds": 50}, "line": " Getting a reverse shell as the Kibana user"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Using find to see what files the kibana user can write to"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 37, "seconds": 10}, "line": " Going into the Logstash directory to see that it will execute code with a specific log message"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 38, "seconds": 45}, "line": " Explaining the logstash pipeline of how it gets data"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 39, "seconds": 33}, "line": " Getting a reverse shell as the LogStash 
user (root)"}, {"machine": "HackTheBox - Haystack", "videoId": "oGO9MEIz_tI", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Begin of nmap"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 2, "seconds": 31}, "line": " Discovering MyApp in the HTML Source"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Examining MyApp on port 1337"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Opening myapp up in Ghidra"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Testing out the buffer overflow"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Using pattern search to see where we can overwrite RSP"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Create a PwnTool Skeleton and having it call main instead of crashing"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Testing calling main (error: need to do recvline to send text)"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 13, "seconds": 50}, "line": " Explaining hijacking the SYSTEM() call"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 11}, "line": " Finding a way to put user input into RDI "}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Examining the Test Function which places RSP to RDI"}, {"machine": "HackTheBox - 
Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Finding a pop r13 as the Test Function jumps to r13"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Putting the gadget together for code execution"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Setting pwntools to exploit the remote host"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Shell on the box"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 29, "seconds": 15}, "line": " Dropping SSH Key to get a normal shell and copying keepass files"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 31, "seconds": 40}, "line": " Using keepass2john to create hashes to crack"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Cracking keepass hashes with hashcat"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Using kpcli to export the root password"}, {"machine": "HackTheBox - Safe", "videoId": "CO_g3wtC7rk", "timestamp": {"minutes": 39, "seconds": 20}, "line": " Using the root password to su to the root user"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 1, "seconds": 12}, "line": " Begin of recon, examining website seeing the \"Hackers\" Theme"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Demoing how this is fixed now, with Werkzeug requiring a pin code"}, {"machine": "HackTheBox - 
Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Testing if we can connect back to our host with ping or curl (cannot)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Dropping a SSH Key via python since we cannot reverse shell"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 0}, "line": " SSH into the box as the HAL User and clean up the authorized_key file"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 13, "seconds": 50}, "line": " Using xclip to copy and run LinEnum due to a firewall preventing us from curling it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 22, "seconds": 27}, "line": " Checking out the Garbage SetUID Binary as HAL to discover he cannot run it"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 24, "seconds": 20}, "line": " Using Ghidra to verify we are not missing any functionality"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Using find to discover what files the adm group is an owner of"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password)"}, {"machine": "HackTheBox 
- Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 35, "seconds": 30}, "line": " Using Ghidra to discover the hardcoded password in the garbage binary"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Exploring the binary, using Ghidra to see if there are any hidden menu options"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 41, "seconds": 30}, "line": " Installing GDB Enhanced Features (GEF) and pwntools for python3"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 44, "seconds": 20}, "line": " Poorly explaining leaking memory addresses by creating a ROP Chain with puts"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 48, "seconds": 50}, "line": " Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh)"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 49, "seconds": 20}, "line": " Using pattern create and offset/search within gef to RSP Overwrite Location"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Using ropper to discover a pop rdi gadget"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 53, "seconds": 40}, "line": " Begin creating the pwntools skeleton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak."}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 66, "seconds": 30}, "line": " Using Readelf to get important locations in libc and strings to get location of /bin/sh. 
Then performing all the calculations based upon memory leak"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 75, "seconds": 41}, "line": " Putting it all together to create a gadget chain to get a shell"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 80, "seconds": 0}, "line": " Replacing libc memory locations with the ones installed on ellingson"}, {"machine": "HackTheBox - Ellingson", "videoId": "XVYgBetSvS8", "timestamp": {"minutes": 82, "seconds": 30}, "line": " Running the exploit, getting a root shell, then documenting the code"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 1, "seconds": 4}, "line": " Start of recon identifying a debian box based upon banners"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Taking a look at the website, has warnings about DOS type attacks."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 3, "seconds": 17}, "line": " Discovering the /writeup/ directory in robots.txt"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 4, "seconds": 18}, "line": " Checking the HTML Source to see if there's any information about what generated this page. Discover CMS Made Simple"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 5, "seconds": 15}, "line": " CMS Made Simple is an opensource product. 
Search through the source code to discover a way to identify version information."}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Using SearchSploit to find an exploit"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 9, "seconds": 5}, "line": " Running the exploit script with a bad URL and triggering the servers anti-DOS protection"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 10, "seconds": 10}, "line": " Running the exploit script with correct URL and analyze the HTTP Requests it makes via Wireshark to see how the SQL Injection works"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Explaining how password salts work"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Using Hashcat to crack a salted md5sum"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Demonstrating the --username flag in hashcat, this allows you to associate cracked passwords to users"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 24, "seconds": 14}, "line": " Begin of low-priv shell, running LinEnum to discover we are a member of staff"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 27, "seconds": 58}, "line": " Using google to see what the Staff group can do (edit /usr/local/bin)"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 28, "seconds": 40}, "line": " Explaining path injection"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 29, "seconds": 40}, "line": " Using PSPY to display all the processes that start on linux, useful for finding crons or short-running 
processes"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 31, "seconds": 58}, "line": " Running PSPY to see run-parts is called without an absolute path upon user login"}, {"machine": "HackTheBox - Writeup", "videoId": "GKq4cwBfH24", "timestamp": {"minutes": 33, "seconds": 13}, "line": " Performing the relative path injection by creating the file /usr/local/bin/run-parts which will drop our SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 1, "seconds": 29}, "line": " Begin of Recon, notice multiple SSH Host Keys"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Discovering the HTTPD Website has a PHP Script, Run SQLMap and update gobuster to find PHP"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Moving onto enumerating TOMCAT, default password (admin:admin) logs in and attempting to discover framework via google images"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Discovering that this TOMCAT page allows the ability to upload images and zips"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 10, "seconds": 45}, "line": " Explaining the ZipSlip Vulnerability"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 12, "seconds": 20}, "line": " Walking through how ZipSlip Works"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Start of using EvilArc with a PHP-Reverse-Shell to perform ZipSlip"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Reverse Shell Returned "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 18, "seconds": 51}, 
"line": " Looking at Secret.php to get potential usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 22, "seconds": 20}, "line": " Discovering tomcat listens on port 8080 then use that to drop SSH Key to get root (Unintended Path)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 25, "seconds": 55}, "line": " Enumerating HTTPD PHP Scripts and TOMCAT Config to find some usernames and passwords"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Using find to list files modified between two dates"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 39, "seconds": 30}, "line": " Copying SSH Keys back to our box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Logging into SSH over port 22 with Kaneki and SSH Key"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Creating a bash script to perform a ping scan to discover other hosts"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 49, "seconds": 55}, "line": " Extracting additional usernames from ~/.ssh/authorized_keys file and SSH Into the host"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 52, "seconds": 12}, "line": " Running the HostScan utility again to find another host, then modifying script to do a portscan"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 55, "seconds": 0}, "line": " Tunneling to the GOGS Box via SSH Tunnels"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 58, "seconds": 0}, "line": " Verifying the tunnel works by going to the GOGS HomePage and then searching for exploits"}, {"machine": "HackTheBox - Ghoul", 
"videoId": "kE36IGAU5rg", "timestamp": {"minutes": 59, "seconds": 15}, "line": " SearchSploit turned up nothing, lets search for CVE's and hunt for a POC (CVE-2018-18925)"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 60, "seconds": 25}, "line": " Copying the GOGS Exploit, and logging in with a password we previously found. Note: There is a tool called gogsownz, but it automates so much you don't really learn anything."}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 62, "seconds": 30}, "line": " Creating a Repository in GOGS then dropping a file to the box"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Uploading the file to the repo, then modifying our i_like_gogs cookie to load it via an LFI and becoming admin"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 66, "seconds": 38}, "line": " As an Admin now we can create a Git Hook to execute code upon updating and get a shell "}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 71, "seconds": 50}, "line": " Searching for what the gosu binary does, finding out it lets us privesc to root"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 78, "seconds": 15}, "line": " Examining the git history (git reflog) of the aogiri-chatapp found in the root directory to find credentials"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 82, "seconds": 0}, "line": " Escalating to root on kaneki-pc (second docker box) via password found"}, {"machine": "HackTheBox - Ghoul", "videoId": "kE36IGAU5rg", "timestamp": {"minutes": 85, "seconds": 0}, "line": " Abusing SSH Agents to intercept the \"SSO Like Token\" and swim upstream to the Host OS"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 0, 
"seconds": 45}, "line": " Begin of recon"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 1, "seconds": 36}, "line": " Examining the web page to find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Whoops should of done apt search magescan, either way this package is not in Kali"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Running MageScan to scan the website"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Finding an open configuration file (app/etc/local.xml)"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Running searchsploit to identify public exploits"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Examining an exploit that will add an administrative user via SQL Injection"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Running the exploit out of the box didn't work, send it through burp in order to debug it"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Exploit needed to be modified to include index.php due to mod-rewrite misconfig"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 19, "seconds": 25}, "line": " Going back to SearchSploit and using the Authenticated RCE Exploit"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Making the obvious changes to fix the exploit script"}, {"machine": "HackTheBox - Swagshop", "videoId": 
"qECG2_8xw_s", "timestamp": {"minutes": 24, "seconds": 17}, "line": " Debugging the exploit by running it through burpsuite, find out we need to use an login page"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Bit more in-depth debugging by setting a breakpoint with pdb"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 30, "seconds": 30}, "line": " The regex is failing due to page not returning anything, the URL has a time span lets increase that"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 33, "seconds": 15}, "line": " Finally fixed this exploit! Reverse Shell Returned"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 35, "seconds": 30}, "line": " Noticing we can exec vim with sudo, lets privesc"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 37, "seconds": 10}, "line": " Mentioning GTFOBins which helps find privesc paths from privileged programs"}, {"machine": "HackTheBox - Swagshop", "videoId": "qECG2_8xw_s", "timestamp": {"minutes": 38, "seconds": 15}, "line": " EXTRA: Examining the PHP Object Injection RCE Exploit"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Examining login request while GoBuster runs"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 5, "seconds": 35}, "line": " Noticing weird behavior by modifying db parameter in login request"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Finding what the Error numbers mean. 
(SQL Error Codes)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Testing if we can trick the application into authentication against us"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Starting up metasploit to steal the login hash of a MYSQL Login"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Cracking the MySQL Hash with Hashcat"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Creating a database locally for the application to authenticate to"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Examining what MySQL Does after authentication in Wireshark"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Creating the database structure so the application will authenticate against our database"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Begin of the File Encryptor PHP App"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Performing a Known Plaintext attack against the RC4 Encryption"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Explaining the Known Plaintext"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Creating a Python Script to perform a SSRF attack and decrypt content"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 54, "seconds": 25}, "line": " Script done, discovering a LFI Exploit in /dev/"}, {"machine": "HackTheBox - 
Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 57, "seconds": 30}, "line": " Using PHP Filters to convert LFI to source code disclosure"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 59, "seconds": 50}, "line": " Extracting sqlite_test_page.php source code"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 61, "seconds": 0}, "line": " Manually analyzing the source code to discover a way to write files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 63, "seconds": 0}, "line": " Checking PayloadAllTheThings to get a payload for dropping files"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 75, "seconds": 38}, "line": " Testing dropping a php script for code execution"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 78, "seconds": 0}, "line": " Using Chankro to bypass PHP Disabled functions"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 80, "seconds": 45}, "line": " Creating a PHP Script to download Chankro Script to avoid bad characters in the RCE"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 84, "seconds": 50}, "line": " Reverse shell returned, finding a VIMCrypted file in Rijndael Home"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 85, "seconds": 35}, "line": " Decrypting Creds.txt with a known plaintext attack in VimCrypt 02 (Blowfish)"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 88, "seconds": 20}, "line": " Downloading the files to our local box and explaining the attack"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 90, "seconds": 30}, "line": " Copying our Python Script from earlier and modify it to work with our VIM File"}, 
{"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 98, "seconds": 20}, "line": " Decrypted the creds and use them to SSH"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 99, "seconds": 10}, "line": " Analyzing the kryptos.py file"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 101, "seconds": 0}, "line": " Testing how random the random is"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 106, "seconds": 0}, "line": " Creating a python script to bruteforce the key as we know the randomness is broken"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 117, "seconds": 0}, "line": " Script to brute force signing key done"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 118, "seconds": 45}, "line": " Getting code execution within the eval statement"}, {"machine": "HackTheBox - Kryptos", "videoId": "4uCoI5YzOwk", "timestamp": {"minutes": 124, "seconds": 30}, "line": " Extra content, showing by using the encrypt method twice early on \u2014 you can decrypt pages"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 2, "seconds": 45}, "line": " Checking FTP to get a note"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 3, "seconds": 38}, "line": " Going to each of the three websites"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Running Gobuster on port 80/3000"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Taking notes of all the login pages (forgot Ajenti)"}, {"machine": "HackTheBox - Luke", "videoId": 
"gaBdfD4BGBo", "timestamp": {"minutes": 7, "seconds": 55}, "line": " config.php found which has a password"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Discovering /login on port 3000 accepts username=&password= "}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 11, "seconds": 25}, "line": " Successful login! JWT Token returned"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Using curl to add the JWT Token in the header to access other api endpoints"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 15, "seconds": 10}, "line": " Using BurpSuite to add headers"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Navigating the Rest API to dump the usernames and passwords"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Attempting logins on other services"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Derry can login to /management"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 50}, "line": " Ajenti Password! 
Lets try logging in"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Ajenti has a virtual terminal that is running as root!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 26, "seconds": 20}, "line": " Extra Content - Getting a reverse shell"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Grabbing the JWT Secret, so we can forge our own tokens!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 29, "seconds": 10}, "line": " Creating a python script to generate JWT Tokens"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 30, "seconds": 20}, "line": " This token has no expiration time, and is assigned at 0. Should never expire!"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Adding Requests to our script, so the script can make web requests"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 33, "seconds": 15}, "line": " Lets try removing all signing algorithms from the token and see if server accepts it"}, {"machine": "HackTheBox - Luke", "videoId": "gaBdfD4BGBo", "timestamp": {"minutes": 34, "seconds": 40}, "line": " Cracking the JWT Token Signing key with Hashcat"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 1, "seconds": 33}, "line": " Begin of recon"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Using SMBClient to view open shares, discover /Backups"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Mount the SMB Share "}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 3, "seconds": 40}, "line": " 
Playing with SMBMap which is a bit more automated but write files!"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 5, "seconds": 22}, "line": " Checking out files in the /Backups share"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Using 7zip to view files in a VHD file"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Installing libguestfs-tools in order to use guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 9, "seconds": 25}, "line": " Mounting the VHD with guestmount"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Extracting local passwords from SAM and SYSTEM with secretsdump"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 13, "seconds": 30}, "line": " Cracking the hash and then using SSH to login to the box"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Viewing local administrators and seeing administrators is not actually disabled (backup indicated it was)"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Running JAWS"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 19, "seconds": 30}, "line": " Discovering mRemoteNG installed"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Looks like there is a way to decrypt passwords stored in mRemoteNG"}, {"machine": "HackTheBox - Bastion", "videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 21, "seconds": 40}, "line": " Installing mRemoteNG-Decrypt then decrypting the passwords in the config"}, {"machine": "HackTheBox - Bastion", 
"videoId": "2j3FNp5pjQ4", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Using PSEXEC or SSH to remote in as administrator"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 0, "seconds": 42}, "line": " Begin of recon"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 1, "seconds": 8}, "line": " Examining the webpage "}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 4, "seconds": 28}, "line": " Discovering SFTP Credentials on the web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Playing with the SFTP Server"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Discovering the SymLink command to break out of home directory"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 9, "seconds": 40}, "line": " Symlinking the root directory to find the source of login.php through VIM SWP Files."}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Second way to get source code, symlink with a file naming ending in not PHP"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Examining the source code to login.php and getting a hard coded username"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 18, "seconds": 10}, "line": " Examining index.php to see how to access a login portal (admin)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 19, "seconds": 20}, "line": " Using SSH to do port forwarding (Reddish)"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 21, "seconds": 20}, "line": " 
Examining the admin web page"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 24, "seconds": 13}, "line": " Examining the Apache Rewrite Engine Rules"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 25, "seconds": 10}, "line": " Checking the source code to addon-manager to identify how upload/download features work"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 26, "seconds": 15}, "line": " Explaining the Rewrite attack"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 30, "seconds": 40}, "line": " Uploading a reverse shell, then executing"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Reverse shell returned"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 34, "seconds": 30}, "line": " Can sudo with apt, checking GTFO Bins"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Looks like we can MITM Apt due to passing a proxy through sudo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Configuring Burp to act as an HTTP Proxy and pass it to Python"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 40, "seconds": 50}, "line": " Creating the Malicious APT Repo"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 45, "seconds": 30}, "line": " Creating the Malicious Deb File"}, {"machine": "HackTheBox - OneTwoSeven", "videoId": "EXuEDHFjS9E", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Getting the Root Shell"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of 
recon"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Running GoBuster to discover /dev and index.php"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Checking out the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 7, "seconds": 55}, "line": " Discovering SQL Injection in ID and playing with it"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 11, "seconds": 45}, "line": " Running SQLMap to dump pieces of the database"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 14, "seconds": 55}, "line": " Nginx Misconfiguration, missing trailing slash"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Downloading source code of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 21, "seconds": 20}, "line": " Exploring the source of the application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 25, "seconds": 47}, "line": " Specifying an error string in SQLMap to have it do boolean logic versus time-based"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Installing a Docker LAMP Server to run the web application"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 45, "seconds": 40}, "line": " Finally got the application running locally (Missed a comma which created a lot more work)"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 46, "seconds": 15}, "line": " Analyzing the SQL Injection with Debug turned on to see how it works"}, {"machine": "HackTheBox - 
Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Explanation of gaining code execution through an LFI + PHP Cookies"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 53, "seconds": 0}, "line": " Exploring the cookie"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 55, "seconds": 40}, "line": " Have code execution on our docker, lets exploit the server"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Reverse Shell returned"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 62, "seconds": 35}, "line": " Exploring MySQL database and escalating to GULY"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 68, "seconds": 30}, "line": " Running LinEnum as Guly and going through the results"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 72, "seconds": 0}, "line": " Exploring files Guly can access due to Grub Group, downloading initrd"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 74, "seconds": 10}, "line": " Decompressing initrd.img and looking for the file GULY modified"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 81, "seconds": 20}, "line": " Running STRACE to see what uinitrd does"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 84, "seconds": 20}, "line": " Running uinitrd after modifying /etc/hosts and /boot/guid"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 86, "seconds": 20}, "line": " Extra Content: If you had trouble with TTY, SSH is accessible via IPv6"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 90, 
"seconds": 50}, "line": " Extra Content: Runing GIXY to analyze the NGINX Configuration"}, {"machine": "HackTheBox - Unattended", "videoId": "2SATzCQY0Zw", "timestamp": {"minutes": 95, "seconds": 20}, "line": " Extra Content: Looking at uinitrd in Ghidra"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 0, "seconds": 35}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 1, "seconds": 42}, "line": " Checking the ManageEngine Page"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 2, "seconds": 23}, "line": " Running Searchsploit to see potential exploits"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 3, "seconds": 40}, "line": " Enumerating valid usernames via AjaxDomainServlet"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Logging in with guest:guest"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 7, "seconds": 10}, "line": " Running the privilege escalation script to get Administrator access"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Searching for information on this exploit"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Blog post missing... 
Searching Archive.org and Google Cache for a mirror"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Making curl go through burp to step through the exploit in BurpSuite"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Copying the admin cookies into FireFox "}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 19, "seconds": 25}, "line": " Going to Admin then Custom Triggers to execute code on the server"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Getting a reverse shell via Nishang"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Using iconv to create UTF-16LE encoded Base64 for use with \"-EncodedCommand\" option"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 25, "seconds": 45}, "line": " Reverse Shell as System returned, but EFS Protects the flags"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 26, "seconds": 45}, "line": " Finding interesting files with get-childitem -recurse . | select FullName"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Copying mimikatz over to the box to steal NTLM Hashes"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Defender blocked us. 
Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 32, "seconds": 50}, "line": " Using hashes.org to view password of Zachary, checking his groups to see he can view event logs"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Doing some powershell goodness to search event logs!"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 40, "seconds": 50}, "line": " Extracting ProcessCommandLine from the logs (Tolu Password), it's a shame Nishang screws with how some commands output to stdout. This could have been a lot cleaner."}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 43, "seconds": 0}, "line": " Using Mimikatz to decrypt the EFS Protected file with Tolu's password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 57, "seconds": 25}, "line": " Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 60, "seconds": 20}, "line": " admin-pass is the output of SecureString, lets decrypt it to get the admin password"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 62, "seconds": 20}, "line": " Using Invoke-Command with the credential object created to execute commands as administrator"}, {"machine": "HackTheBox - Helpline", "videoId": "Vs3oSDlzxwA", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Cannot read root.txt because of \"Double Hop Problem\" (how PowerShell Authenticates), using CredSSP Authentication to fix this."}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Begin of Recon "}, {"machine": "HackTheBox - Arkham", "videoId": 
"krC5j1Ab44I", "timestamp": {"minutes": 2, "seconds": 20}, "line": " Checking the WebPages"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Examining /userSubscribe.faces, to discover potential deserialization"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Exploring javax.faces.ViewState"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 5, "seconds": 50}, "line": " Googling around to see what an unencrypted serialized object should look like"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 7, "seconds": 15}, "line": " Checking out SMB to discover an openshare"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Downloading appserver.zip from batshare via smbclient"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Cracking a luks encrypted file with dd and hashcat"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Luks cracked, mounting the disk with luksOpen"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Discovery of the secret used to encrypt the java object"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 18, "seconds": 10}, "line": " Creating a python script to decrypt the ViewState to verify we have correct crypto settings"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 23, "seconds": 10}, "line": " Script completed, lets test the decryption!"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 24, "seconds": 15}, "line": " Downloading ysoserial to create a 
deserialization CommonCollections gadget"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Creating a python script to exploit the deserialization vuln"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Script complete! We got a ping, testing the MyFaces serialization objects (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Modifying the script to run commands other than what ySoSerial provided"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 41, "seconds": 10}, "line": " Script updates finished, trying to get a reverse shell via nishang (did not work)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 42, "seconds": 40}, "line": " Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Downloading netcat to upload to the box"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Netcat returned a powershell reverse shell "}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 47, "seconds": 20}, "line": " Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Using evolution to view mbox file and find Batman's password"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 52, "seconds": 45}, "line": " Using Powershell's Invoke-Command to execute commands as Batman (like runas)"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", 
"timestamp": {"minutes": 55, "seconds": 40}, "line": " Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 58, "seconds": 10}, "line": " Unintended: Using net use to mount c$ and view the flag"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 59, "seconds": 30}, "line": " Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 10}, "line": " Using GreatSCT/MSBuild to launch Meterpreter"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 62, "seconds": 45}, "line": " While GreatSCT installs, create a DLL to return a reverse shell"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 66, "seconds": 0}, "line": " copying the DLL into c:\\users\\batman\\appdata\\local\\microsoft\\windowsapps"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 68, "seconds": 30}, "line": " Using GreatSCT to generate payloads"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 71, "seconds": 50}, "line": " Getting a Meterpreter Session then migrating into an interactive process"}, {"machine": "HackTheBox - Arkham", "videoId": "krC5j1Ab44I", "timestamp": {"minutes": 77, "seconds": 45}, "line": " Running SystemPropertiesAdvanced.exe, which elevates and executes our dll"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 1, "seconds": 4}, "line": " Begin of recon"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 4, "seconds": 41}, "line": " Exploring the web page on port 80"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": 
{"minutes": 6, "seconds": 2}, "line": " Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 6}, "line": " Creating a hotkey in Burpsuite to send requests in repeater pane"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 11, "seconds": 50}, "line": " Start of creating a python program to automate this"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 17, "seconds": 30}, "line": " Script finished"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Exploring /var/appsrv "}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Exploring authpf"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Hunting for the signing key for the CA to view HTTPS"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 24, "seconds": 40}, "line": " Copying the certificates to our box"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Creating and signing a Client Certificate"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Importing the certificate into FireFox"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 30, "seconds": 49}, "line": " Discovering the reason our certificate isn't working (time of server is behind)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 31, "seconds": 50}, "line": " Accessing the HTTPS Website to get a SSH key for NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": 
"_BLd046r-co", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Discovering additional ports are open after using SSH with NFSUSER"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 34, "seconds": 45}, "line": " Installing the NFS-COMMON package to get the showmount binary"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 35, "seconds": 10}, "line": " Mounting a NFS Share with Version 2"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Editing our User ID on our box to gain access to the NFS Directories"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Reading mail to discover that the root password is set to the Postgres databases root pw"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful)"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 40, "seconds": 20}, "line": " SSH into the box as Charlie and dumping the database"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 43, "seconds": 40}, "line": " Exploring the source code to the web application"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Copying the crypto python script to our box, which will let us decrypt it"}, {"machine": "HackTheBox - Fortune", "videoId": "_BLd046r-co", "timestamp": {"minutes": 47, "seconds": 40}, "line": " Copying the secrets into the crypto python script and decrypting the password"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Start of nmap"}, {"machine": "HackTheBox - 
LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Attempting to execute an VSFTPD Backdoor via MSF"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 3, "seconds": 40}, "line": " Discovering the backdoor opened 6200, discovering a weird shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Lets figure out what just happened"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Triggering the backdoor without Metasploit"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 9, "seconds": 5}, "line": " Exploring the Psy PHP Shell opened up by the backdoor"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 10, "seconds": 20}, "line": " Several functions for executing bash aren't working, checking disable_functions"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 11, "seconds": 40}, "line": " Attempting to bypass disabled_functions (does not work)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Using ScanDir() and File_Get_Contents(), to explore the filesystem"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 14, "seconds": 50}, "line": " Identifying we are probably running as the Dali User (Unintended Path)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Downloading CA.KEY, which is a private key to a webserver"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 21, "seconds": 40}, "line": " Using the CA.KEY to generate client certificates to access the HTTPS 
Page"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 30, "seconds": 25}, "line": " Weird it didn't work, lets just verify all our certificates are good"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 32, "seconds": 28}, "line": " This time it worked! We connected to the server"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 20}, "line": " Failing to add the certificate to BurpSuite"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 33, "seconds": 50}, "line": " Discovering File Traversal by editing the PATH variable"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 36, "seconds": 38}, "line": " Discovering the LFI just puts the path as Base64 Encoded"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 37, "seconds": 15}, "line": " Using the LFI to download the SSH Private Key"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 38, "seconds": 45}, "line": " Testing SSH Key against users on the box to gain access!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 39, "seconds": 13}, "line": " UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 40, "seconds": 30}, "line": " UNINTENDED: Using file_put_contents() to append our public key to authorized_keys"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 41, "seconds": 30}, "line": " UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy)"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 42, "seconds": 30}, "line": " 
UNINTENDED: Scanning ports on Dali that are listening on LocalHost"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 43, "seconds": 8}, "line": " UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 45, "seconds": 35}, "line": " Running PSPY and LinEnum"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 50, "seconds": 20}, "line": " Using PSPY to view FileSystem Events which will show the cron"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 52, "seconds": 30}, "line": " Taking control of ~/memcached.ini because we own the folder!"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 54, "seconds": 45}, "line": " Exploiting the cron that utilizes memcached.ini to get a root shell"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- Bonus"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 55, "seconds": 55}, "line": " Exploring how the SSL Authentication is working"}, {"machine": "HackTheBox - LaCasaDePapel", "videoId": "OSRCEOQQJ4E", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Exploring how the VSFTPD Backdoor was modified."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Support me on Patreon! 
https://patreon.com/ippsec"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 0, "seconds": 52}, "line": " Start of Recon, discovering CentOS Version via HTTPD Version"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 2, "seconds": 15}, "line": " Checking out the HTTP Page"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 3, "seconds": 32}, "line": " Checking out login.php"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 5, "seconds": 15}, "line": " Identifying a Secure Token is used, most likely STOKEN"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 7, "seconds": 5}, "line": " Failing to enumerate usernames through BruteForce"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Fuzzing the login form with special characters to identify a blacklist"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 11, "seconds": 45}, "line": " Trying Double URL Encoding to bypass the BlackList"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 12, "seconds": 55}, "line": " Explaining Double URL Encoding"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Discovering this is most likely a LDAP Injection"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 16, "seconds": 50}, "line": " Explaining how a LDAP Query Works"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 19, "seconds": 15}, "line": " Identifying the LDAP Query Structure with a Null Byte"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 20, "seconds": 40}, "line": " Injecting the WildCard (*) to enumerate usernames"}, {"machine": "HackTheBox - 
CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Using Wfuzz to extract the username"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Enumerating LDAP Attributes that are utilized"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 30, "seconds": 26}, "line": " Creating a python script to extract the Pager Attribute"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 41, "seconds": 38}, "line": " Script complete, lets extract the token"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 43, "seconds": 45}, "line": " Using STOKEN to generate the OTP and logging in"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Disabling NTP so we can match the server time"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 46, "seconds": 44}, "line": " Discovery of that second half of the original LDAP Query at 16 minutes."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 47, "seconds": 33}, "line": " Using a Null Byte to remove the GROUP Check."}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 50, "seconds": 33}, "line": " Running Commands"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 50, "seconds": 25}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 53, "seconds": 17}, "line": " Checking for the LDAP Bind password, then SSHing into the box"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 55, "seconds": 0}, "line": " Going over the /backup directory"}, {"machine": "HackTheBox - CTF", "videoId": "51JQg202csw", "timestamp": {"minutes": 58, "seconds": 20}, "line": " 
Using ListFiles to have 7za print out the contents of root.txt"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of Recon"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 4, "seconds": 10}, "line": " Running SMBMap to identify and crawl file shares"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Downloading creds.txt from an smb share and checking FTP/SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Checking the webpage and grabbing potential DNS Names for the box"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 10, "seconds": 40}, "line": " Using dig to perform a DNS Zone Transfer to obtain additional host names"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Adding all hostnames to /etc/hosts"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 12, "seconds": 55}, "line": " Running Aquatone to take screenshots of all the pages for quick examination"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Testing Uploads.Friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Testing admin.friendzone.red"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Testing administrator1.friendzone.red, logging in with creds found from SMB"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 18, "seconds": 35}, "line": " Found an LFI in the Dashboard.PHP script (PageName Variable)"}, {"machine": 
"HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 20, "seconds": 15}, "line": " Using PHP Wrappers with the LFI To obtain PHP Script Source"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Revisiting recon to find ways to upload files, end up using SMBClient"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 25, "seconds": 10}, "line": " Gaining code execution through the LFI Exploit and SMB File Share"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Exploring /var/www/html to see if any troll directories had useful files in them, find creds to Friend user"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 31, "seconds": 20}, "line": " Running PSPY to identify cron jobs we don't have permission to see"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 33, "seconds": 15}, "line": " Running LinEnum.sh to enumerate the box and discover the Python OS Library is writeable"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 38, "seconds": 20}, "line": " Fixing our reverse shell by setting ROWS and COLUMNS of our terminal so we can use Vi"}, {"machine": "HackTheBox - FriendZone", "videoId": "Zf8p49IzEEA", "timestamp": {"minutes": 40, "seconds": 45}, "line": " Placing a reverse shell in the Python OS library"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of Recon, discovery of an HTTP API that 
has a few commands"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Using JQ to parse json output, use NetStat/Proc to find GoPhish"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Logging into GoPhish with default creds admin:gophish, finding DNS Names"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Discovery of Obfuscated JavaScript Deobfuscating it to find a hidden section"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 33, "seconds": 20}, "line": " Using wfuzz to bruteforce the password for webadmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 37, "seconds": 10}, "line": " Finding Code Execution in WebAdmin.php"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Creating a Python Script to give a pseudo shell to cat, ls, and upload"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 70, "seconds": 45}, "line": " Script finished, uploading reGeorg to create a proxy onto the box to bypass FW"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 76, "seconds": 20}, "line": " Using WinRM to access low privilege shell as Simple User"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 85, "seconds": 8}, "line": " Exploring /Util/Scripts to find a way to privesc to Hacker"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 90, "seconds": 29}, "line": " Exploring GetSystem functionality of meterpreter"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 97, "seconds": 20}, "line": " Starting to create program to 
steal a token from NamedPipe Clients"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 101, "seconds": 0}, "line": " Creating XOR Encrypter for payloads in C (There is a bug used & instead of %)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 108, "seconds": 20}, "line": " Using MSFVenom to generate raw payload to XOR then generate in C Format"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 111, "seconds": 38}, "line": " Creating the Stager to execute meterpreter, with some fun old AV Evasion tactics"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (Testing/Bug Hunting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 123, "seconds": 45}, "line": " Found the issue, AND'd the payload instead of XOR'd in encrypt.c"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 128, "seconds": 30}, "line": " Creating the NamedPipe portion of code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 148, "seconds": 30}, "line": " Creating the Pipe Impersonation part of the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 163, "seconds": 16}, "line": " Had some weird errors, adding the ability to enable token privileges"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (more troubleshooting....)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 181, "seconds": 0}, "line": " Editing the /util/scripts/clean.ini to execute our NamedPipe Creation File"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 186, "seconds": 10}, "line": " Meterpreter Session Loaded. 
Unfortunately it didn't grab the impersonation token, more troubleshooting."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 188, "seconds": 20}, "line": " Found the bug that caused us to not pass the token"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 189, "seconds": 45}, "line": " Re-Explaining all the code"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 194, "seconds": 57}, "line": " Meterpreter loaded, using incognito to grab our impersonation token for HACKER user"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 210, "seconds": 15}, "line": " Creating a bat file to run NetCat and upload into /util/scripts/spool which gets executed"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 215, "seconds": 50}, "line": " Start of looking at UserLogger Service, download it, un-UPX it"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 221, "seconds": 30}, "line": " Using ProcessMonitor to Dynamically Analyze the UserLogger binary (think of strace on windows)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 229, "seconds": 40}, "line": " UserLogger lets us write binaries as SYSTEM with 777 permissions! 
Lets chain Diagnostic Hub Exploit"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 232, "seconds": 0}, "line": " Changing CMDLine in FakeDLL and valid_dir in Diaghub_exploit.cpp"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (Tons of trouble shooting)"}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 258, "seconds": 5}, "line": " Changing from DEBUG mode to RELEASE mode for compiling. Which fixes it."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 265, "seconds": 15}, "line": " Root.txt is hidden behind alternate data streams."}, {"machine": "HackTheBox - HackBack", "videoId": "B9nozi1PrhY", "timestamp": {"minutes": 267, "seconds": 39}, "line": " ALTERNATE PATH THAT LETS YOU SKIP NAMEDPIPE STUFF"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Searching for good files to view via FTP"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Nothing really found, searching for where PRTG creation file is"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 14, "seconds": 34}, "line": " Backup configuration found!"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Logging in by incrementing the password from 2018 to 2019"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 17, "seconds": 55}, "line": " Searching for CVE's"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 19, "seconds": 45}, "line": " Searching for where to send notification 
emails like CVE Said"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Testing for Command Injection via Cmd"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 22, "seconds": 20}, "line": " Testing for Command Injection via Powershell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 26, "seconds": 55}, "line": " Encoding powershell in Base64 to eliminate potential bad characters"}, {"machine": "HackTheBox - Netmon", "videoId": "ZxvgniJXbOo", "timestamp": {"minutes": 29, "seconds": 10}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Using SMBMap to enumerate fileshares"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Discovering an Excel Macro File"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 9, "seconds": 25}, "line": " Using olevba to extract macro from the document to discover credentials"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Using MSSQLClient.py from Impacket to log into the SQL Server"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 12, "seconds": 15}, "line": " Doing the SQL CMD:XP_DIRTREE to read a file off a UNC Share to steal the hash with Responder"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Cracking the NetNTLMv2 Hash"}, 
{"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 14, "seconds": 11}, "line": " Explaining the Responder Database file to view previously captured hashes"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Getting a Nishang Reverse Shell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ** For some reason the user created with Invoke-ServiceAbuse cannot write to C$ so no psexec :("}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 26, "seconds": 30}, "line": " Going back to the password disclosed via Group Policy and discovering they are an administrator"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 28, "seconds": 0}, "line": " Explaining how the PowerUp module decrypted a password out of Group Policy"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 29, "seconds": 10}, "line": " Getting VIM to highlight the syntax of Powershell"}, {"machine": "HackTheBox - Querier", "videoId": "d7ACjty4m7U", "timestamp": {"minutes": 34, "seconds": 50}, "line": " Rooting the box with Invoke-ServiceAbuse"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 4, "seconds": 15}, "line": " Adding DNS Names to 
/etc/hosts"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Using Aquatone to take HTTP Screenshots of a bunch of pages"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Start of looking at FreeFlujab.htb"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Looking at HTTP Cookies we send"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 17, "seconds": 40}, "line": " Editing Cookies in Firefox"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Discovering SMTP_CONFIG, which lets us change where the mail server is"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Using FireFox to remove character restrictions on a page"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 24, "seconds": 15}, "line": " The WebPage kept resetting our cookie, using Burp to auto replace"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Standing up a SMTP Server in python to read mail"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Discovering SQL Injection"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 34, "seconds": 50}, "line": " SQL Injection confirmed, testing Union Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Creating a Python Script to aid us in running SQL Injections"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 37, "seconds": 40}, "line": " Script: Running a SMTP 
Server in background thread"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 41, "seconds": 35}, "line": " Script: Adding ability to use arrow keys to go to previous command"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 46, "seconds": 42}, "line": " Script: Making our command prompt send HTTP Requests"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 52, "seconds": 40}, "line": " Dumping database structure from INFORMATION_SCHEMA"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 65, "seconds": 0}, "line": " Dumping information out of the VACCINATIONS Table"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 67, "seconds": 50}, "line": " User information dumped, cracking a sha256 hash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 71, "seconds": 0}, "line": " Accessing a new HOSTNAME from the database (sysadmin-console-01)"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 76, "seconds": 0}, "line": " Logging into Ajenti"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 77, "seconds": 0}, "line": " Discovering Notepad can read files from the server"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 84, "seconds": 10}, "line": " Looks like there was a SSH Key Compromise on the box from a README File"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 87, "seconds": 40}, "line": " Searching the compromised debian keys for one on the box"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 89, "seconds": 48}, "line": " Able to SSH Into the box with the Key! 
However we are in restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 90, "seconds": 30}, "line": " rBash escape 1: Using GTFOBins to find a way to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 92, "seconds": 30}, "line": " rBash escape 2: Using -t bash argument in SSH to escape restricted bash"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 93, "seconds": 30}, "line": " Exploiting an old version of Screen to PrivEsc!"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " * Second way to get a shell on the box *"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 103, "seconds": 40}, "line": " Creating files in /home/sysadm"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 106, "seconds": 40}, "line": " SSH is configured to allow public keys to also be placed in ~/access "}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 108, "seconds": 0}, "line": " Reading Ajenti Documentation to see API lets us change file permissions"}, {"machine": "HackTheBox - Flujab", "videoId": "_f9Xygr-qHU", "timestamp": {"minutes": 110, "seconds": 0}, "line": " Ajenti wants the CHMOD Number to be in a weird format"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 0, "seconds": 49}, "line": " Begin of recon"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Running gobuster to find /support"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Searching for a way to find version of HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 3, "seconds": 35}, 
"line": " Reading over the File Upload exploit script to see it requires server time"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 5, "seconds": 10}, "line": " Uploading a PHP Reverse Shell Script"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 7, "seconds": 45}, "line": " Going back to GitHub to find where uploads are saved"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 9, "seconds": 10}, "line": " Begin of modifying the script to pull the server time out of HTTP Headers"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Figuring out the python to pull the \"Date\" HTTP Header"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Getting the Time Format right with STRFTIME.COM"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 19, "seconds": 40}, "line": " Testing out the exploit and getting a shell"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Discovery of an old kernel, looking for an exploit"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Copying the exploit, compiling, and privesc!"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 25, "seconds": 50}, "line": " Looking into port 3000"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 0}, "line": " /graphql discovered"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 27, "seconds": 42}, "line": " Dumping the schema to discover what data is inside"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 30, "seconds": 15}, "line": " Dumping 
username, password from the database"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 32, "seconds": 12}, "line": " Logging into HelpdeskZ"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Discovering the Boolean SQL Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 34, "seconds": 50}, "line": " Running SQLMap"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Explaining the Injection"}, {"machine": "HackTheBox - Help", "videoId": "XB8CbhfOczU", "timestamp": {"minutes": 37, "seconds": 10}, "line": " Begin of creating a python script to exploit this"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 1, "seconds": 4}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 6, "seconds": 45}, "line": " Checking the web interfaces"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Discovering there is a Certificate Authority"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Taking a look at LDAP"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Examining SMB to find shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Searching the Operations and Department Shares"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 14, "seconds": 50}, "line": " Viewing permissions of a SMB Share with SMBCACLS"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 19, "seconds": 10}, "line": " Discovering a writeable share, dropping a SCF 
File to get a hash"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 22, "seconds": 4}, "line": " Using Hashcat to crack NetNTLMv2"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 24, "seconds": 40}, "line": " Using SMBMap to identify if this user has access to anything extra"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 25, "seconds": 40}, "line": " Discovering the CertSRV Directory "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 28, "seconds": 0}, "line": " Discovering Powershell Remoting"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Error from WinRM (Need SSL)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Using openSSL to generate a private key"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 31, "seconds": 52}, "line": " Going to /CertSRV to sign our certificate as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 34, "seconds": 0}, "line": " Adding the SSL Authentication to WinrM"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 35, "seconds": 15}, "line": " Playing with LDAP Again (with the Amanda Creds)"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Shell on the box with WinRM as Amanda"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 38, "seconds": 15}, "line": " Running SharpHound"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 40, "seconds": 29}, "line": " Applocker is on the box, lets move it in the windows directory "}, {"machine": "HackTheBox - Sizzle", "videoId": 
"YVhlfUvsqYc", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Trying to get the bloodhound data off the box."}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 44, "seconds": 20}, "line": " Starting bloodhound "}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 45, "seconds": 27}, "line": " File didn't copy lets load up Covenant"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 49, "seconds": 30}, "line": " Covenant is up and running - Create a HTTP Listener"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 50, "seconds": 30}, "line": " Hosting a Launcher"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 52, "seconds": 30}, "line": " Getting a grunt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 54, "seconds": 40}, "line": " Running SeatBelt"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 57, "seconds": 0}, "line": " Running SharpHound"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Finally uploading the bloodhound data"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 61, "seconds": 18}, "line": " Running Bloodhound with all Collection Methods"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 65, "seconds": 15}, "line": " Discovering the MRLKY can DCSYNC"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 67, "seconds": 25}, "line": " Cannot kerberoast because of the Double Hop Problem, create token with MakeToken"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 72, "seconds": 30}, "line": " Cracked the Kerberoasted Hash, doing maketoken with mrlky and running 
DCSync"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 74, "seconds": 40}, "line": " Running WMIExec to get Administrator"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 82, "seconds": 0}, "line": " UNINTENDED Method 1: Amanda can write to Clean.bat"}, {"machine": "HackTheBox - Sizzle", "videoId": "YVhlfUvsqYc", "timestamp": {"minutes": 84, "seconds": 30}, "line": " UNINTENDED Method 2: Forensic artifacts leave MRLKY Hash in C:\\windows\\system32\\file.txt"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of recon"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 2, "seconds": 20}, "line": " Starting up GoBuster then editing /etc/hosts to add the hosts in nmap"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Going over the website"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Discovering a wordpress instance (/wp/ from goBuster)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Finding webmail credentials from a wordpress Protected Post"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Discovering webmail.chaos.htb (Method 1)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Testing IMAP, then configuring Evolution to login to the mail server (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 16, "seconds": 40}, "line": " Decrypting the message that was in the draft."}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 22, "seconds": 55}, "line": " Message 
decrypted, new page discovered"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 23, "seconds": 11}, "line": " Discovering a webpage for creating pdfs"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 10}, "line": " Searching for a code injection path for LaTex"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 24, "seconds": 45}, "line": " Discovering the blacklist is on \"input\""}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Testing for blind command execution via ping"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 27, "seconds": 43}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 28, "seconds": 10}, "line": " Enumerating the web directory to find passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 11}, "line": " Switching to the \"Ayush\" user with mail password, discover we are in rBash"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 29, "seconds": 45}, "line": " Escaping rBash via tar (Method 1: GTFOBins)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Escaping rBash by editing path (Method 2)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 32, "seconds": 55}, "line": " Discovering a mozilla user configuration directory, copying it off to export passwords"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Using firefox_decrypt to export root password"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Logging 
into webmin with credentials from firefox"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Privesc via switching to root user with known password (Method 1)"}, {"machine": "HackTheBox - Chaos", "videoId": "no9UnySBQrU", "timestamp": {"minutes": 38, "seconds": 10}, "line": " Using webmin to execute commands as root (Method 2)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Begin of recon"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 2, "seconds": 54}, "line": " Checking SNMP with snmpwalk"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 3, "seconds": 29}, "line": " Discovering a Hashed PSK (MD5) in SNMPWalk, searching the internet for a decrypted value"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 4, "seconds": 18}, "line": " Getting more SNMP Information with snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 7, "seconds": 35}, "line": " Going over UDP Ports discovered by snmp-check"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Running ike-scan"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 11, "seconds": 55}, "line": " Examining ike-scan results to build a IPSEC Config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 13, "seconds": 50}, "line": " Installing Strongswan (IPSEC/VPN Program)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 14, "seconds": 19}, "line": " Adding the PSK Found earlier to /etc/ipsec.secrets"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Begin configuring 
/etc/ipsec.conf"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 20, "seconds": 8}, "line": " Starting and debugging ipsec"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 21, "seconds": 55}, "line": " Explaining why we add TCP to strongswan config"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Starting IPSEC, then using NMAP through IPSEC."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (You may want to run WireShark here and see all traffic is encrypted thanks to ipsec)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 25, "seconds": 55}, "line": " Enumerating SMB Quickly (SMBMap/cme)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Enumerating FTP, discovering we can upload files"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 27, "seconds": 20}, "line": " Checking HTTP, hunting for our uploaded file. 
Then uploading files that may lead to code execution"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 29, "seconds": 44}, "line": " Grabbing an ASP Webshell from Github/tennc/webshell"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 8}, "line": " Webshell has been uploaded"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Explaining a weird MTU Issue you *may* run into due to the nested VPN's"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 35, "seconds": 40}, "line": " Back to playing with the web shell, getting a reverse shell with Nishang"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 3}, "line": " Explaining RLWRAP"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 38, "seconds": 40}, "line": " whoami /all shows SEImpersonation, so we run JuicyPotato to privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 44, "seconds": 35}, "line": " JuicyPotato fails with the default CLSID, changing it up to get it working."}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 46, "seconds": 30}, "line": " Doing the box again with Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 47, "seconds": 15}, "line": " Setting up the IPSEC Connection through Windows Firewall"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Installing a DotNet C2 (The Covenant)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 54, "seconds": 20}, "line": " Covenant/Elite open, starting a Listener then a Powershell Launcher"}, {"machine": "HackTheBox - Conceal", 
"videoId": "1ae64CdwLHE", "timestamp": {"minutes": 60, "seconds": 10}, "line": " Grunt activated. Running Seatbelt, then compiling Watson and reflectively running it"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 65, "seconds": 0}, "line": " Grabbing the Sandbox Escaper ALPC Privesc"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 68, "seconds": 3}, "line": " Being lazy and compiling a CPP Rev Shell in Linux because it wasn't installed on Windows"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (bunch of flailing, then reverting the machine)"}, {"machine": "HackTheBox - Conceal", "videoId": "1ae64CdwLHE", "timestamp": {"minutes": 85, "seconds": 35}, "line": " Box is reverted, trying the ALPC Exploit again"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of recon, Nmap"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Taking the CentOS Apache Version to find major version"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Running GoBuster with a Common-PHP-Files wordlist."}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Enumerating Ldap with ldapsearch"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Discovery of Password Hashes within ldap information"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Attempting to crack the hashes. 
(does not crack)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Back to the web page"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Page says to login with ip@Lightweight with the password of your ip"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 15, "seconds": 35}, "line": " Running LinEnum"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 15}, "line": " Discovery of Extended Capabilities set on tcpdump"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Performing a packet capture over SSH without touching disk"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 23, "seconds": 45}, "line": " Examining the pcap created, don't see anything on ens33"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 24, "seconds": 20}, "line": " Performing a packet capture through SSH and piping live results to WireShark"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Discovery of LDAP Traffic, ldapuser2 password passed in clear-text"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Using bash to exfil a file over the network (backup.7z)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 29, "seconds": 25}, "line": " Using 7z2john and hashcat to crack a 7zip file"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 32, "seconds": 5}, "line": " Examining extracted files to discover a new credential (ldapuser1)"}, {"machine": "HackTheBox - 
LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 33, "seconds": 30}, "line": " The openssl binary in ldapuser1 has an empty capability (which is all)"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Using GTFOBins to see what we can do with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 11}, "line": " Reading /etc/shadow with openssl"}, {"machine": "HackTheBox - LightWeight", "videoId": "yQgtDoCDAYk", "timestamp": {"minutes": 37, "seconds": 35}, "line": " Adding an entry into /etc/sudoers to allow us to escalate to root"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Begin of Nmap"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 4, "seconds": 45}, "line": " Pulling important information from the website"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Discovering DNS Names, adding stuff to /etc/hosts"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Found BigHead Web Server on Github, pulling Zips and cracking"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 36, "seconds": 40}, "line": " Before reversing the binary, keep hunting for information about the OS"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", 
"timestamp": {"minutes": 43, "seconds": 40}, "line": " Discovering PHPInfo within the PhpMyAdmin directory, has OS."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Installing Immunity and Mona"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 47, "seconds": 30}, "line": " Grabbing MinGW so we can run the Bighead Webserver"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 55, "seconds": 40}, "line": " Crashing the webserver, seeing we have"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Sending a pattern to the box and examining the stack to see where our overwrites are"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 66, "seconds": 15}, "line": " Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 70, "seconds": 6}, "line": " Explanation of EggHunters"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 76, "seconds": 5}, "line": " Grabbing the shellcode we want, then adding it to our exploit script"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 84, "seconds": 50}, "line": " Validating our exploit is working as we intended by setting a break point on JMP ESP"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 87, "seconds": 0}, "line": " Our box complains about DEP, lets disable that on our OS and hope its disabled on target"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 90, "seconds": 0}, "line": " Running the exploit against the target and getting a shell back!"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": 
{"minutes": 95, "seconds": 0}, "line": " Searching the registry (HKLM) for \"password\""}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 97, "seconds": 0}, "line": " Dumping information about services on the box (HKLM\\System\\CurrentControlSet\\Services)"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 98, "seconds": 15}, "line": " Discovery of NGINX password, then looking at ports listening on localhost"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 101, "seconds": 8}, "line": " Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 105, "seconds": 10}, "line": " SSH into nginx@Bighead over port 2020, land in an extremely restricted shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 110, "seconds": 30}, "line": " Searching for vulnerable PHP Code, discovering testlink"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 122, "seconds": 55}, "line": " Exploiting an LFI Vulnerability"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 127, "seconds": 0}, "line": " Using Netcat to get a reverse shell"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 136, "seconds": 10}, "line": " Looking at the KeePass Configuration File to see where the KDBX and Key is"}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 138, "seconds": 55}, "line": " A bunch of pain trying to get data off the Alternate Data Stream."}, {"machine": "HackTheBox - Bighead", "videoId": "VBt-CmjMYiM", "timestamp": {"minutes": 151, "seconds": 30}, "line": " Finally got the KDBX back to my box, then crack the KeePass file"}, {"machine": "HackTheBox - Irked", "videoId": 
"OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Last video was missing about 2 minutes and cut off at 31:35. Sorry, was an extremely busy week and didn't get to verify everything was good."}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 0, "seconds": 39}, "line": " Begin on Recon"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 1, "seconds": 39}, "line": " Starting a full nmap scan "}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 15}, "line": " Discovery of IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 4, "seconds": 35}, "line": " Manually looking at IRC"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Looking at the IRC to understand how to connect to an IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Pulling the IRC Version and discovering the exploit"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Going into the history of the IRC Backdoor"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Manually exploiting the IRC Server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 13, "seconds": 10}, "line": " Shell returned on the server"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Discovery of .backup which gives a steg password"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Logging in with djmardov"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 21, "seconds": 20}, "line": " 
Discovery of SetUID enabled custom binary, viewuser"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 25}, "line": " Using ltrace to see what the binary does, executes the file /tmp/listusers"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Getting a root shell"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 25, "seconds": 50}, "line": " Testing exploiting the binary with \"who\", fails due to no setuid"}, {"machine": "HackTheBox - Irked", "videoId": "OGFTM_qvtVI", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Looking at the binary within Ghidra"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Begin of recon"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Poking around at the website to identify what technologies it utilizes"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 2, "seconds": 30}, "line": " Discovering something odd about images/5.png"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 3, "seconds": 25}, "line": " Downloading 5.png to discover it is a text file with a portion of a password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Finding a place to login (/moodle), attempt to enumerate valid usernames"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Using wfuzz to bruteforce the password"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 11, "seconds": 20}, "line": " Looking for a way to enumerate Moodle Versions"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": 
{"minutes": 13, "seconds": 20}, "line": " Searching for exploits for this version and finding \"Bad Teacher\""}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 14, "seconds": 40}, "line": " Start of manually exploiting this vulnerability"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Adding a \"Calculated Question\" which has the formula (vulnerable) parameter"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 20, "seconds": 16}, "line": " Finding artifacts of creating/testing the machine which spoils what we are supposed to do"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 24, "seconds": 21}, "line": " Fixing our formula to allow for code execution"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Looking around the MySQL Database to discover hashes of other users"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 31, "seconds": 52}, "line": " The account Giovannibak stands out due to the hash being just MD5"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Attempting the password (expelled) of the MD5 hash above to login to \"Su\" to Giovannibak"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 36, "seconds": 20}, "line": " Grabbing and compiling pspy to find a cronjob"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Running PSPY to discover /usr/bin/backup.sh"}, {"machine": "HackTheBox - Teacher", "videoId": "u2-te8n2WbY", "timestamp": {"minutes": 
40, "seconds": 0}, "line": " Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " More detailed notes: https://gist.github.com/IppSec/137a9f8870bed2763048072f321073e5"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 50}, "line": " My Vulnerability Assessment methodology"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Starting a Nessus Scan to see what it thinks"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Running nmap and deciding what ports are needed"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 9, "seconds": 35}, "line": " Reviewing the Nessus Scan"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 12, "seconds": 2}, "line": " Examining what leaving KSQL/Kafka (8088) open can do"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 13, "seconds": 58}, "line": " Using iptables to block ports that don't need to be routable"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 15, "seconds": 53}, "line": " Preventing NMAP from detecting the port as filtered, doing REJECT --reject-with tcp-reset"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 18, "seconds": 
30}, "line": " Using Draw.io to explain what we are doing with a Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 20, "seconds": 40}, "line": " Installing Apache2"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 21, "seconds": 33}, "line": " Creating the reverse proxy HTTPS Configuration, then enabling modules ssl, proxy, proxy_http"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 25, "seconds": 10}, "line": " Our Apache Server doesn't like self-signed certificate of remote server adding:"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- SSLProxyVerify, SSLProxyCheckPeerCN, SSLProxyCheckPeerName, SSLProxyCheckPeerExpire"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 28, "seconds": 44}, "line": " Enabling Universe Repo then installing mod-security"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 29, "seconds": 50}, "line": " Briefly going over the mod-security configuration file"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 32, "seconds": 35}, "line": " Setting ModSecurity to blocking mode then modifying the rules to allow Kibana to work"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 36, "seconds": 25}, "line": " ModSecurity doesn't like \"application/x-ndjson\", adding this to the allowed content types"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", 
"videoId": "2OWtEymBQfA", "timestamp": {"minutes": 40, "seconds": 13}, "line": " Beginning of creating a Certificate Authority to handle Mutual SSL Authentication"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 42, "seconds": 20}, "line": " Creating the CA Private/Public Keys with OpenSSL"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 44, "seconds": 11}, "line": " Creating the WebServer's private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Creating the users private key with OpenSSL, then signing"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 47, "seconds": 20}, "line": " Copying the Webserver's keys to the reverse proxy, then updating Apache2 to use the certs"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 49, "seconds": 50}, "line": " Showing the SSL is working by adding the CA to firefox and checking if cert warnings go away"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 51, "seconds": 10}, "line": " Configuring Apache to force SSL Client Authentication which requires user certificates"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 52, "seconds": 0}, "line": " Creating the PFX File in order to allow Firefox to import our user certificate"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 0}, "line": " Demonstrating SSL Mutual Authentication 
is working"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Modifying iptables on HELK to only allow HTTP/HTTPS Connections from the Reverse Proxy"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Making the iptable rules on HELK persistent"}, {"machine": "Securing Vendor Webapps - A Vulnerability Assessment on HELK", "videoId": "2OWtEymBQfA", "timestamp": {"minutes": 56, "seconds": 40}, "line": " Uh-oh we forgot to do rules on IPv6, which allows for a firewall bypass. Let's just disable IPv6."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 20}, "line": " Flow chart of potential paths through this box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 2, "seconds": 25}, "line": " Begin of recon, SSL Enumeration, examining PHP Behavior"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 6, "seconds": 23}, "line": " Using GoBuster to discover directories, pdf's, and php scripts"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Using wfuzz to discover subdomains (virtual host routing)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 12, "seconds": 15}, "line": " Guessing credential, logging in with guest:guest discover SQL Injection"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Manually doing an error-based SQL Injection with extractquery()"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ** Go watch the Enterprise Video if you want Double Query Based Errors **"}, 
{"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 31, "seconds": 50}, "line": " A good screenshot showing the SQL Inject Queries used, then cracking"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Doing the SQLInjection with SQLMap, needed the delay flag!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ** Going back to start of box"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 37, "seconds": 50}, "line": " Examining the account-signup.pdf to create a user"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Doing XSS (cross site scripting) to steal a cookie of the admin"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 43, "seconds": 15}, "line": " Going to admin.redcross.htb and showing that any way you got the PHPSESSID cookie would work"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 46, "seconds": 15}, "line": " Poking at admin.redcross.htb, creating a user that lands us in an SSH Jail"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 48, "seconds": 38}, "line": " Playing with the Firewall portion of the site, discover command injection in deleting rules!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 52, "seconds": 28}, "line": " Reverse shell as www-data"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 54, "seconds": 40}, "line": " Discover postgresql credentials in actions.php, this database lets you create users!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 60, "seconds": 21}, "line": " Inserting a user into the 
database, then logging in with SSH"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 62, "seconds": 40}, "line": " Examining /etc to discover a different postgresql account-signup"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 64, "seconds": 50}, "line": " Adding a root user with the new credentials, then sudo to root!"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " *** Going back to just adding our IP to the whitelist in firewall"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 66, "seconds": 29}, "line": " Discovering Haraka running"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 69, "seconds": 10}, "line": " Using Metasploit to exploit haraka, get shell as penelope"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 72, "seconds": 26}, "line": " Doing the PG thing again but this time specify sudo group, so we don't need to use the other PG account."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " *** Going back, lets do the overflow! 
No postgres at all"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " * Go watch Bitterman if this is confusing"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 75, "seconds": 50}, "line": " Examining iptctl.c"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 79, "seconds": 56}, "line": " Using Pattern_Create to discover where the RSP (RIP) Overwrite occours."}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 81, "seconds": 15}, "line": " Start of python script"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 84, "seconds": 11}, "line": " Dumping PLT Functions to use with our rop chain (no aslr on binary)"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 88, "seconds": 0}, "line": " Getting pop gadgets with radare"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 89, "seconds": 40}, "line": " Building our ROP Chain"}, {"machine": "HackTheBox - Redcross", "videoId": "-GNyDEQ9UDU", "timestamp": {"minutes": 94, "seconds": 28}, "line": " Exploiting the binary! 
To get root."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Explaining the HELK Architecture"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Showing my VM's Spec's/build"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Installing HELK "}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Poking around HELK's Logstash container to see how it works"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Examining HELK Elastalert to view sigma rules"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 9, "seconds": 8}, "line": " The magic behind catching APT! 
(sorry did it for the keywords)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 11, "seconds": 58}, "line": " The SafetyKeyz Sigma rule, could easily be avoided"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 12, "seconds": 58}, "line": " Start of Windows"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 13, "seconds": 20}, "line": " Building a Sysmon Config with Sysmon-Modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - https://github.com/olafhartong/sysmon-modular"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Enabling Other Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Enabling Command Line Logging with arguments"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Computer/Windows/SecuritySettings/SecurityOptions/Audit: Force Audit policy"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Computer/Windows/SecuritySettings/AdvancedAudit/DetailedTracking/AuditProcessCreate"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Computer/AdminTemplates/System/AuditProcessCreation"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 20, "seconds": 0}, "line": " Enabling Powershell Module and Script 
Block Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Computer/AdminTemplates/WindowsComponents/WindowsPowershell/"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - Create Profile.ps1 in c:\\windows\\system32\\WindowsPowerShell\\v1.0"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- Variables: $LogCommandHealth and $LogCommandLifeCycleEvent = $true"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Enabling Task Scheduler History/Logging"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 23, "seconds": 25}, "line": " Downloading and installing WinLogBeat"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (If you have issues, try version 6.7 of WinLogBeat, 7 is now out and HELK is not ingesting)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 27, "seconds": 5}, "line": " Logging into HELK and start of searching the logs!"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 28, "seconds": 45}, "line": " Searching Process Create Events (4688) and finding the commands we ran earlier"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 29, "seconds": 53}, "line": " Testing the Powershell logging to detect downloading and executing a script"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", 
"videoId": "C2cgvpN44is", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Detecting mimikatz accessing LSASS"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 39, "seconds": 40}, "line": " Deep dive into Mimikatz to identify how it accesses LSASS.EXE to create a signature, what is 0x1010 process grant?"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 44, "seconds": 30}, "line": " Showing the Process Creation stuff in real time."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 47, "seconds": 25}, "line": " Examining the SysMon Dashboard"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Viewing the SIGMA Rules and how to clean up noisy ones."}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ** Really good blog post: https://posts.specterops.io/what-the-helk-sigma-integration-via-elastalert-6edf1715b02 **"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Deep dive into the SIGMA Rule setup"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 0, "seconds": 1}, "line": " - python -m elastalert.elastalert --debug --rule"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 51, "seconds": 30}, "line": " Discovering the mistake in the SIGMA to Elastalert conversion (realert:0)"}, {"machine": "Advanced Windows Logging - Finding What AV Missed", "videoId": "C2cgvpN44is", "timestamp": {"minutes": 52, "seconds": 0}, "line": " Debugging Elastalert 
Rules"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 1, "seconds": 8}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 3, "seconds": 8}, "line": " Begin of GoBustering"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 7, "seconds": 15}, "line": " Discovery of an image upload script"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 8, "seconds": 39}, "line": " Attempting to bypass the upload filter"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 12, "seconds": 46}, "line": " Reverse Shell to ubuntu Returned. Examining Web Source"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 15, "seconds": 28}, "line": " ALTERNATIVE: Checking out the host name pollution, setting host header to localhost"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 19, "seconds": 27}, "line": " Resume of poking around the host, discover passwords and other hosts in /home"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 23, "seconds": 14}, "line": " Uploading a static-compiled nmap to the box (static-binaries is a github repo)"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 24, "seconds": 57}, "line": " SSH Local Port Forward and Dynamic, to let our Kali box communicate with the next hop."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 27, "seconds": 27}, "line": " Discovery of a page that lets us create ovpn (openvpn) configs and test the VPN"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 28, "seconds": 45}, "line": " Think i broke the box here, sent unicode to the box.... 
It stops responding on web."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 32, "seconds": 55}, "line": " Machine reverted, getting back to where I started."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 34, "seconds": 50}, "line": " Trying this again, and get a shell on ubuntu -- Let's do a Reverse Port Forward to get a shell on our kali box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 36, "seconds": 12}, "line": " Shell returned to Kali Box, explaining how to use socat if SSH Forward cannot listen on all ports."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 38, "seconds": 58}, "line": " Exploring the DNS Server box."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 39, "seconds": 26}, "line": " Finding a password in /home/dave/ssh"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 40, "seconds": 15}, "line": " Discovering Vault's IP Address in /etc/hosts"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 20}, "line": " Performing a NMAP on the vault box, discover two ports closed"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 41, "seconds": 50}, "line": " Doing a NMAP with the source port of one of the above ports to test for a lazy firewall, discover SSH on port 987"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 43, "seconds": 20}, "line": " ALTERNATIVE: Bypassing the firewall by using IPv6"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 49, "seconds": 47}, "line": " How to set the source port with SSH via ncat"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 50, "seconds": 45}, "line": " Discovering root.txt.gpg on 
Vault, it is encrypted with RSA Key D1EB1F03"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 51, "seconds": 35}, "line": " Dave has the above RSA Key, use SCP to send the file back to Ubuntu"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 54, "seconds": 45}, "line": " The file has been copied, using gpg to decrypt the file."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 55, "seconds": 39}, "line": " MAJOR UNINTENDED WAY: Discovering SPICE ports are listening on localhost:5900-5903, this is like VNC"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 5}, "line": " Using Remote-Viewer to connect to the SPICE Port and getting physical access to the machine."}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 57, "seconds": 42}, "line": " Rebooting Vault by sending the Ctrl+Alt+delete key"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 0}, "line": " Editing grub to get a root shell without a password"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 58, "seconds": 56}, "line": " Changing the password to root, then rebooting again"}, {"machine": "HackTheBox - Vault", "videoId": "LfbwlPxToBc", "timestamp": {"minutes": 59, "seconds": 30}, "line": " Logging in with the new password."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 0, "seconds": 58}, "line": " Installing FireEye Commando to help keep our development environments sync'd"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Using Git to download mimikatz, opening it with Visual Studio 2017 and installing dependencies"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 8, 
"seconds": 50}, "line": " Verifying that we can compile mimikatz before we make any changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Creating an Antivirus Exception in Defender to ignore shared drive"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Remove String: mimikatz and then rename files with mimikatz in the name"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 13, "seconds": 45}, "line": " Remove String: all metadata by editing the RC File (accidentally wipe a quote)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Replace Icon"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Test rebuilding after these changes."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Using \"head\" to split the binary in half to help identify where Defender is identifying mimikatz"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Tons of splitting."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 21, "seconds": 20}, "line": " Found a rough location of a bad string, opening in a hex editor to identify the string."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 22, "seconds": 30}, "line": " Appears to flag on KiwiAndRegistryTools, lets verify"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 24, "seconds": 10}, "line": " Search and replace for \"mimi\" (whoops, should of done kiwi here!)"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 25, "seconds": 
50}, "line": " Remove String: KiwiAndRegistryTools"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 27, "seconds": 20}, "line": " Decompressing the Defender Signature File, this should speed up finding bad strings but i still need to do more research here."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 30, "seconds": 30}, "line": " Verifying KiwiAndRegistryTools is removed by testing it against Defender"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 32, "seconds": 0}, "line": " From here on... Tons of repetitive stuff to find other strings."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 42, "seconds": 45}, "line": " wdigest.dll is a bad character, lets see if its in a DLL Import or Print Statement."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 43, "seconds": 50}, "line": " Remove String: wdigest.dll"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 46, "seconds": 25}, "line": " Remove String: isBase64InterceptOutput, isBase64InterceptInput"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 52, "seconds": 25}, "line": " Remove String: multirdp"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 57, "seconds": 20}, "line": " Wow. Just realized double clicking a program is a better way to test if an executable is malicious. 
Lol."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 59, "seconds": 50}, "line": " Remove String: logonPasswords "}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 66, "seconds": 0}, "line": " Remove String: credman"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 71, "seconds": 30}, "line": " Remove String: I_NetTrustPasswordsGet, this one is different due to being in the IMPORT table. Use dumpbin /exports to show ordinal addresses"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 75, "seconds": 30}, "line": " Ordinal loading explained, kind of"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 76, "seconds": 45}, "line": " Creating a new lib file to do ordinal loading of netapi32 functions. Create DEF file, then use lib to compile it."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 79, "seconds": 40}, "line": " Whoops, string isn't here because its I_NetTrust, not I_NetPass. 
After this mistake, mimikatz is run"}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 82, "seconds": 20}, "line": " Running Ghidra to view import tables to see how the ordinal loading works."}, {"machine": "AV Evasion - Mimikatz", "videoId": "9pwMCHlNma4", "timestamp": {"minutes": 87, "seconds": 0}, "line": " Let's just see what VirusTotal thinks of this binary."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 12}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 1, "seconds": 55}, "line": " Running Cewl to generate a wordlist"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Finding secret.txt in the HTML Source, which happens to be the password"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 3, "seconds": 28}, "line": " Running JoomScan so we have something running in the background"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Checking the manifest to get the Joomla Version"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 6, "seconds": 20}, "line": " Explaining what equals mean in base64"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Begin of hunting for Joomla Username"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 8, "seconds": 30}, "line": " BruteForcing Joomla Login with WFUZZ"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 10, "seconds": 35}, "line": " Troubleshooting by sending wfuzz through burp"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 12, "seconds": 25}, "line": " Turns out 
the CSRF Token is tied to cookie, adding that to the wfuzz command"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 10}, "line": " Success! Logged into Joomla"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 17, "seconds": 58}, "line": " Gaining code execution by modifying a template"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 20, "seconds": 20}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Finding the file: password_backup which is encoded"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 23, "seconds": 55}, "line": " Extracting password_backup manually with xxd, zcat, bzcat, tar"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 25, "seconds": 43}, "line": " Extracting Password_Backup with CyberChef"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 27, "seconds": 35}, "line": " Logging in with Floris"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 17}, "line": " Looking at /home/floris/AdminArea"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Testing the input file by changing the url to us"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Getting LFI by using file:// within curl"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 30, "seconds": 38}, "line": " Pulling the cron, to see what is going on"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 31, "seconds": 25}, "line": " Cron shows curl -K to use curl with a config 
file, checking man page."}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 32, "seconds": 5}, "line": " Changing where curl saves to, in order to gain a root shell"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 33, "seconds": 45}, "line": " Showing another good file to read with the LFI (logs)"}, {"machine": "HackTheBox - Curling", "videoId": "Paajc2Dupms", "timestamp": {"minutes": 34, "seconds": 18}, "line": " Using pspy to show when processes start/end, which shows the curl command with no exploits"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 1, "seconds": 16}, "line": " Begin of Recon, until around 13 minutes gathering information to avoid rabbit holes"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 4, "seconds": 4}, "line": " Using nc/ncat to verify a port is open (-zv)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 11, "seconds": 17}, "line": " Doing gobuster across many of the sub directories"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 13, "seconds": 3}, "line": " Examining /admin/ - Examine the HTML Source because login is not sending any data"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 14, "seconds": 9}, "line": " Discover some weird text encoding (Ook), how I went about decoding it"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 15, "seconds": 44}, "line": " Decoded to base64 with some spaces, clean up the base64 and are left with a zip file"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 19, "seconds": 19}, "line": " After cracking the zip, there is another text encoding challenge (BrainF*)"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 25, 
"seconds": 11}, "line": " With potential information, return to our long running recon for more information"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 28, "seconds": 49}, "line": " Discovering /playsms"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Reading ExploitDB Articles and then attempting to manuall exploit PlaySMS via uploading a CSV"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 34, "seconds": 34}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 40, "seconds": 0}, "line": " Finding the SetUID file: rop"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Exploiting ROP Program with ret2libc"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 45, "seconds": 30}, "line": " Getting offsets of system, exit, /bin/sh from libc using ldd, readelf, and strings"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 50, "seconds": 34}, "line": " Running our exploit to get root shell"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 54, "seconds": 0}, "line": " Begin of recovering rop.c source code"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 56, "seconds": 41}, "line": " Recreating rop.c then compiling"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 59, "seconds": 44}, "line": " Copying the physical disk to our local box via SSH and DD"}, {"machine": "HackTheBox - Frolic", "videoId": "b6WGQSJu_zQ", "timestamp": {"minutes": 61, "seconds": 44}, 
"line": " Using PhotoRec to restore files and finding rop.c"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 53}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Checking out the Web Page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Doing UDP/GoBuster Scans"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Running SNMPWalk and then logging into web interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 10, "seconds": 20}, "line": " Reading the tickets on the web page"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Discovering code execution"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 23, "seconds": 15}, "line": " Discovering FTP Server 10.120.15.10"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Gaining access to a Router Interface"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Using Draw.io to draw out the network"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Examining routing information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 35, "seconds": 45}, "line": " Looking at BGP Information"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 39, "seconds": 0}, "line": " First attempt 
at BGP Hijack, advertising a route"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 43, "seconds": 30}, "line": " Did not work, examining routing loop."}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 50, "seconds": 50}, "line": " Blocking the routing advertisement to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 56, "seconds": 50}, "line": " Showing the new routing loop (AS300 sends to AS200)"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 60, "seconds": 0}, "line": " Telling AS200 not to advertise the route to AS300"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 64, "seconds": 0}, "line": " Grabbing FTP Traffic to get root password"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- Extra Content"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 67, "seconds": 0}, "line": " Logging into all 3 routers for some fun"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 68, "seconds": 50}, "line": " Hiding from TraceRoute by mucking with TTL's"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 73, "seconds": 20}, "line": " Redoing the attack, but showing routing tables on all routers"}, {"machine": "HackTheBox - Carrier", "videoId": "2ZxRA8BgmnA", "timestamp": {"minutes": 77, "seconds": 30}, "line": " Unintended route, Just adding an IP to eth2"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " This video didn't go quite as smooth as I expected. Still putting it here to show an unintended route for Ethereal. 
When I get more time, I'll probably redo this video, so don't be surprised if it disappears."}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 0, "seconds": 14}, "line": " Demo of this AppLocker Bypass"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 1, "seconds": 30}, "line": " How this is different than LOLBINs"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Creating a Reverse Shell EXE"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Converting our Reverse Shell EXE to a DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Performing this COR PROFILER bypass with our Reverse Shell DLL"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 11, "seconds": 21}, "line": " Trying to do this on the HackTheBox machine: Ethereal"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 18, "seconds": 43}, "line": " Creating a BAT file to set environment variables and execute TZSYNC"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 20, "seconds": 45}, "line": " Executing the BAT File and getting a meterpreter session!"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 22, "seconds": 3}, "line": " Doing JuicyPotato to privesc to SYSTEM"}, {"machine": "AppLocker Bypass COR Profiler", "videoId": "T91iXd_VPVI", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Migrating to a user to be able to read an EFS Protected file."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Begin of Recon, 
Downloading FTP and inspecting websites"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 10, "seconds": 23}, "line": " Recap of what we saw on the recon. Limited pages that provide paths for exploitation, Server Hostname, and FTP"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Sending MD5Hashes to VirusTotal to get file age"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 15, "seconds": 45}, "line": " Downloading PasswordBox sourcecode to examine pbox.dat and discover a password manager."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Use Hydra to try to bruteforce ethereal.htb:8080, find blind command injection in page by running various ping commands but no way to view output."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 25, "seconds": 45}, "line": " Using nslookup to exfil the results of commands executed."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 33, "seconds": 15}, "line": " Creating Python Script to automate exploitation of this program. Using Scapy, BeautifulSoup, and Requests."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 55, "seconds": 23}, "line": " Script working! 
Now to make the output a bit more pretty using tokens to separate spaces"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 62, "seconds": 0}, "line": " Running commands to get interesting information about the page"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 65, "seconds": 20}, "line": " Enumerating the Firewall via netsh"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 69, "seconds": 10}, "line": " Using OpenSSL to get a reverse shell on windows"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 77, "seconds": 25}, "line": " Reverse shell returned. "}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 79, "seconds": 40}, "line": " Creating a malicious shortcut via powershell"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 82, "seconds": 40}, "line": " Using OpenSSL To transfer files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 88, "seconds": 0}, "line": " Getting reverse shell as Alan, then using OpenSSL to convert files to base64 to make exfil easier"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 92, "seconds": 30}, "line": " Creating and signing a malicious MSI with WiX."}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 108, "seconds": 15}, "line": " First attempt failed, creating a less complicated MSI File by just having it execute our shortcut"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 113, "seconds": 0}, "line": " Getting reverse shell as SYSTEM - Cannot read EFS Files"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 115, "seconds": 20}, "line": " Having our MSI not run as SYSTEM by changing 
impersonation in WiX"}, {"machine": "HackTheBox - Ethereal", "videoId": "Bhh5yPHjwUY", "timestamp": {"minutes": 118, "seconds": 30}, "line": " Shell as Rupal returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 58}, "line": " Begin of recon: ftp, telnet, IIS 7.5"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Downloading all files off an FTP Server with WGET"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Examining the \"Access Control.zip\" file."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Cracking a zip file with John"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 7, "seconds": 45}, "line": " Creating a wordlist for cracking the zip (strings of the mdb file)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Grabbing the same password we cracked by checking the auth_user table"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 13, "seconds": 35}, "line": " Converting the PST File (Outlook Email) to PlainText via readpst"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Logging into telnet with the credentials from the email"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 15, "seconds": 45}, "line": " Switching to a Nishang Shell to execute powershell"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 18, 
"seconds": 15}, "line": " Running JAWS (Just Another Windows Scanner)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 23, "seconds": 34}, "line": " Discovering Stored Credentials on the box for ACCESS\\Administrator "}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 11}, "line": " Examining the Shortcut on PUBLIC\\DESKTOP which shows us how the \"Stored Credential\" is used."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 25, "seconds": 58}, "line": " Using powershell to view information of a Shortcut"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 27, "seconds": 25}, "line": " Using the Stored Credential via runas /savecred"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (some flailing around, darn windows quotes)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 30, "seconds": 31}, "line": " Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 31, "seconds": 54}, "line": " Box done, Administrator returned."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (Flailing around until 54:20)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 32, "seconds": 38}, "line": " Begin of decrypting the Stored Credential, uploading Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 33, "seconds": 40}, "line": " Using powershell to download files"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 36, "seconds": 36}, "line": " Discovering that I was trying to save mimikatz to a directory i cannot write 
to :("}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 37, "seconds": 15}, "line": " Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 38, "seconds": 50}, "line": " Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 41, "seconds": 28}, "line": " Getting an Empire Agent running"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 43, "seconds": 35}, "line": " Empire Agent Returned, Injecting meterpreter shellcode."}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 45, "seconds": 46}, "line": " Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 46, "seconds": 52}, "line": " Explaining Mimikatz Arguments when in \"non-interactive\" mode"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 54, "seconds": 20}, "line": " Grabbing needed files to decrypt DPAPI::CREDS offline"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 56, "seconds": 9}, "line": " Switching to Windows to run Mimikatz"}, {"machine": "HackTheBox - Access", "videoId": "Rr6Oxrj2IjU", "timestamp": {"minutes": 62, "seconds": 32}, "line": " Decrypting the Creds stored in DPAPI"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Start of NMAP"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 4, "seconds": 10}, "line": " Signing into Zabbix as Guest"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Getting potential 
usernames from inside Zabbix and guessing creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Running Searchsploit and looking for vulnerabilities"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Analyzing the \"API\" Script from SearchSploit as we have API Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Modifying the \"API\" Script "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Showing a shortcut to skip the Container to Host Lateral Movement."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 15, "seconds": 35}, "line": " Shell on the Container."}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 17, "seconds": 25}, "line": " Searching for Zabbix MySQL Password "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 18, "seconds": 35}, "line": " Dumping the Zabbix User Database"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 20, "seconds": 0}, "line": " Logging into Zabbix as Admin, discover ZBX Agent on Host. 
Testing if port is accessible"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 29, "seconds": 53}, "line": " Getting a Reverse Shell on Zabbix (use nohup to fork)"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Running LinEnum on Zabbix Host"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 35, "seconds": 15}, "line": " Examining home directories to find Zapper Creds"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 36, "seconds": 42}, "line": " Examining the \"Zabbix-Service\" SetUID "}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 39, "seconds": 0}, "line": " PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 42, "seconds": 0}, "line": " PRIVESC #2: Weak permissions on Purge-Backups Service"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 30}, "line": " Extra Content: Building a Zabbix API Client from Scratch!"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 48, "seconds": 55}, "line": " \"Pseudo Terminal\" Skeleton Script via Cmd module"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Adding Login Functionality"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 56, "seconds": 8}, "line": " Making the script login upon starting"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 57, "seconds": 
50}, "line": " Adding functionality to dump users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 64, "seconds": 0}, "line": " Adding functionality to dump groups"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 65, "seconds": 25}, "line": " Adding functionality to add users"}, {"machine": "HackTheBox - Zipper", "videoId": "RLvFwiDK_F8", "timestamp": {"minutes": 70, "seconds": 45}, "line": " Adding functionality to modify users"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of intro"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 2, "seconds": 17}, "line": " Examining port 80 and 443"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 3, "seconds": 15}, "line": " Using gobuster to discover directories"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 4, "seconds": 20}, "line": " /remote discovered, nothing to do here"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 5, "seconds": 25}, "line": " /mvc discovered"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 6, "seconds": 15}, "line": " SQL Injection everywhere"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 9, "seconds": 15}, "line": " Attempt to perform union injection on search"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Having trouble, send to SQLMap look at other places in the application"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 12, "seconds": 20}, "line": " SQLMap having trouble with search SQL, change to ITEM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 16, "seconds": 
50}, "line": " Attempting XP_CMDSHELL (Fails)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Using XP_DIRTREE to read files off SMBShare"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Use Responder to steal the authentication attempt of XP_DIRTREE"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Cracking the NetNTLMv2 Hash"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Logging into /remote with cracked credentials"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 26, "seconds": 40}, "line": " Discovering unifi video is installed, this has a known privesc"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Attempting to use Meterpreter. (Fail: AV)"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 32, "seconds": 15}, "line": " Grabbing and compiling a DotNet Reverse Shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 35, "seconds": 15}, "line": " Actually compiling the reverse shell"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 38, "seconds": 58}, "line": " Using xcopy to copy our reverse shell to the victim"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Attempting to find Unifi Service name so we can restart it. 
End up searching registry due to permission issues."}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 42, "seconds": 10}, "line": " Restarting Unifi Service so it executes TaskKill.exe"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " # Box Done"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 44, "seconds": 25}, "line": " Start of Bypassing AppLocker Bypass by copying executable into a directory under Windows"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 45, "seconds": 50}, "line": " Escaping powershell constrained mode with PSBypassCLM"}, {"machine": "HackTheBox - Giddy", "videoId": "J2unwbMQvUo", "timestamp": {"minutes": 60, "seconds": 25}, "line": " Showing the Powershell History file which contained a hint at Unifi"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Want the WireShark Sticker? http://weirdstuffis.online "}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 2, "seconds": 25}, "line": " Enumerating OpenBSD Patch Date via SSH Version"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Examining port 80... 
Use Wireshark to see why NMAP gets a response but firefox does not"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Invalid Requests, will cause HTTP Service to send error message"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Using ldapsearch to enumerate ldap, use wireshark to see how the nmap script works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Using SMBMap to PassTheHash and enumerate fileshares and download Putty Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Using PuttyGen to convert Putty Key to an RSA Key"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 24, "seconds": 55}, "line": " Testing out ssh_enumusers to see if that would have worked to get valid usernames"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 26, "seconds": 30}, "line": " Logged in as Alice, use LinEnum"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 28, "seconds": 40}, "line": " Examining doas configuration (like Sudo -l)"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Examining HTTPD Configuration to see why we couldn't hit the webserver earlier"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Examining SSHD Configuration to see SSH is configured to allow CA Signed Keys"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 34, "seconds": 40}, "line": " Getting hashes from SSH Keys to know what publics go to which privates"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": 
{"minutes": 37, "seconds": 0}, "line": " Playing with the SSHAUTH webservice to enumerate what principals go to which users"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 41, "seconds": 45}, "line": " Signing a SSH Key using DoAs to sign a key with the root Principal"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 45, "seconds": 30}, "line": " Testing the key, explaining how this all works"}, {"machine": "HackTheBox - Ypuffy", "videoId": "UoB-J-eDvrg", "timestamp": {"minutes": 47, "seconds": 30}, "line": " Unintended privesc, Xorg exploit"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Begin of the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Checking the HTTP Ports out"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 4, "seconds": 38}, "line": " Using wfuzz to bruteforce a login on port 80"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 8, "seconds": 15}, "line": " Begin examining port 8080, use wfuzz to bruteforce a cookie"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Using wfuzz to enumerate the WAF and determine bad characters"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 14, "seconds": 40}, "line": " Doing a SSRF Like attack with wfuzz and enumerating open ports on localhost."}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 16, "seconds": 50}, "line": " Begin examining port 11211 (MemCache)"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 18, "seconds": 0}, "line": " Dumping data from Memcache"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 23, 
"seconds": 50}, "line": " Using CVE-2018-15473 to enumerate valid users over SSH"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 27, "seconds": 35}, "line": " Cracking the users hash and logging into the box"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Using R2 to analyzing rabbit hole application \"try_harder\""}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Going through LinEnum"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Using r2 to examine myexec to find password"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 40, "seconds": 13}, "line": " Using r2 to examine libseclogin.so"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 41, "seconds": 30}, "line": " Examining ld.so.conf.d to identify if we can use ldconfig to hijack a library"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 42, "seconds": 10}, "line": " Creating a malicious library to hijack seclogin()"}, {"machine": "HackTheBox - Dab", "videoId": "JvqBaZ0WnV4", "timestamp": {"minutes": 45, "seconds": 10}, "line": " Lets bypass the login by hijacking printf()"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Begin of Recon (Port Scans)"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 4, "seconds": 9}, "line": " Reverse Image Searching an favicon to get application used"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 8, "seconds": 20}, "line": " NODE-RED: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 15, "seconds": 30}, "line": " NODE-RED: 
Running IP and Port Scans to identify lateral movement targets"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 24, "seconds": 29}, "line": " Downloading Chisel (Go Program for Tunnels)."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Shrinking Go Programs by using ldflags and upx packing from 10Mb to 3Mb!"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 27, "seconds": 0}, "line": " PowerPoint: Explaining Reverse Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 31, "seconds": 25}, "line": " WWW: Tunnel online, examining the website"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 34, "seconds": 23}, "line": " Full Port Scan to 172.19.0.2, discover REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Searching for ways to execute code against REDIS"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 38, "seconds": 7}, "line": " Using REDIS to create a PHP Shell"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 41, "seconds": 6}, "line": " PowerPoint: Explaining Local Pivot Tunnel using Chisel"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 44, "seconds": 30}, "line": " WWW: Reverse Shell Returned"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 45, "seconds": 45}, "line": " Notice wildcard used with RSYNC, go search GTFOBins"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 51, "seconds": 32}, "line": " Abusing the wildcard within RSYNC"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 57, "seconds": 
23}, "line": " WWW: Got Root, but no flag... Lets go look at RSYNC again."}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 60, "seconds": 15}, "line": " Explaining how to tunnel from Backup - WWW - NODE-RED - Kali"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 77, "seconds": 50}, "line": " Getting reverse shell on BACKUP via uploading CronJob through rsync"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 80, "seconds": 30}, "line": " BACKUP: Reverse Shell Returned... No root.txt here either!?"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 86, "seconds": 30}, "line": " BACKUP: Noticing this is has /dev/sda*, where other dockers do not"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 88, "seconds": 15}, "line": " BACKUP: Dropping a cronjob on root disk to get shell on the host"}, {"machine": "HackTheBox - Reddish", "videoId": "Yp4oxoQIBAM", "timestamp": {"minutes": 90, "seconds": 45}, "line": " ExtraContent: PowerPoint Reverse SOCKS5 Proxy with Chisel"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Begin of recon"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 2, "seconds": 45}, "line": " Checking out the website"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Using wfuzz to enumerate usernames"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Logging in with an account we created"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 7, "seconds": 23}, "line": " Checking out Change Password and noticing it does this poorly"}, {"machine": "HackTheBox - SecNotes", "videoId": 
"PJXb2pK8K84", "timestamp": {"minutes": 9, "seconds": 25}, "line": " Using the contact form, to see if tyler will follow links"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 14, "seconds": 14}, "line": " Changing Tyler's password by sending him to the ChangePassword Page"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Logged in and find SMB Share with credentials."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 16, "seconds": 15}, "line": " Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver."}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 17, "seconds": 48}, "line": " Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 19, "seconds": 15}, "line": " Downloading netcat for windows to use as a Reverse Shell"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 21, "seconds": 14}, "line": " Playing with Bash on Windows"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 22, "seconds": 35}, "line": " Finding the administrator password in ~/.bash_history"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- Box done"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 23, "seconds": 45}, "line": " Alternate way to find the .bash_history file"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 25, "seconds": 36}, "line": " Unintended way to bypass the CSRF. 
SQL Injection + bad Static Code analysis"}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "line": " In the Holiday video, I do a bit more that may be helpful with card type attacks "}, {"machine": "HackTheBox - SecNotes", "videoId": "PJXb2pK8K84", "timestamp": {"minutes": 0, "seconds": 1}, "line": " : https://www.youtube.com/watch?v=FvHyt7KrsPE&app=desktop"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 50}, "line": " Start of the box"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Attempting GoBuster but wildcard response gives issue"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Start of doing wfuzz to find content"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 10, "seconds": 38}, "line": " Manually testing SQLInjection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 13, "seconds": 7}, "line": " Running SQLMap and telling it exactly where the injection is"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 16, "seconds": 4}, "line": " Manually extracting files with the SQL Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Cracking the hash with hashcat"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Start of examining the custom webapp, playing with Template Injection"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Explaining a way to enumerate language behind a webapp"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 35, "seconds": 17}, "line": " Reverse Shell returned on first 
Docker Container"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 38, "seconds": 0}, "line": " Examining SQL Database"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 39, "seconds": 40}, "line": " Doing the Port Knock to open up SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 43, "seconds": 50}, "line": " Gain a foothold on the host of the docker container via ssh"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Identifying containers running"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 50, "seconds": 10}, "line": " Creating SSH Port Forwards without exiting SSH Session then NMAP through"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " SSH"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 55, "seconds": 11}, "line": " Begin looking into Portainer, finding a weak API Endpoint"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 59, "seconds": 0}, "line": " Start of creating a container in portainer that can access the root file"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " system"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 68, "seconds": 25}, "line": " Changing sudoers so dorthy can privesc to root"}, {"machine": "HackTheBox - Oz", "videoId": "yX00n1UmalE", "timestamp": {"minutes": 69, "seconds": 50}, "line": " Lets go back and create a python script to play with SQL Injection"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Begin of NMAP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 2, "seconds": 30}, 
"line": " Extra nmaps, SNMP and AllPorts"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Playing with OneSixtyOne (SNMP BruteForce)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Looking at SNMPWalk Output"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Installing SNMP Mibs so SNMPWalk is readable"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 10, "seconds": 5}, "line": " Accessing the box over Link Local IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Looking at Port 3366 (Website), getting PW from SNMP Info"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Getting IPv6 Routable Address via SNMP"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 19, "seconds": 20}, "line": " NMAP the IPv6 Address"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Accessing the page over IPv6"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Getting output from the command execution page"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 24, "seconds": 55}, "line": " Viewing Credentials Files and accessing the box via SSH"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Examining why loki cannot use /bin/su (getfacl)"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Getting a shell as www-data"}, {"machine": "HackTheBox - 
Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "line": " 38;10 - Finding the root.txt file from using find command to search for files by"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 0, "seconds": 1}, "line": " date"}, {"machine": "HackTheBox - Mischief", "videoId": "GKo6xoB1g4Q", "timestamp": {"minutes": 40, "seconds": 30}, "line": " Extra content, reading files via ICMP"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Looking at what Filtered means in Nmap"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Start of looking at webpage (GoBuster)"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Manual HTTP Enumeration"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Start of exploiting with BurpSuite"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 17, "seconds": 0}, "line": " SSH Key Found, logging in with nobody"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 19, "seconds": 12}, "line": " Discovering a second SSH Server"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 23, "seconds": 36}, "line": " Using the same SSH Key to login to the second SSH Server as monitor"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 24, "seconds": 38}, "line": " Escaping rBash by modifying an executable file in our current $PATH"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 28, "seconds": 13}, "line": " Running 
LinEnum.sh to search for PrivEscs"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 30, "seconds": 50}, "line": " Enabling ThoroughTests in LinEnum to see what else it will check"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Looking into capabilities permissions in linux"}, {"machine": "HackTheBox - Waldo", "videoId": "1klneIHECqY", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Begin of second way to escape rBash and setup a SSH Tunnel for fun"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Begin of recon "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Poking at DNS - Nothing really important."}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Examining what NMAP Scripts are ran. 
"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 6, "seconds": 35}, "line": " Lets just try out smbclient to list shares available"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 7, "seconds": 25}, "line": " Using SMBMap to show the same thing, a great recon tool!"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 8, "seconds": 30}, "line": " Pillaging the Replication Share with SMBMap"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 9, "seconds": 20}, "line": " Discovering Groups.xml and then decrypting passwords from it"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 13, "seconds": 10}, "line": " Dumping Active Directory users from linux with Impacket GetADUsers"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 16, "seconds": 28}, "line": " Using SMBMap with our user credentials to look for more shares"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 18, "seconds": 25}, "line": " Switching to Windows to run BloodHound against the domain "}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Analyzing BloodHound Output to discover Kerberoastable user"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 27, "seconds": 25}, "line": " Performing Kerberoast attack from linux with Impacket GetUserSPNs"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 29, "seconds": 0}, "line": " Cracking tgs 23 with Hashcat"}, {"machine": "HackTheBox - Active", "videoId": "jUc1J31DNdw", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Getting root on the box via PSEXEC"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 1, "seconds": 
0}, "line": " Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Checking FTP Server for hidden files"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Creating a bunch of files varying in length to narrow likely ciphers down."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 14, "seconds": 35}, "line": " Encrypting all of the above files and checking their file sizes"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 22, "seconds": 45}, "line": " Decrypting file, obtaining a password"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 24, "seconds": 25}, "line": " Begin looking at Drupal, running Droopescan"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 12}, "line": " Manually examining Drupal, finding a way to enumerate usernames"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 25, "seconds": 50}, "line": " Placing invalid emails in create account, is a semi-silent way to enumerate usernames"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Logging into Drupal with Admin. 
"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 29, "seconds": 25}, "line": " Gaining code execution by enabling PHP Plugin, then previewing a page with php code"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 33, "seconds": 25}, "line": " Running LinEnum.sh - Discover H2 (Database) runs as root"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Hunting for passwords in Drupal Configuration"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 39, "seconds": 25}, "line": " Finding database connection settings. SSHing with daniel and the database password (not needed)"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 40, "seconds": 10}, "line": " Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk\u2019s Loopback. 
Only need to do one of those, just showing its possible without daniel"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 44, "seconds": 30}, "line": " Accessing Hawk\u2019s H2 Service (8082) via the loopback address"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 51, "seconds": 45}, "line": " Logging into H2 by using a non-existent database, then testing code execution"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 52, "seconds": 50}, "line": " Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service."}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 59, "seconds": 50}, "line": " Reverted box, cleaning up environment then getting reverse shell"}, {"machine": "HackTheBox - Hawk", "videoId": "UGd9JE1ZXUI", "timestamp": {"minutes": 62, "seconds": 45}, "line": " Discovering could have logged into the database with Drupal Database Creds."}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Introduction, nmap"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Clicking around in Tomcat"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 2, "seconds": 20}, "line": " Playing around with HTTP Authentication"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Bruteforcing tomcat default creds with Hydra and seclists"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Sending 
hydra through a proxy to examine what is happening"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Logging into tomcat and using msfvenom + metasploit to upload a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 22, "seconds": 42}, "line": " Begin of doing this box without MSF"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 23, "seconds": 45}, "line": " Downloading a cmd jsp shell and making a malicious war file"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 26, "seconds": 25}, "line": " WebShell returned"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 28, "seconds": 0}, "line": " Begin of installing SilentTrinity"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 30, "seconds": 55}, "line": " SilentTrinity Started, starting listener and generating a payload"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Pasting the payload into the webshell"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 34, "seconds": 0}, "line": " Debugging SSL Handshake errors"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Starting SilentTrinity back up, how to use modules"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 39, "seconds": 10}, "line": " Start of Execute-Assembly, compiling Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 10}, "line": " Running Watson"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 43, "seconds": 30}, "line": " Start of Seatbelt and debugging why some dotNet code may 
not run (versioning issues)"}, {"machine": "HackTheBox - Jerry", "videoId": "PJeBIey8gc4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " SilentTrinity Talk: https://www.youtube.com/watch?v=NaFiAx737qg"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 0, "seconds": 42}, "line": " Begin of Nmap"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 4, "seconds": 23}, "line": " Examining the anonymous FTP Directory and discovering email addresses in Meta Data"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Manually enumerating valid email addresses via SMTP"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 10, "seconds": 50}, "line": " Creating a \"Canary Document\" in Word to ping back to our server when a word document is opened"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 13, "seconds": 14}, "line": " Generating a malicious RTF Document (CVE-2017-0199)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 26, "seconds": 28}, "line": " Shell Returned. 
Enumerating the AppLocker Policy"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 32, "seconds": 53}, "line": " Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 35, "seconds": 22}, "line": " Lets forget we had Tom and run Bloodhound from Nico!"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 40, "seconds": 30}, "line": " First time opening BloodHound on this box."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 49, "seconds": 45}, "line": " Lets update Bloodhound, looks like some data is missing and there were errors when running it"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 53, "seconds": 25}, "line": " Finding a path from Nico to BACKUP_ADMINS and explaining AD Security Objects (GenericWrite, WriteOwner,etc)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 58, "seconds": 23}, "line": " Taking Ownership over Herman then allowing Nico to change his password and examining bloodhound"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 61, "seconds": 40}, "line": " Adding Herman to the Backup_Admins group"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 64, "seconds": 30}, "line": " Finding the Administrator Password within backup scripts."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 67, "seconds": 0}, "line": " Attempting to run Watson (ends up not working)"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 83, "seconds": 22}, "line": " Using Metasploit to do the box"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 85, "seconds": 42}, "line": " Since Watson failed, 
lets just look at last patch times on the box to get an idea whats vulnerable."}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 87, "seconds": 19}, "line": " Attempting to do the ALPC Exploit within Metasploit"}, {"machine": "HackTheBox - Reel", "videoId": "ob9SgtFm6_g", "timestamp": {"minutes": 91, "seconds": 0}, "line": " That failed - Lets just prove the box is vulnerable, by overwriting a DLL"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Start of Recon"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 2, "seconds": 15}, "line": " TFTP Enumeration - Identifying configuration and OS information"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 6, "seconds": 32}, "line": " Finding a path to code execution"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 7, "seconds": 17}, "line": " Examining PSExec Metasploit Module"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 8, "seconds": 55}, "line": " Using irb within metasploit to print a powershell payload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 12, "seconds": 30}, "line": " Examining PsExec()"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Examining native_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 18, "seconds": 10}, "line": " Examining mof_upload"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 20, "seconds": 34}, "line": " Using irb within metasploit to print the MOF File"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 22, "seconds": 35}, "line": " Quick explanation of MOF Files"}, 
{"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 25, "seconds": 5}, "line": " Modifying the MOF to run NetCat"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Uploading nc to the target"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 28, "seconds": 50}, "line": " Uploading the malicious MOF File and getting a shell!"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 29, "seconds": 50}, "line": " Using Streams to view Hidden text within ADS"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ==== Box Done, Lets play with MSF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 33, "seconds": 8}, "line": " Start of Bonus Content, finding a TFTP Exploit that uses MOF"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 35, "seconds": 5}, "line": " Attempting to use distinct_tftp_traversal against DropZone"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 36, "seconds": 30}, "line": " Installing pry.byebug in order to allow us to drop to a debug console and step through metasploit modules"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 40, "seconds": 50}, "line": " Testing out pry.byebug"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Finding why the exploit module didn't work"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 44, "seconds": 50}, "line": " Module still doesn't work, TFTP Stopping mid transfer"}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 49, "seconds": 30}, "line": " Whoops, changed 
the delay on the wrong timeout "}, {"machine": "HackTheBox - DropZone", "videoId": "QzP5nUEhZeg", "timestamp": {"minutes": 51, "seconds": 0}, "line": " Meterpreter Shell returned, showing off the extended API and some WMI Commands."}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 0, "seconds": 38}, "line": " Begin of recon"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 1, "seconds": 48}, "line": " Gobuster, using -x aspx to find aspx pages"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 3, "seconds": 16}, "line": " Playing with a file upload form, seeing what can be uploaded"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 5, "seconds": 15}, "line": " Using Burp Intruder to automate checking file extensions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Finding a way to execute code from file upload in ASPX (web.config)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Executing code via web.config file upload"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 13, "seconds": 8}, "line": " Installing Merlin to be our C2"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 15, "seconds": 25}, "line": " Compiling the Merlin Windows Agent"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 18, "seconds": 37}, "line": " Modifying web.config to upload and execute merlin"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 21, "seconds": 14}, "line": " Merlin Shell returned!"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 24, "seconds": 18}, "line": " Checking for SEImpersonatePrivilege 
Token then doing Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 27, "seconds": 44}, "line": " Getting Admin via Juicy Potato"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 29, "seconds": 44}, "line": " Box completed"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 30, "seconds": 0}, "line": " Start of doing this box again, with Metasploit! Creating a payload with Unicorn"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 33, "seconds": 0}, "line": " Having troubles getting the server call back to us, trying Ping to see if the exploit is still working"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 34, "seconds": 17}, "line": " Reverted box. Have to update our payload with some updated VIEWSTATE parameters"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 36, "seconds": 45}, "line": " Metasploit Session Returned! Checking local_exploit_suggester"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 1}, "line": " Comparing local_exploit_suggester on x32 and x64 meterpreter sessions"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 40, "seconds": 30}, "line": " Getting Admin via MS10-092"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 42, "seconds": 5}, "line": " Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! 
(Fails, think I screwed up listening host #PivotProblems)"}, {"machine": "HackTheBox - Bounty", "videoId": "7ur4om1K98Y", "timestamp": {"minutes": 47, "seconds": 20}, "line": " Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Begin of recon"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Discovery of Wordpress and fixing broken links with burp"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Start of WPScan"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 7, "seconds": 14}, "line": " Start of poking at Monstra, (Rabbit Hole)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 13, "seconds": 5}, "line": " Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 16, "seconds": 30}, "line": " Reverse shell returned as www-data"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 8}, "line": " Confirming monstra was read-only"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 18, "seconds": 50}, "line": " Running LinEnum.sh to see www-data can run tar via sudo"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Use GTFOBins to find a way to execute code with Tar"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 22, "seconds": 0}, "line": " Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script"}, {"machine": "HackTheBox - 
Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 24, "seconds": 10}, "line": " Examining backuperer script"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Hunting for vulnerabilities in Backuperer"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 32, "seconds": 15}, "line": " Playing with If/Then exit codes in Bash. Turns out exit(0/1) evaluate as True, 2 is false"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 34, "seconds": 20}, "line": " Begin of exploiting the backuperer service by exploiting integrity check"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 36, "seconds": 40}, "line": " Creating our 32-bit setuid binary"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 39, "seconds": 16}, "line": " Replacing backup tar, with our malicious one. 
(File Owner of Shell is wrong)"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 40, "seconds": 54}, "line": " Explaining file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Exploiting the Backuperer Service via SetUID!"}, {"machine": "HackTheBox - Tartarsauce", "videoId": "9MeBiP637ZA", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Unintended Exploit: Using SymLinks to read files via backuperer service"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 54}, "line": " Start of Recon"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 3, "seconds": 10}, "line": " Start of GoBuster"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Looking at /upload, testing with a normal XML File"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 6, "seconds": 15}, "line": " Valid XML File created, begin of looking for XML Entity Injection XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 8, "seconds": 20}, "line": " XXE Returns a local file off the server"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 9, "seconds": 30}, "line": " Grabbing the source code to the webserver to find newpost function."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Discovery of vulnerability due to user data being passed to pickle"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 12, "seconds": 44}, "line": " Creating the script to exploit pickle"}, {"machine": "HackTheBox - 
DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 16, "seconds": 38}, "line": " Reverse shell returns!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 19, "seconds": 55}, "line": " Poking around at Source Code"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 20, "seconds": 15}, "line": " Discovery of an SSH Key within deployment stuff."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Trying SSH Key for other users on the box to see if it is valid"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 22, "seconds": 57}, "line": " Hunting for git files, the boxes name is \"Gitter\" and we have an SSH Key that goes nowhere. "}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Discovery ~roosa/work is the same as ~roosa/deploy but there's a .git repo in this one!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 23, "seconds": 45}, "line": " Examining Git Log to see the SSH Key has changed!"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 20}, "line": " SSH'ing with the old key, to see it's root's key."}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 25, "seconds": 58}, "line": " The webserver could read Roosa's SSH Key. 
Could bypass the entire pickle portion"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 26, "seconds": 20}, "line": " Start of \"Extra Practice\""}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 27, "seconds": 40}, "line": " Creating a Python Script to automate the LFI With XXE"}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " == Note this piece leads to failure. However, if we could convert the output to a more friendly format such as Base64 it would of worked. This is likely in PHP WebServers due to \"PHP Wrappers\", perhaps it is with python too but I don't know a way =="}, {"machine": "HackTheBox - DevOops", "videoId": "tQ34Ntkr7H4", "timestamp": {"minutes": 35, "seconds": 50}, "line": " Script completed, lets improve it to try to download an exposed git repo"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 0, "seconds": 55}, "line": " Begin of Recon Nmap, Identify OS Version, Check out Page to find hostname is streetfighterclub.htb."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 2, "seconds": 53}, "line": " Using GoBuster and WFUZZ to identify: members.streetfighterclub.htb and members.streetfighterclub.htb/old/login.asp"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 8, "seconds": 45}, "line": " Begin poking around the members.streetfighterclub.htb page - Find SQL Injection"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Boolean injection to force the query to return \"valid login\". 
Play with logins to find it always returns to \"Service not available\""}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 14, "seconds": 25}, "line": " Testing Union Injections for easy exfil of data"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 15, "seconds": 50}, "line": " Examining Stacked Queries to make running our own SQL Statements easy. Then bunch of injections to run Xp_CMDShell and get output."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 19, "seconds": 30}, "line": " Some valuable recon/information in debugging our SQL queries. Noticing small things really helps."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 34, "seconds": 40}, "line": " Start of making a program to give us a command shell."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 69, "seconds": 40}, "line": " Explaining the program we just created. Then fix a small bug."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 72, "seconds": 45}, "line": " Begin of popping the box the intended way. Finding powershell is blocked but specifying the 32-bit version is not"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 77, "seconds": 10}, "line": " Return of 32-bit PowerShell... Identifying we can append data to c:\\users\\decoder\\clean.bat -- That's odd lets try to place a shell in it to see if it is being ran."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 92, "seconds": 40}, "line": " Found the issue! Powershell is encoding in UTF-16 which is confusing cmd prompt. 
64-bit Shell as Decoder returned!"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 95, "seconds": 30}, "line": " Exploiting Capcom Driver to gain root shell, this post is super helpful: http://www.fuzzysecurity.com/tutorials/28.html"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 102, "seconds": 18}, "line": " Escalating to System via Capcom Exploit, then copying root.exe and checkdll.dll to our box so we can reverse it."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 107, "seconds": 25}, "line": " Looking at the binaries in Ida64 Free"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 111, "seconds": 14}, "line": " Explaining what's happening and then writing a script to bypass the password check."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 115, "seconds": 35}, "line": " Start of unintended way (Juicy Potato)"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 118, "seconds": 10}, "line": " Finding a world write-able spot under System32 for AppLocker Bypass, thanks @Bufferov3rride -- Then uploading JuicyPotato"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 126, "seconds": 10}, "line": " Start of modifying JuicyPotato to accept uppercase arguments."}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 130, "seconds": 14}, "line": " Finding a vulnerable CLSID to get JuicyPotato working"}, {"machine": "HackTheBox - Fighter", "videoId": "CW4mI5BkP9E", "timestamp": {"minutes": 148, "seconds": 25}, "line": " Running JuicyPotato with a vulnerable CLSID to gain a SYSTEM Shell, then create our own DLL to bypass the check."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 48}, "line": " Begin of NMAP 
Discovery of Finger"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 3, "seconds": 36}, "line": " Enumerating Finger with Finger-User-Enum"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 5, "seconds": 0}, "line": " Nmap'ing all ports quickly by lowering max-retries"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Adding an old Key Exchange Algorithm to SSH"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 9, "seconds": 30}, "line": " Showing Hydra doesn't work, then using Patator"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (Patator also can do Finger Enum! Try it out)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 11, "seconds": 19}, "line": " Using find to count lines in all wordlist files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 7}, "line": " Logged in with sunny:sunday"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 16, "seconds": 46}, "line": " Just noticed this box is oooooold, try to privesc with sudo and ShellShock (Fail)"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 18, "seconds": 53}, "line": " Privesc by overwriting the /root/troll binary"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 0, "seconds": 1}, "line": " == Box Done"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Using wget to exfil files quickly"}, 
{"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 24, "seconds": 50}, "line": " Viewing what wget --post-file looks like"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 25, "seconds": 50}, "line": " Creating a PHP Script to accept uploaded files"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 29, "seconds": 10}, "line": " Starting a php webserver with php -S (ip):(port) -t ."}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 31, "seconds": 10}, "line": " Replacing the root password by changing the shadow file"}, {"machine": "HackTheBox - Sunday", "videoId": "xUrq29OTSuM", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Demoing a way to create directories and upload files!"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of Recon, nmap filtered explanation"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Begin of initial DNSRecon, hunting for a domain name"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 6, "seconds": 4}, "line": " Web page enumeration, finding xdebug in header"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 9, "seconds": 47}, "line": " Installing xdebug plugin in Chrome to show its use"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 12, "seconds": 50}, "line": " Getting a reverse shell on the first docker (Icarus)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 15, 
"seconds": 0}, "line": " Setting up nginx to accept files uploaded over HTTP / WebDav"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Examining the Wireless Capture from Icarus"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Cracking WPA with aircrack / hashcat"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Decrypting WPA traffic in Wireshark"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 27, "seconds": 50}, "line": " Enumerating valid usernames via SSH (CVE-2018-15473)"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 33, "seconds": 15}, "line": " SSH into port 2222 with information from Wireless Capture"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 34, "seconds": 40}, "line": " Domain Name found! 
Time to do a DNS Zone Transfer"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 36, "seconds": 15}, "line": " Port Knocking to open up port 22"}, {"machine": "HackTheBox - Olympus", "videoId": "7ifJOon5-G8", "timestamp": {"minutes": 40, "seconds": 5}, "line": " PrivEsc to root via being a member of the Docker Group"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 43}, "line": " Start of Recon, nmap and poking around the website"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Dirbusting a site that always respond 200"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 9, "seconds": 43}, "line": " Switching to a different Wordlist (SecLists/Discovery/Web/Common)"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 10, "seconds": 48}, "line": " Discovery of .git - Poking around to clone it and download"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 15, "seconds": 10}, "line": " Downloaded .git, examining commit history"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Start of Pickle Talk"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 21, "seconds": 25}, "line": " Begin writing of the pickle exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 28, "seconds": 45}, "line": " Return of Reverse Shell as www-data"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 32, "seconds": 30}, "line": " Begin looking into CouchDB"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 34, "seconds": 0}, "line": " Poking around at documents within CouchDB"}, {"machine": "HackTheBox - 
Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 36, "seconds": 15}, "line": " Examining first exploit with creating a CouchDB User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 39, "seconds": 50}, "line": " Exploring the passwords database with our newly created admin user and finding Homers Password."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Getting root with sudo pip install"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 45, "seconds": 55}, "line": " Box Done. Begin second unintended way to get to Homer User"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 47, "seconds": 3}, "line": " Playing with the public RCE Exploit for CouchDB "}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 48, "seconds": 20}, "line": " Running the exploit"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 49, "seconds": 36}, "line": " Examining the exploit, doing each step manually to see where it fails"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 54, "seconds": 30}, "line": " Searching on how to create a new CouchDB Cluster, maybe it will allow this work?"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 55, "seconds": 55}, "line": " Digging into how erlang works"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 57, "seconds": 30}, "line": " Finding default CouchDB Cookie"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 59, "seconds": 10}, "line": " Connecting to the Erlang pool then searching for how to run commands."}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 61, "seconds": 54}, "line": " 
Exploring how to send long commands as distributed task"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 64, "seconds": 30}, "line": " Getting reverse shell"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Extra Links"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://malicious.link/post/2018/erlang-arce/"}, {"machine": "HackTheBox - Canape", "videoId": "rs75y2qPonc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Blackhat 2011 - Sour Pickles - https://www.youtube.com/watch?v=HsZWFMKsM08"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 0, "seconds": 56}, "line": " Start of recon, use Bootstrap XSL Script to make nmap pretty"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 10}, "line": " Looking at nmap in web browser "}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 3, "seconds": 52}, "line": " Navigating to the web page, and testing all the pages."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 6, "seconds": 25}, "line": " Testing for LFI"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 8, "seconds": 40}, "line": " Testing for RFI (Remote File Inclusion) [not vuln]"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Code Execution via LFI + phpinfo()"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Modifying the PHP-LFI Script code to 
get it working"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 17, "seconds": 10}, "line": " Debugging the script to see why tmp_name couldn't be found"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 20, "seconds": 12}, "line": " Shell returned!"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 21, "seconds": 25}, "line": " Looking at pwdbackup.txt and decoding 13 times to get password."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 23, "seconds": 37}, "line": " SSH into the box (Do not privesc right away!)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 24, "seconds": 29}, "line": " Getting shell via Log Poisoning"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 26, "seconds": 39}, "line": " Whoops. Broke the exploit, because of bad PHP Code... We'll come back to this! (42:50)"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 28, "seconds": 47}, "line": " Begin of PrivEsc, grabbing secret.zip off"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 32, "seconds": 38}, "line": " Searching for processes running as root, find VNC"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 33, "seconds": 49}, "line": " Setting up SSH Tunnels without exiting SSH Session."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 37, "seconds": 43}, "line": " Something weird happend... 
Setting up SSH Tunnels manually."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 40, "seconds": 10}, "line": " PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password"}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 41, "seconds": 40}, "line": " Decrypting the VNC Password because we can."}, {"machine": "HackTheBox - Poison", "videoId": "rs4zEwONzzk", "timestamp": {"minutes": 42, "seconds": 50}, "line": " Examining the log file to see why our Log Poison Failed, then doing the Log Poison"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 1, "seconds": 11}, "line": " Begin of recon"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 3, "seconds": 48}, "line": " Manually checking the page out"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Discovering the webserver is java/tomcact"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 5, "seconds": 35}, "line": " Starting up GoBuster / Hydra"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 9, "seconds": 40}, "line": " The Directory /Monitoring was found - Discovering its Struts because of .action"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 11, "seconds": 0}, "line": " Stumbling upon an exploit trying to find out how to enumerate Struts Versions"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 14, "seconds": 10}, "line": " Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 21, "seconds": 10}, "line": " Using a HTTP Forward Shell to get around 
the strict firewall"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " # Sokar Video Explaining it: https://www.youtube.com/watch?v=k6ri-LFWEj4"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " # Inception - Another box where i modify the FWD Shell POC: https://www.youtube.com/watch?v=J2I-5xPgyXk&t=3s"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 22, "seconds": 40}, "line": " Go here if you want to start copying the Forward Shell Script"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 23, "seconds": 34}, "line": " Explaining how it works"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 25, "seconds": 10}, "line": " Explaining the code"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 31, "seconds": 6}, "line": " Forward Shell Returned - Enumerating Database to find creds"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 37, "seconds": 29}, "line": " Examining User.py"}, {"machine": "HackTheBox - Stratosphere", "videoId": "uMwcJQcUnmY", "timestamp": {"minutes": 40, "seconds": 15}, "line": " Privesc: Abusing Python's Path to load a malicious library and sudo user.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 58}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 3, "seconds": 0}, "line": " Looking at the web application and finding the Serialized Cookie"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 4, "seconds": 38}, "line": " Googling for Node JS Deserialization Exploits"}, {"machine": "HackTheBox - Celestial", "videoId": 
"aS6z4NgRysU", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Start of building our payload"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 7, "seconds": 10}, "line": " Examining Node-Serialize to see what the heck _$$ND_FUNC$$_ is"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 9, "seconds": 10}, "line": " Moving our serialized object to \"Name\", hoping to get to read stdout"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Really busing the deserialize function by removing the Immediately Invokked Expression (IIFE)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 13, "seconds": 25}, "line": " Failing to convert an object (stdout) to string."}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 14, "seconds": 2}, "line": " Verifying code execution via ping"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 15, "seconds": 32}, "line": " Code execution verified, gaining a shell"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (Get a shell via NodeJSShell at end of video)"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 18, "seconds": 49}, "line": " Reverse shell returned, running LinEnum.sh"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 21, "seconds": 26}, "line": " Examining logs to find the Cron Job running as root"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 22, "seconds": 9}, "line": " Privesc by placing a python root shell in script.py"}, {"machine": "HackTheBox - Celestial", "videoId": "aS6z4NgRysU", "timestamp": {"minutes": 24, "seconds": 15}, "line": " Going back and 
getting a shell with NodeJSShell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 1, "seconds": 40}, "line": " Begin of Recon (nmap, setting hostname, dns, nmap, ipv6)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Checking websites (80,443,8080)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 8, "seconds": 10}, "line": " Attempting to enumerate users of OWA-2010 (Fails)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 14, "seconds": 10}, "line": " Checking out Joomla Version (/administrator/manifets/files/joomla.xml)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 15, "seconds": 50}, "line": " Using SearchSploit with (Complain Management System)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 19, "seconds": 38}, "line": " Register Account, Login, Verify/Play with SQL Union Injection"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 23, "seconds": 30}, "line": " Enumerating SQL Injection with SQLMap"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 29, "seconds": 18}, "line": " Going back to MSF/OWA_LOGIN and testing credentials."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 32, "seconds": 15}, "line": " Logging into OWA and reading email to find out OpenOFfice, Defender, and Powershell Constain Mode is installed"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 36, "seconds": 20}, "line": " Creating a malicious OpenOffice macro with LibreOffice + Downloading an Executing a file without Powershell (certutil ftw)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 40, "seconds": 18}, "line": " Compiling 
Merlin (like MSF/Empire)"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 48, "seconds": 40}, "line": " Sending the email and waiting."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 50, "seconds": 20}, "line": " Merlin call back, Switch to Powershell Nishang to get a interactive shell"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 54, "seconds": 30}, "line": " Running PowerUp to find we are an Administrator"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 56, "seconds": 56}, "line": " Running JAWS to do some more Windows Enumeration"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 63, "seconds": 4}, "line": " Found an odd scheduled task \"System Maintenance\""}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 66, "seconds": 3}, "line": " Attempting to write a php shell to HTTPD"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "line": " * Begin of weird issue with File Encoding breaking something *"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 72, "seconds": 30}, "line": " Frusterated creating a PHP Script... Switch to the SCHTask Privesc"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 78, "seconds": 20}, "line": " Uhh. Testing if echo is somehow breaking .bat/.php files"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "line": " * Wth. 
That was actually the issue!?"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 81, "seconds": 50}, "line": " Going back to test PHP to verify it just didn't like echo."}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Videos mentioned:"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Charon - Exploring Union Injection: https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "HackTheBox - Rabbit", "videoId": "5nnJq_IWJog", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Enterprise - Exploring Double Union Injection - https://www.youtube.com/watch?v=NWVJ2b0D1r8"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Begin of recon"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 3, "seconds": 15}, "line": " Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 8, "seconds": 45}, "line": " Bruteforcing the SID with ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Holy crap, this is slow lets also do it with Metasploit"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Bruteforcing valid logins with ODAT"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 16, "seconds": 0}, "line": " Credentials returned, logging into Oracle with SQLPlus as SysDBA"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Reading files from disk via Oracle"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 23, "seconds": 20}, "line": " Writing files 
to disk from Oracle. Testing it in WebRoot Directory"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 25, "seconds": 52}, "line": " File Written, lets write an ASPX WebShell to the Server"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 29, "seconds": 10}, "line": " WebShell Working! Lets get a Reverse Shell"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 31, "seconds": 28}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 32, "seconds": 24}, "line": " Finding a DropBox link, but password doesn't display well."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 33, "seconds": 55}, "line": " Attempting to copy file via SMB to view UTF8 Text"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 35, "seconds": 18}, "line": " That didn't work, lets transfer the file by encoding it in Base64."}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 36, "seconds": 55}, "line": " Got the password lets download the dump!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 39, "seconds": 10}, "line": " Begin of Volatility"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 45, "seconds": 20}, "line": " Running the HashDump plugin from volatilty then PassTheHash with Administrator's NTLM!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### Box Done"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 47, "seconds": 35}, "line": " Begin of unintended way, examining odat and uploading an meterpreter exe"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 50, "seconds": 30}, "line": " Using odat 
externaltable to execute meterpreter and get a system shell!"}, {"machine": "HackTheBox - Silo", "videoId": "2c7SzNo9uoA", "timestamp": {"minutes": 52, "seconds": 20}, "line": " Examining odat verbosity flag to see what commands it runs and try to learn."}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 25}, "line": " Start of Recon, identifying end of life OS from nmap"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 3, "seconds": 20}, "line": " Running vulnerability scripts in nmap to discover heartbleed"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " (In video on Blue, I go a bit more in NMAP Scripts. https://www.youtube.com/watch?v=YRsfX6DW10E)"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 4, "seconds": 16}, "line": " Going to the HTTP Page to see what it looks like"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Begin of Heartbleed - Grabbing Python Module"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 7, "seconds": 13}, "line": " Explaining Heartbleed -- XKCD ftw"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Explaining and running the exploit"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Exporting large chunks of memory by running in a loop"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 14, "seconds": 10}, "line": " Finding an encrypted SSH Key on the server"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 15, "seconds": 35}, "line": " Examining heartbleed output to discover SSH Key Password"}, 
{"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 17, "seconds": 45}, "line": " SSH as low priv user returned"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 21, "seconds": 55}, "line": " Finding a writable tmux socket to hijack session and find a root shell"}, {"machine": "HackTheBox - Valentine", "videoId": "XYXNvemgJUo", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Alternative Privesc, DirtyC0w"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 1, "seconds": 26}, "line": " Start of Recon"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 25}, "line": " Notice SSH configured for Pub Key Only. Hint at what to grab later!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Grabbing test.txt off ftp server via anonymous auth"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 4, "seconds": 7}, "line": " Determining if I want to go down the \"Exploit VSFTPD\" rabbit hole"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 5, "seconds": 54}, "line": " Viewing test.txt and hosts.php"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 6, "seconds": 48}, "line": " Figuring out how hosts.php works and discovering XXE"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 8, "seconds": 58}, "line": " Start of XXE Discovery"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 10, "seconds": 16}, "line": " Making the XXE Output /etc/passwd"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 11, "seconds": 33}, "line": " Encoding output in Base64 in order to view PHP Files"}, {"machine": "HackTheBox - Aragog", 
"videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 12, "seconds": 58}, "line": " Using Burp Intruder to BruteForce Files"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 16, "seconds": 20}, "line": " Creating a program to bruteforce home directories"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 26, "seconds": 41}, "line": " Program Finished. Finding SSH ID_RSA Key"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 28, "seconds": 15}, "line": " Low Priv Access Granted"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 30, "seconds": 24}, "line": " LinEnum.sh shows Wordpress CHMOD'd to 777"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 31, "seconds": 5}, "line": " Examining Wordpress Site (big hint left by author)"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 32, "seconds": 10}, "line": " Enumerating MySQL Database"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 35, "seconds": 15}, "line": " Giving up on MySQL, lets edit PHP Files to dump passwords!"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 36, "seconds": 50}, "line": " Identifying the file we want to backdoor"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 37, "seconds": 51}, "line": " Placing our PHP Code"}, {"machine": "HackTheBox - Aragog", "videoId": "NFdi-2tgvxY", "timestamp": {"minutes": 42, "seconds": 6}, "line": " Got the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 1, "seconds": 54}, "line": " Begin Recon, Windows IIS/OS Mapping and GoBuster"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Explanation of Virtual Host 
Routing"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Developers name exposed in HTML Source, also discover /monitor"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 11, "seconds": 10}, "line": " Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " erstand CSRF and write an automated bruteforcer"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 16, "seconds": 33}, "line": " Discover of Internal-01.bart.htb"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 19, "seconds": 17}, "line": " Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 29, "seconds": 34}, "line": " Finally got Hydra to return the password!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Log Poisoning + LFI = Remote Code Execution"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 37, "seconds": 30}, "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 41, "seconds": 30}, "line": " Why you should check if you're a 32-bit process on a 64-bit machine"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### Start of Failing attempting to do a RunAs... 
Lol."}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 48, "seconds": 35}, "line": " Attempting to use b33f/FuzzySecurity Invoke-RunAs"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 56, "seconds": 0}, "line": " Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 63, "seconds": 40}, "line": " ARGH! Lets try to use this account via Empire"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 71, "seconds": 0}, "line": " Bring out the big guns, it's Metasploit Time!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 78, "seconds": 10}, "line": " Alright, lets poke a hole in the firewall and connect over SMB!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 17}, "line": " Failed to PSExec in MSF"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### End of Failing!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 81, "seconds": 40}, "line": " Found Impacket-PSExec! 
And it works!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### Box Done"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 83, "seconds": 45}, "line": " Lets go hunt for creds!"}, {"machine": "HackTheBox - Bart", "videoId": "Cz6vQvGGiuc", "timestamp": {"minutes": 95, "seconds": 23}, "line": " Cracking Salted Hashes with Hashcat (Sha265.Salt)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Original Video with In-Depth Explanations of Intended Solution: https://youtu.be/frh-jYaUvrU"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 1, "seconds": 10}, "line": " End of intro, Start of nmap"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 2, "seconds": 47}, "line": " Playing with Second-Order Union Injection"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 5, "seconds": 44}, "line": " Dumping all users"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 7, "seconds": 15}, "line": " Converting SFTP Exploit from 64bit to 32bit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 13, "seconds": 27}, "line": " Reversing SLS Binary"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 15, "seconds": 19}, "line": " Kernel Exploit"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 22, "seconds": 31}, "line": " First Method - Executing ELF Binaries 
from memory (Reflective loading elf)"}, {"machine": "HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions", "videoId": "TVhtjiSedjU", "timestamp": {"minutes": 35, "seconds": 57}, "line": " Second Method - Crashing a program to create a write-able file."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Edit: Whoops forgot @stefano_118 helped create this machine! "}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 1, "seconds": 50}, "line": " Start of Recon"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 4, "seconds": 58}, "line": " /documents and /secret rabbit hole enumeration"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 8, "seconds": 13}, "line": " Using wfuzz on the /secret rabbit hole to find argument for download.php"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Begin of Web Application Enumeration, some XSS Found"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 18, "seconds": 23}, "line": " Throwing bad characters in username and finding Second-Order SQL Injection."}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Begin of Union Injection to dump the database via second order sql injection"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 39, "seconds": 36}, "line": " Dumping users and passwords from SysAdmin table and using Hydra to bruteforce SSH"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 43, "seconds": 54}, "line": " Enumerating SFTP (Using SSHFS to Dump a File Listing)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 53, "seconds": 
0}, "line": " Converting 64-Bit SFTP Exploit to 32-Bit"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 71, "seconds": 46}, "line": " Reverse Shell Returned, some stuff and finding Set-GID Binary"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 82, "seconds": 55}, "line": " Reversing SLS binary with Radare2 (r2)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 107, "seconds": 53}, "line": " Exploiting SLS Binary with new line character (Get to Decoder User)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 111, "seconds": 47}, "line": " Begin of Kernel Exploitation (CVE-2017-1000112)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 116, "seconds": 0}, "line": " Kernel Exploit Compiled (silly mistake before)"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 119, "seconds": 52}, "line": " Creating a new lsb-release file so exploit can identify kernel"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 127, "seconds": 3}, "line": " Recap of Box"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 129, "seconds": 56}, "line": " Creating a Tamper Script to do Second-Order SQL Injection"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ###"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " #Referenced Videos:"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ## Holiday Hack Analytics - https://www.youtube.com/watch?v=zcJyhDC9kgo/watch?v=zcJyhDC9kgo"}, {"machine": "HackTheBox - Nightmare", "videoId": "frh-jYaUvrU", "timestamp": 
{"minutes": 0, "seconds": 1}, "line": " ## Charon (Union Injection) - https://www.youtube.com/watch?v=_csbKuOlmdE"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Testing out a new microphone, enjoy the random video."}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 1, "seconds": 18}, "line": " Downloading Empire + PowerShell Port Forward"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 2, "seconds": 13}, "line": " Explaining Empire Directory Structure"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 3, "seconds": 28}, "line": " Copying the PowerShell Template (Empire Module) to a working directory"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 4, "seconds": 30}, "line": " Creating the Empire Module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Converting PowerShell Port Forward Script to an Empire Friendly Format"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 14, "seconds": 54}, "line": " Starting Empire"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 16, "seconds": 58}, "line": " Empire Agent Active"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 19, "seconds": 50}, "line": " Checking if the module worked. It did not, begin troubleshooting!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 20}, "line": " Found the Error! 
Huzzah!"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 24, "seconds": 50}, "line": " Reloading the module"}, {"machine": "How To Create Empire Modules", "videoId": "6l4ZIKwzW8U", "timestamp": {"minutes": 26, "seconds": 4}, "line": " Executing the module again, this time it works."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 18}, "line": " Start of Recon"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Finding hidden directory via Source"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 2, "seconds": 15}, "line": " Downloading NibbleBlog to help us with finding version information"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 3, "seconds": 59}, "line": " Identifying what version of NibblesBlog is running"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 4, "seconds": 42}, "line": " Using SearchSploit to find vulnerabilities"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 5, "seconds": 36}, "line": " Examining the Exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 6, "seconds": 8}, "line": " Explanation of exploit"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 7, "seconds": 25}, "line": " Attempting to find valid usernames for NibblesBlog"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 9, "seconds": 13}, "line": " Finding usernames in /content/private"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 10, "seconds": 15}, "line": " Using Hydra to attempt to bruteforce"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 14, 
"seconds": 8}, "line": " Oh crap. Hydra not good idea we're blocked..."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 0, "seconds": 1}, "line": " -- Some minor panicing about how to continue"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 15, "seconds": 40}, "line": " Using SSH Proxies to hit nibbles from another box (Falafel)"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Guessing the password"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 20, "seconds": 10}, "line": " Logged in, lets attempt our exploit!"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 22, "seconds": 46}, "line": " Code Execution achieved. Lets get a reverse shell"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 24, "seconds": 53}, "line": " Reverse shell returned."}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 0}, "line": " Running sudo -l examine sudoer, then finding out why sudo took forever to return"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 26, "seconds": 50}, "line": " Privesc via bad sudo rules"}, {"machine": "HackTheBox - Nibbles", "videoId": "s_0GcRGv6Ds", "timestamp": {"minutes": 32, "seconds": 10}, "line": " Alternative PrivEsc via RationalLove"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 0, "seconds": 1}, "line": " *Note: RationalLove was patched after I did this box. So mistakenly thought it was still vulnerable. 
Enjoy the fails/confusion!"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 4, "seconds": 25}, "line": " Bruteforcing valid users"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Manually finding SQL Injection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 13, "seconds": 13}, "line": " Using --string with SQLMap to aid Boolean Detection"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 15, "seconds": 41}, "line": " PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 18, "seconds": 35}, "line": " Attempting Wget Exploit with FTP Redirection (failed)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 26, "seconds": 39}, "line": " Exploiting wget's maximum file length"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 33, "seconds": 30}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 36, "seconds": 19}, "line": " Linux Priv Checking Enum"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Checking web crap for passwords"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 44, "seconds": 0}, "line": " Grabbing the screenshot of tty"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 49, "seconds": 0}, "line": " Privesc via Yossi being in Disk Group (debugfs)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 50, 
"seconds": 15}, "line": " Grabbing ssh root key off /dev/sda1"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 52, "seconds": 15}, "line": " Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)"}, {"machine": "HackTheBox - Falafel", "videoId": "CUbWpteTfio", "timestamp": {"minutes": 67, "seconds": 42}, "line": " Manually exploiting the SQL Injection! with Python"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 1, "seconds": 18}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 4, "seconds": 55}, "line": " Start of aChat buffer Overflow: Finding the exploit script with Searchsploit"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 7, "seconds": 24}, "line": " Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 9, "seconds": 42}, "line": " Correction: Payload Size wrong, should be 3,xxx -- look at \"Payload Size\" I accidentally highlighted the size of the python file."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 14, "seconds": 30}, "line": " Whoops, erased too much out of POC. 
Lets correctly replace the shellcode this time and get a shell."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Running PowerUp to find AutoLogon Credentials"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 20, "seconds": 5}, "line": " Running Code as Administrator"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 24, "seconds": 18}, "line": " First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work. "}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 27, "seconds": 30}, "line": " Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the files access list. Get-ACL to view access list and cacls to modify"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 33, "seconds": 12}, "line": " Summary of the box"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### BOX DONE"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 34, "seconds": 37}, "line": " Doing the box with Metasploit, Warning: Lots of fails."}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 43, "seconds": 10}, "line": " Using meterpreters PortFwd to bypass ChatterBox's firewall and access port 445"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 51, "seconds": 25}, "line": " Doing the box with Empire !"}, {"machine": "HackTheBox - Chatterbox", "videoId": "_dRrvJNdP-s", "timestamp": {"minutes": 58, "seconds": 20}, "line": " Using Empire's Run_As module to execute commands as Administrator"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 2, "seconds": 8}, 
"line": " Begin of Recon"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 14, "seconds": 0}, "line": " XXE Detection on Fulcrum API"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 17, "seconds": 40}, "line": " XXE Get Files"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 23, "seconds": 40}, "line": " XXE File Retrieval Working"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 24, "seconds": 30}, "line": " Lets Code a Python WebServer to Aid in XXE Exploitation"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 39, "seconds": 45}, "line": " Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 47, "seconds": 28}, "line": " Shell Returned + Go Over LinEnum"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 56, "seconds": 49}, "line": " Finding WebUser's Password and using WinRM to pivot"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 66, "seconds": 0}, "line": " Getting Shell via WinRM, finding LDAP Credentials"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 74, "seconds": 0}, "line": " Using PowerView to Enumerate AD Users"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 87, "seconds": 6}, "line": " Start of getting a Shell on FILE (TroubleShooting FW)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 95, "seconds": 35}, "line": " Getting shell over TCP/53 on FILE"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 97, "seconds": 58}, "line": " Finding credentials on scripts in Active Directories NetLogon Share, then 
finding a way to execute code as the Domain Admin... Triple Hop Nightmare"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 118, "seconds": 10}, "line": " Troubleshooting the error correctly and getting Domain Admin!"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 123, "seconds": 54}, "line": " Begin of unintended method (Rooting the initial Linux Hop)"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 129, "seconds": 54}, "line": " Root Exploit Found"}, {"machine": "HackTheBox - Fulcrum", "videoId": "46RJxJ-Fm0Y", "timestamp": {"minutes": 132, "seconds": 25}, "line": " Mounting the VMDK Files and accessing AD."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 1, "seconds": 18}, "line": " Begin of Recon: Getting ubuntu version"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Navigating to the CrimeStoppers Page"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 15}, "line": " First Hint - Read The Source!"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 5, "seconds": 50}, "line": " 2nd Hint - No SQL Databases and playing with the upload form"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 7, "seconds": 55}, "line": " 3rd Hint - Setting Admin cookie to 1 to see whiterose.txt"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Explanation of PHP App and why I went down testing $op parameter"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 10, "seconds": 45}, "line": " Testing $op parameter, another hint what year is it?"}, {"machine": "HackTheBox - 
CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 12, "seconds": 20}, "line": " Finding out $op appends .php"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 13, "seconds": 5}, "line": " Using php b64 filter to view php files (\"Read the source luke\")"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 22, "seconds": 50}, "line": " Looking into PHP Wrappers to try to gain code execution"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 24, "seconds": 50}, "line": " Placing our PHP Script in a zip so we can reference it with zip://, also improperly upload it to the server"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 26, "seconds": 20}, "line": " Attempting to use the zip:// wrapper to execute our php script, then troubleshooting the bad upload."}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 30, "seconds": 30}, "line": " Easy way to copy binary data into BurpSuite (Base64)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 34, "seconds": 10}, "line": " Getting a shell"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 37, "seconds": 18}, "line": " Downloading ThunderBird Directory and reading email + getting dom's password"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 46, "seconds": 20}, "line": " Begin of looking into Apache Rootkit (mod_rootme)"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 48, "seconds": 4}, "line": " Begin of using r2 (Radare) to analyze rootkit, basic intro"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 50, "seconds": 55}, "line": " Analyzing DarkArmy 
Function"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 55, "seconds": 30}, "line": " Grabbing the strings and using python to XOR them to get secret that allows root"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 58, "seconds": 35}, "line": " Get Root "}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ##### BOX DONE"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 59, "seconds": 10}, "line": " Potential rabbit hole in the binary /var/www/html/whiterose.txt in the binary"}, {"machine": "HackTheBox - CrimeStoppers", "videoId": "bgKth1K44QA", "timestamp": {"minutes": 64, "seconds": 20}, "line": " Second way to get root, looking around at file modification times to find FunSociety in logs"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Start of NMAP"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 4, "seconds": 17}, "line": " Begin of Sharepoint/GoBuster (Special Sharepoint List)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 6, "seconds": 32}, "line": " Manually browsing to Sitecontent (Get FTP Creds)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 10, "seconds": 18}, "line": " Mirror FTP + Pillage for information, Find keypass in Tim's directory and crack it."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 18, "seconds": 22}, "line": " Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 25, "seconds": 24}, "line": " Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell"}, {"machine": 
"HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 34, "seconds": 35}, "line": " Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 40, "seconds": 0}, "line": " Begin of RottenPotato without MSF (Decoder's Lonely Potato)"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 45, "seconds": 56}, "line": " Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 58, "seconds": 0}, "line": " Lonely Potato Running to return a Admin Shell"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### BOX DONE"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 64, "seconds": 22}, "line": " Finding CVE-2017-0213"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 68, "seconds": 33}, "line": " Installing Visual Studio 2015 && Compiling the exploit"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 75, "seconds": 50}, "line": " Exploit Compiled, trying to get it to work...."}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 78, "seconds": 11}, "line": " Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 88, "seconds": 37}, "line": " Found the issue, exploit seems to require interactive process"}, {"machine": "HackTheBox - Tally", "videoId": "l-wzBhc9wFc", "timestamp": {"minutes": 90, "seconds": 0}, "line": " Begin of Firefox Exploit Cluster (Not recommended to watch lol). 
It's a second unreliable way to get user"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 1, "seconds": 19}, "line": " Begin of Enumeration"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 4, "seconds": 15}, "line": " Avoiding the Rabbit Hole on port 80 (IIS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 6, "seconds": 0}, "line": " Begin of Jenkins"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Using Jenkins Script Console (Groovy) to gain code execution"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Reverse TCP Shell via Nishang"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 22, "seconds": 20}, "line": " Powersploit's Invoke-AllChecks completes"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 24, "seconds": 20}, "line": " Finding Keepass Database using Impack-SMBServer to transfer files"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Cracking the KeePass Database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 30, "seconds": 20}, "line": " Using KeePass2 to open database"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 34, "seconds": 25}, "line": " PassTheHash via pth-winexe to gain administrator shell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 35, "seconds": 20}, "line": " Grabbing root.txt that is hidden via Alternate Data Streams 
(ADS)"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### BOX DONE"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 39, "seconds": 0}, "line": " Using RottenPotato to escalate to root via MSF"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Using Unicorn to gain a reverse MSF SHell"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 45, "seconds": 20}, "line": " Performing the attack"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Impersonating Token to gain root"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ### Unintended Done. Rest of video is me failing around, may be useful?"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Good Read: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/"}, {"machine": "HackTheBox - Jeeves", "videoId": "EKGBskG8APc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you want to try Rotten Potato without MSF Read this: https://decoder.cloud/2017/12/23/the-lonely-potato/"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 1, "seconds": 25}, "line": " Begin of recon"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 2, "seconds": 20}, "line": " Wiresharking NMAP to identify fingerprint"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 5, "seconds": 53}, "line": " Checking the WebPage"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 9, "seconds": 15}, "line": " Finding /sync 
and why web browser has a 403"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Using wfuzz to find what arguments /sync takes"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 15, "seconds": 45}, "line": " The actual wfuzz command"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 20, "seconds": 30}, "line": " Finding Bad Characters with wfuzz"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 24, "seconds": 51}, "line": " Getting command execution"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 43, "seconds": 40}, "line": " Privesc to root abusing custom script"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " #### Box Done"}, {"machine": "HackTheBox - Flux Capacitor", "videoId": "XLIBbkQJKuY", "timestamp": {"minutes": 47, "seconds": 48}, "line": " Examining how NGINX/OpenResty was configured"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 23}, "line": " Explaining VM Layout"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 1, "seconds": 47}, "line": " Nmap Start"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 5, "seconds": 20}, "line": " Poking at Virtual Host Routing (Beehive & Calvin)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 10, "seconds": 25}, "line": " Fixing GoBuster to find /cgi-bin/"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 11, "seconds": 48}, 
"line": " Enumerating WAF (Web Application Firewall), to see how it detects Shellshock"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 15, "seconds": 8}, "line": " Using VirtualHostRouting to navigate to Calvin.htb.htb"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 18, "seconds": 15}, "line": " Using ImageTragick to exploit Calvin"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 25, "seconds": 30}, "line": " Calvin Reverse shell returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 31, "seconds": 35}, "line": " Poking at /common, which allows pivot to Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 34, "seconds": 20}, "line": " SSH into the Bastion Host"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 38, "seconds": 45}, "line": " Explain SSH Local and Remote Port Forwarding"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 46, "seconds": 0}, "line": " Beehive Reverse Shell Returned"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Finding the root password via /common/containers/bastion-live/Dockerfile"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 54, "seconds": 50}, "line": " PrivEsc via Docker (much like the LXC shown in Calamity)"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 57, "seconds": 5}, "line": " Getting root access to filesystem"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ==== BOX DONE."}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 58, "seconds": 10}, "line": " Failing to get root 
shell via Crontab"}, {"machine": "HackTheBox - Ariekei", "videoId": "Pc4tzsn-ats", "timestamp": {"minutes": 66, "seconds": 20}, "line": " Yeah screw crontab, lets just create an ssh key."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " The CSRF Video I refer to is here: https://www.youtube.com/watch?v=d2nVDoVr0jE at 42m"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Start of Recon, nmap + dump web users"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 3, "seconds": 35}, "line": " Writing Python Program to dump users."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 12, "seconds": 0}, "line": " Dumping Users/Group done. Now to dump PW Hints"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 0}, "line": " Python coding done."}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 24, "seconds": 57}, "line": " Examining the PW Reset Functionality, reset King (Unintended)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 29, "seconds": 40}, "line": " Start of examining File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 33, "seconds": 37}, "line": " Finding local user + Exploiting File Upload"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 35, "seconds": 45}, "line": " Unintended Privilege Kernel Escalation (CVE-2017-16995)"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ----- Box Done, Rest is extra content -----"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 41, "seconds": 45}, "line": " 
Stealing CoolDude89's Cookie to gain Moderator Access"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 61, "seconds": 0}, "line": " Playing with moderator function to promote user to Admin"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 69, "seconds": 50}, "line": " Using Admin Permission to unmod admin and gain access to PM's"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 74, "seconds": 50}, "line": " Poking around the box looking for intended PrivEsc"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 82, "seconds": 50}, "line": " Exploiting Calc NodeJS App on Port 88"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 96, "seconds": 45}, "line": " Final Exploits of Calc App"}, {"machine": "Vulnhub - Trollcave 1.2", "videoId": "2EW78bkwztg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Troll Cave VM Download: https://www.vulnhub.com/entry/trollcave-12,230/"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 1, "seconds": 5}, "line": " Start of Recon + Finding dompdf"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 8, "seconds": 30}, "line": " PHP Wrappers + Failed testing for RCE"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Writing Python Program to automate file disclosure bug"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 18, "seconds": 40}, "line": " Finding WebDav Configuration + Uploading Files for RCE"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 25, "seconds": 50}, "line": " Modifying Sokar's Forward Shell (PTY over HTTP)"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", 
"timestamp": {"minutes": 33, "seconds": 55}, "line": " Forward shell returned"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 38, "seconds": 50}, "line": " Using Squid to pivot to ports listening locally + NMAP via ProxyChains"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 47, "seconds": 48}, "line": " Getting nmap on Inception to speed up scanning private network"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 59, "seconds": 16}, "line": " Nmap results returned for 192.168.0.1, FTP Anonymous Login"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 61, "seconds": 15}, "line": " Finding TFTP as a Running Service"}, {"machine": "HackTheBox - Inception", "videoId": "J2I-5xPgyXk", "timestamp": {"minutes": 66, "seconds": 35}, "line": " Using TFTP to grab crontab & creating a pre-invoke apt script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://www.vulnhub.com/entry/pinkys-palace-v2,229/"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 0, "seconds": 47}, "line": " Start of Recon, get debian rev from apache header."}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 3, "seconds": 15}, "line": " Explanation of NMAP Filtered // TCPWrapped"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 6, "seconds": 45}, "line": " Enumerating Wordpress"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 9, "seconds": 58}, "line": " Finding /secret folder with Port Knock Ports"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 10, "seconds": 42}, "line": " Trying to take advantage of open wordpress installer 
(Rabbit Hole)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Writing port knock script"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 34, "seconds": 10}, "line": " Finally successful port knock, lets see what ports are open"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 38, "seconds": 40}, "line": " Using Cewl to build a wordlist, then using Hydra to bruteforce HTTP Post Login"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 44, "seconds": 57}, "line": " Login, ignoring an SSH Key :( and instead playing with an LFI!"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Reverse Shell via LFI + Log Poisoning"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 67, "seconds": 50}, "line": " Enough playing, lets crack SSH Key with John + sshng2john"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 73, "seconds": 35}, "line": " Analyzing qsub binary with radare2"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 84, "seconds": 0}, "line": " Finding the command injection in send function"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 86, "seconds": 14}, "line": " Exploiting command injection to setup SetUID Binary (Stefano - Pinky)"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 89, "seconds": 29}, "line": " Using SSH Keys to get proper session to pinky, then exploit cron script to get to demon"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 96, "seconds": 49}, "line": " Analyzing panel with Radare2"}, 
{"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 108, "seconds": 29}, "line": " Enough of me learning, lets just take the easy route and use GDB+PEDA"}, {"machine": "VulnHub - Pinkys Palace v2", "videoId": "qZDGVqTCdXA", "timestamp": {"minutes": 116, "seconds": 39}, "line": " Finishing up the exploit with some Shell Code"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 1, "seconds": 8}, "line": " Start of Recon (NetDiscover/Masscan/Nmap)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 5, "seconds": 37}, "line": " Finding the CGI Script and using Shellshock"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Start creating ShellShock python script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 16, "seconds": 8}, "line": " Converting script \"Forward Shell\" for FW Evasion with mkfifo"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 40, "seconds": 0}, "line": " Adding Threading (Background Task) to improve script"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 45, "seconds": 0}, "line": " Script completed - Attempt to enumerate FW Rules"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 49, "seconds": 0}, "line": " Fumbling around with IPv6 (Check out Sneaky Video for more)"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 53, "seconds": 25}, "line": " Reverse shell via IPv6 and ncat"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 65, "seconds": 0}, "line": " Reading Bynarr's mail to get password and PrivEsc via LIME/Memory Dum"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " p"}, {"machine": "VulnHub - Sokar", 
"videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 67, "seconds": 20}, "line": " Unintended PrivEsc via ShellShock + Environment Variables"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 78, "seconds": 20}, "line": " Begin of MITM (Man in the Middle) First with Ettercap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 84, "seconds": 19}, "line": " Installing Bettercap2 + Usage"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 93, "seconds": 40}, "line": " Spoofing ARP and DNS with BetterCap"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 101, "seconds": 11}, "line": " Privesc to root via Git on case-insensitive FS"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 113, "seconds": 30}, "line": " Woot root, lets take a look at the IPTable FW"}, {"machine": "VulnHub - Sokar", "videoId": "k6ri-LFWEj4", "timestamp": {"minutes": 116, "seconds": 0}, "line": " Explaining the exploit a bit better"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Every time I say CSRF, I mean SSRF."}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Begin of Recon"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Start of GoBuster"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Finding a SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Passing arguments to cmd.aspx via SSRF"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 12, "seconds": 5}, "line": " Firewall Enumeration "}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", 
"timestamp": {"minutes": 16, "seconds": 35}, "line": " Begin of setting up ICMP Reverse Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 22, "seconds": 25}, "line": " Begin of sending ICMP Rev Shell to Server (Warning: Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 46, "seconds": 31}, "line": " Return of ICMP Rev Shell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 52, "seconds": 20}, "line": " PrivEsc from IIS to Decoder"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 71, "seconds": 15}, "line": " Unzipping via Powershell"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 74, "seconds": 5}, "line": " Finding Administrator password hidden in NTFS File Stream"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 76, "seconds": 30}, "line": " Using Net Use to mount C: As Administrator"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 79, "seconds": 30}, "line": " Using IDA to analyze root.exe and grab the flag (Misses last character of hash)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 84, "seconds": 15}, "line": " Using Invoke Command to execute root.exe as admin (Lots of Fail)"}, {"machine": "HackTheBox - Minion", "videoId": "IbVmpr6IFQU", "timestamp": {"minutes": 92, "seconds": 52}, "line": " Opening up the Firewall then just using RDP to gain access"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Start of Recon"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 3, "seconds": 40}, "line": " GoBuster"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 4, "seconds": 45}, "line": " Getting 
banned and Pivoting to verify"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 10, "seconds": 20}, "line": " Logging into PFSense"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 16, "seconds": 50}, "line": " Manually Exploiting PFsense "}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Using Metasploit to exploit"}, {"machine": "HackTheBox - Sense", "videoId": "d2nVDoVr0jE", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Creating a Bruteforce Script in Python ( CSRF )"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Begin of recon"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Finding the vulnerable Wordpress Plugin"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 17, "seconds": 50}, "line": " Exploiting lcars plugin "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Logging into WP and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 35, "seconds": 0}, "line": " Wordpress RevShell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 40, "seconds": 0}, "line": " Using Meterpreter to pivot and provide access to MySQL"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 50, "seconds": 0}, "line": " MySQL Shell Returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 52, "seconds": 0}, "line": " Logging into Joomla and Getting Reverse Shell"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 57, "seconds": 20}, "line": " 
Joomla Reverse Shell returned"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 59, "seconds": 0}, "line": " Getting Reverse Shell on Host OS (port 443)"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 62, "seconds": 0}, "line": " Shell Returned begin of local privesc recon"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 72, "seconds": 6}, "line": " Beginning of Binary Exploitation "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 81, "seconds": 0}, "line": " Start writing exploit script "}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ===== Extra Content ======"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 88, "seconds": 30}, "line": " Analyzing the PHP SQL Injection Scripts"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 96, "seconds": 30}, "line": " Viewing what SQLMap does to exploit this"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 100, "seconds": 0}, "line": " Stepping through Double Query Injection"}, {"machine": "HackTheBox - Enterprise", "videoId": "NWVJ2b0D1r8", "timestamp": {"minutes": 107, "seconds": 20}, "line": " Writing our own SQL Injection Exploit Script"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " For the unintentional method, I'm just downloading a file versus doing it live on the box because I wanted to save doing it live for another video. 
"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " A really good SSRF Presentation: https://www.youtube.com/watch?v=D1S-G8rJrEk"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 1, "seconds": 38}, "line": " Start of nmap"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 3, "seconds": 40}, "line": " Accessing port 60000"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 6, "seconds": 20}, "line": " Manually enumerating ports on localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 7, "seconds": 0}, "line": " Using wfuzz to portscan localhost via SSRF"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Tomcat creds exposed & Uploading tomcat reverse shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Return of shell"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 14, "seconds": 20}, "line": " Extracting NTDS + SYSTEM Hive"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 20, "seconds": 20}, "line": " Using HashKiller to crack the hashes"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 21, "seconds": 30}, "line": " Escalating to Atanas & Identifying wget vulnerability"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 27, "seconds": 10}, "line": " Starting exploit"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 33, "seconds": 22}, "line": " Exploit failed, light debugging"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 35, "seconds": 40}, "line": " 
Issue found, not listening all interfaces"}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 39, "seconds": 35}, "line": " Root shell returned."}, {"machine": "HackTheBox - Kotarak", "videoId": "38e-sxPWiuY", "timestamp": {"minutes": 40, "seconds": 10}, "line": " Unintentional Root Method (Edited Footage, IP Change)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Begin of NMAP"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 3, "seconds": 0}, "line": " GoBuster (Fails)"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 8, "seconds": 15}, "line": " Screw GoBuster, BurpSpider FTW"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 9, "seconds": 12}, "line": " Examining Routes File to find more pages"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 10, "seconds": 10}, "line": " Finding Credentials and downloading backup"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Cracking the zip with fcrackzip"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Finding more credentials (SSH) within MongoSource"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Privesc to Tom User"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 35, "seconds": 4}, "line": " Analyzing Backup Binary File"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 36, "seconds": 49}, "line": " Using strace to find binary password"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 40, "seconds": 25}, "line": " Finding blacklisted characters/words"}, 
{"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Unintended method one, abusing CWD"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 52, "seconds": 20}, "line": " Unintended method two, wildcards to bypass blacklist"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 54, "seconds": 45}, "line": " Unintended method three, command injection via new line"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 59, "seconds": 15}, "line": " Intended root Buffer Overflow ASLR Brute Force"}, {"machine": "HackTheBox - Node", "videoId": "sW10TlZF62w", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you want to see more detail on the ret2libc check out October: https://www.youtube.com/watch?v=K05mJazHhF4&t=21m14s"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Start of nmap"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 3, "seconds": 22}, "line": " Poking at a rabbit hole (8080)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 8, "seconds": 8}, "line": " GoBuster to find hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Finding SQL Creds in hidden directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Using dbeaver to enumerate database"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 16, "seconds": 50}, "line": " Impacket-PSExec to Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Proving James is not an Admin"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", 
"timestamp": {"minutes": 20, "seconds": 35}, "line": " Using MSF to Enable Remote Desktop to do Incident Response"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 27, "seconds": 0}, "line": " Start of Remote Desktop Looking at Event Log + Active Directory"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 31, "seconds": 0}, "line": " Installing Sysmon to get better logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 36, "seconds": 15}, "line": " Looking at Sysmon Logs"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 42, "seconds": 20}, "line": " Proving the PrivEsc was due to Impacket-PSExec not cleaning up"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 48, "seconds": 0}, "line": " Using Forensics to get Service Creation Date"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 53, "seconds": 30}, "line": " Finding a HTB User creating a Git Issue to Impacket (LOL)"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 55, "seconds": 10}, "line": " Intended Route - Forging a Kerberos Ticket MS14-068"}, {"machine": "HackTheBox - Mantis", "videoId": "VVZZgqIyD0Q", "timestamp": {"minutes": 71, "seconds": 0}, "line": " Explaining why the unintended route probably got created"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you want some more details about the actual ShellShock exploit, check out the Beep Video. 
"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 0, "seconds": 39}, "line": " Begin Nmap, OS Enum via SSH/HTTP Banner"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 5, "seconds": 0}, "line": " GoBuster"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 7, "seconds": 8}, "line": " Viewing CGI Script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 8, "seconds": 50}, "line": " Begin NMAP Shellshock"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Debugging Nmap HTTP Scripts via Burp"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 11, "seconds": 10}, "line": " Fixing the HTTP Request & nmap script"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Performing Shellshock & more fixing"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 18, "seconds": 25}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 21, "seconds": 19}, "line": " Running LinEnum.sh"}, {"machine": "HackTheBox - Shocker", "videoId": "IBlTdguhgfY", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Rooting the box"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 0, "seconds": 49}, "line": " Nmap"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 1, "seconds": 31}, "line": " Examining some odd behavior. 
Nmap different result than browser."}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Getting to /admin and testing for Zone Transfer"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Testing SSH Default Raspberry Pi Creds"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 6, "seconds": 11}, "line": " Escalate to root 'sudo su'"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 7, "seconds": 10}, "line": " Recovering the deleted root.txt"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 8, "seconds": 38}, "line": " GrepFu"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 10, "seconds": 40}, "line": " Downloading /dev/sdb via SSH"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 12, "seconds": 48}, "line": " Running Binwalk against it"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 13, "seconds": 18}, "line": " Trying to recover with TestDisk"}, {"machine": "HackTheBox - Mirai", "videoId": "SRmvRGUuuno", "timestamp": {"minutes": 14, "seconds": 37}, "line": " Trying to recover with PhotoRec"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 1, "seconds": 0}, "line": " Nmap"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 2, "seconds": 23}, "line": " Examining the Web Page"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 8}, "line": " GoBuster"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 4, "seconds": 53}, "line": " Finding /uploads/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 5, "seconds": 
50}, "line": " Finding /secret_area_51/ Directory"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 6, "seconds": 20}, "line": " Using Audacity to find Steg in Audio"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 8, "seconds": 50}, "line": " FTP With Creds revealed from Steg"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 10, "seconds": 6}, "line": " Examining files downloaded from FTP"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 12, "seconds": 43}, "line": " Finding decryption key + blob"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 14, "seconds": 33}, "line": " Using Python seccure to decrypt ecc"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 5}, "line": " SSH Into Shrek as SEC"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 16, "seconds": 35}, "line": " Farquad Rabbit Hole"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 17, "seconds": 42}, "line": " Incident Response : Finding files modified between two times"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 20, "seconds": 47}, "line": " What is /usr/src/thoughts.txt?"}, {"machine": "HackTheBox - Shrek", "videoId": "tI592BjTd4o", "timestamp": {"minutes": 21, "seconds": 45}, "line": " Privesc through cron running: chown *"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Blog Post: https://reboare.github.io/lxd/lxd-escape.html"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 1, "seconds": 28}, "line": " Begin of recon"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 2, "seconds": 20}, "line": 
" GoBuster"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 3, "seconds": 30}, "line": " admin.php discovered, finding the pw"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 4, "seconds": 50}, "line": " Getting Code Execution"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 7, "seconds": 45}, "line": " Finding out why Reverse Shells weren't working"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Getting a reverse shell by renaming nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Transferring files via nc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 14, "seconds": 0}, "line": " Opening the wav file"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 16, "seconds": 25}, "line": " Using audiodiff to identify differences in sound"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 17, "seconds": 5}, "line": " The next step, why is the same song there twice?"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 19, "seconds": 25}, "line": " Importing files into Audacity and Inverting"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 22, "seconds": 25}, "line": " Attempting to exploit the process blacklist"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 24, "seconds": 25}, "line": " Unintended root LXC Background"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 28, "seconds": 30}, "line": " Creating an Alpine LXC"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 30, "seconds": 40}, 
"line": " Importing the image into lxc"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 0}, "line": " Creating the container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 32, "seconds": 40}, "line": " Adding the host drive to container"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 34, "seconds": 20}, "line": " Starting the container and entering it"}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 5}, "line": " Examining the Process Blacklist script "}, {"machine": "HackTheBox - Calamity", "videoId": "EloOaaGg3nA", "timestamp": {"minutes": 35, "seconds": 54}, "line": " Running through the exploit again on a Ubuntu Host"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 0, "seconds": 38}, "line": " Start of Recon"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Finding NMAP Scripts (Probably a stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Running Safe Scripts - Not -sC, which is default."}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 2, "seconds": 52}, "line": " Listing NMAP Script Categories (Prob a really stupid way)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 3, "seconds": 18}, "line": " Really Cool Grep (Only show matching -oP)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 4, "seconds": 40}, "line": " Nmap Safe Script Output"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Exploiting MS17-010 with MSF"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 7, 
"seconds": 40}, "line": " Setting up Dev Branch of Empire"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 9, "seconds": 7}, "line": " Starting a Listener"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 10, "seconds": 55}, "line": " Getting a PowerShell Oneliner to launch payload"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 12, "seconds": 16}, "line": " Invoke-Expression (IEX) to Execute Launcher"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 25}, "line": " Interacting with a single agent"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Using Modules - PowerUp Invoke-AllChecks"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 14, "seconds": 40}, "line": " Fixing weird issue with PS Module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 16, "seconds": 15}, "line": " Invoke-AllChecks finished"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 15}, "line": " Loading PS Modules into Memory"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 17, "seconds": 40}, "line": " Executing functions out of above module"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 18, "seconds": 20}, "line": " Why I don't pass to MSF via InjectShellcode"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 22, "seconds": 45}, "line": " How I pass from Empire to MSF (Unicorn + IEX)"}, {"machine": "HackTheBox - Blue", "videoId": "YRsfX6DW10E", "timestamp": {"minutes": 25, "seconds": 53}, "line": " Just running Powershell CMDs from Empire (Shell)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": 
{"minutes": 0, "seconds": 52}, "line": " Recon - NMAP"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 5}, "line": " Recon - Getting Linux Distro"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 4, "seconds": 35}, "line": " Recon - GoBuster"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Analyzing Jail.c source"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Begin Binary Exploitation"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 15, "seconds": 10}, "line": " Verify Buffer Overflow"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 17, "seconds": 35}, "line": " Create Exploit Skeleton"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 20, "seconds": 50}, "line": " Finding EIP Overwrite"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 23, "seconds": 2}, "line": " Adding Reverse TCP Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 30, "seconds": 15}, "line": " Switching to \"Socket Re-Use\" Shellcode"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 32, "seconds": 20}, "line": " Shell Returned"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 34, "seconds": 0}, "line": " NFSv3 Privesc Begin"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 40, "seconds": 15}, "line": " Begin incorrectly playing with SetUID"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 43, "seconds": 10}, "line": " SELinux Escape"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 45, "seconds": 25}, 
"line": " Using SELinux Escape to copy SSH Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 48, "seconds": 55}, "line": " Logging in as Frank"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 50, "seconds": 0}, "line": " Privesc to adm (sudo rvim)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 51, "seconds": 44}, "line": " Begin of finding a way to root"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 55, "seconds": 58}, "line": " Begin cracking rar file "}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 57, "seconds": 18}, "line": " Using Hashcat to generate custom wordlist"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 60, "seconds": 40}, "line": " Cracking with JohnTheRipper"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 62, "seconds": 30}, "line": " RsaCtfTool to exploit weak SSH Pub Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 63, "seconds": 36}, "line": " Login as root with SSH Private Key"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 64, "seconds": 11}, "line": " EXTRA CONTENT: Alternative Privesc to ADM (NFS)"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 65, "seconds": 21}, "line": " Creating a directory to give other users NFS Write access"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 67, "seconds": 30}, "line": " Correct way to do SetUID Program"}, {"machine": "HackTheBox - Jail", "videoId": "80-73OYcrrk", "timestamp": {"minutes": 71, "seconds": 4}, "line": " Using SetUID Programs to write to disk"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 0, "seconds": 0}, "line": " 
Intro"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 1, "seconds": 58}, "line": " Begin Recon (NMAP)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 4, "seconds": 19}, "line": " GoBuster HTTP + HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 6, "seconds": 35}, "line": " Accessing Pages "}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 7, "seconds": 5}, "line": " Using Hydra against HTTP + HTTPS Web Forms"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Logging into HTTP and hunting for vulns"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 0}, "line": " Second Hydra attempt against HTTPS"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 17, "seconds": 57}, "line": " Logging into HTTPS (phpLiteAdmin)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 20, "seconds": 17}, "line": " Chaining Exploits to get Code Execution"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 26, "seconds": 38}, "line": " Reverse Shell Returned"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 28, "seconds": 0}, "line": " LinEnum.sh Script Review"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Watching for new Processes"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 37, "seconds": 0}, "line": " Found the error in script :)"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 39, "seconds": 30}, "line": " Getting reverse root shell"}, {"machine": "HackTheBox - Nineveh", "videoId": 
"K9DKULxSBK4", "timestamp": {"minutes": 41, "seconds": 51}, "line": " Intended Route to get User"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 46, "seconds": 12}, "line": " Reviewing Knockd configuration"}, {"machine": "HackTheBox - Nineveh", "videoId": "K9DKULxSBK4", "timestamp": {"minutes": 49, "seconds": 33}, "line": " Doing the PortKnock"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "line": " The STTY command I messed up was simply `stty rows ## cols ##`"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 1, "seconds": 15}, "line": " Begin Recon with Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 3, "seconds": 15}, "line": " Examining findings from Reconnoitre"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 6, "seconds": 50}, "line": " Decompiling java Jar Files with JAD"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 8, "seconds": 18}, "line": " Using JD-GUI"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 10, "seconds": 33}, "line": " Running WPScan"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Manually enumerating wordpress users"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 12, "seconds": 43}, "line": " SSH To the box and PrivEsc"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 0, "seconds": 1}, "line": " ------ Box Completed, Below extra content (Some mistakes, pretty much do this live without prep)"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Rabbit hole, gaining access through FTP"}, {"machine": "HackTheBox - 
Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 17, "seconds": 9}, "line": " Finding Wordpress DB Password"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 18, "seconds": 33}, "line": " Switching to WWW-DATA by using phpMyAdmin + Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 20, "seconds": 10}, "line": " Generating a PHP Password for Wordpress"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 21, "seconds": 50}, "line": " Gaining code execution with Wordpress Admin access"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 25, "seconds": 40}, "line": " Shell as www-data"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 26, "seconds": 40}, "line": " Enumerating Kernel Exploits with Linux-Exploit-Suggester"}, {"machine": "HackTheBox - Blocky", "videoId": "C2O-rilXA6I", "timestamp": {"minutes": 30, "seconds": 10}, "line": " Attempting CVE-2017-6074 Dccp Kernel Exploit (Unstable AF)"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 17}, "line": " Why I like Tmux"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 20}, "line": " Creating Tmux Session"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 1, "seconds": 45}, "line": " Bash: Ctrl + R - Recursive Search"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 2}, "line": " Tmux: Prefix Key (default Ctrl+B)"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 5}, "line": " Tmux: New Window - Prefix c"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 7}, "line": " Tmux: Switch Window - Prefix #"}, 
{"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 36}, "line": " My Tmux Config"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 2, "seconds": 50}, "line": " Demo of \"nested tmux\""}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 0}, "line": " Tmux: Rename Window - Prefix ,"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 4, "seconds": 20}, "line": " Tmux: Send/Join Pane Prefix [s|j]"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 8}, "line": " Tmux: Setting Search to Vi mode"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Tmux: Enter edit mode Ctrl+["}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Tmux: Showing off tmux Searching"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 3}, "line": " Tmux: Copy and pasting lots of text"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 6, "seconds": 27}, "line": " Tmux: Logging Plugin"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://github.com/tmux-plugins/tmux-logging"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 7, "seconds": 30}, "line": " Tmux: Splitting"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Tmux: Zooming - Prefix z"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 0}, "line": " Tmux: Moving Panes"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, 
"seconds": 20}, "line": " Bash: Cycle through past arguments Alt+."}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 9, "seconds": 50}, "line": " Bash: Moving cursor to begin, end or skipping words"}, {"machine": "Introduction to tmux", "videoId": "Lqehvpe_djs", "timestamp": {"minutes": 10, "seconds": 45}, "line": " Tmux: Help Page Prefix ?"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Image in the intro is an XKCD comic if you didn't immediately recognize it as XKCD check out https://xkcd.com"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 0, "seconds": 24}, "line": " Recon with Sparta"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Enumerating SSL Certificate "}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 3, "seconds": 55}, "line": " Manually View SSL Certificate"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 4, "seconds": 35}, "line": " VirtualHostRouting Explanation"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 7, "seconds": 42}, "line": " SQL Injection - Auth Bypass"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 13, "seconds": 0}, "line": " Dumping the Database with SQLMap"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 16, "seconds": 45}, "line": " Begin of Web Exploit (Regex //e)"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 23, "seconds": 0}, "line": " Getting a Shell"}, {"machine": "HackTheBox - Europa", "videoId": "OsxDB41jg6A", "timestamp": {"minutes": 27, "seconds": 10}, "line": " Begin PrivEsc (CronJob)"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": 
{"minutes": 1, "seconds": 26}, "line": " Enumeration Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 2, "seconds": 58}, "line": " WPScan Start"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 5, "seconds": 40}, "line": " Directory Scanning with GoBuster"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 10, "seconds": 54}, "line": " Examining WPScan Output"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 13, "seconds": 40}, "line": " Bruteforcing with WPScan"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 14, "seconds": 40}, "line": " Bruteforcing HTTP Post with Hydra"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 18, "seconds": 30}, "line": " Edit WP Theme to get Code Execution"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 22, "seconds": 9}, "line": " Return of Reverse Shell"}, {"machine": "HackTheBox - Apocalyst", "videoId": "TJVghYBByIA", "timestamp": {"minutes": 26, "seconds": 25}, "line": " Privilege Escalation World Writeable Passwd"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Articles Mentioned:"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ictf.cs.ucsb.edu/pages/the-2016-2017-ictf-ddos.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/index.html"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 46}, "line": " NMAP Scan and Review"}, {"machine": "HackTheBox - Holiday", "videoId": 
"FvHyt7KrsPE", "timestamp": {"minutes": 1, "seconds": 53}, "line": " GoBuster and identify User Agent based Routing"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 4, "seconds": 9}, "line": " SQLMap the Login"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 0}, "line": " Login to the page"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 8, "seconds": 55}, "line": " Begin of XSS"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 11, "seconds": 15}, "line": " Bypass first XSS Filter"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Encoded JS Payload - Getting XSS to call back to us"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 16, "seconds": 56}, "line": " Using Python to encode JS which will call back to us."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 24, "seconds": 25}, "line": " Executing the payload"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 25, "seconds": 6}, "line": " Stage 2 XSS Attack - XMLHttpRequest"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 31, "seconds": 30}, "line": " Troubleshooting, No code works the first time."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 36, "seconds": 0}, "line": " Stage 2 Fixed."}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 40, "seconds": 57}, "line": " Initial access to /admin"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 42, "seconds": 0}, "line": " Finding Command Injection"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 43, 
"seconds": 40}, "line": " Explanation of IP \"Encoding\""}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 48, "seconds": 40}, "line": " Rev Shell obtained"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 49, "seconds": 30}, "line": " How I found out about the IP Encode Trick"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 51, "seconds": 40}, "line": " Begin of PrivEsc"}, {"machine": "HackTheBox - Holiday", "videoId": "FvHyt7KrsPE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Creator: g0blin"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you're wondering how this could be an hour long video, over half the video is talking about IPv6."}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 0, "seconds": 44}, "line": " Recon + Web Enum"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 1, "seconds": 33}, "line": " SQL Injection"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 5, "seconds": 30}, "line": " Start of IPv6 Talk"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 6, "seconds": 30}, "line": " What is an IPv6 IP Address?"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 11, "seconds": 27}, "line": " Types of IPv6 Addresses"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 14, "seconds": 6}, "line": " IPv6 Subnetting Explained"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 21, "seconds": 20}, "line": " End of IPv6 Primer, Exploit time!"}, {"machine": "HackTheBox - Sneaky", 
"videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 22, "seconds": 43}, "line": " Method 1: Getting MAC and calculating fe80"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 30, "seconds": 30}, "line": " Method 2: Enumerating Networks by pinging Multicast"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 33, "seconds": 56}, "line": " Extra: Getting Windows to respond from Multicast Ping"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 38, "seconds": 7}, "line": " Extra: NMAP Scanning ipv6 local networks"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 40, "seconds": 15}, "line": " Convert RPM to DEB (Needed for install nmap on tenten)"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 41, "seconds": 30}, "line": " Intended Solution: Getting IPv6 via SNMP"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 43, "seconds": 58}, "line": " No SNMP MIB Output"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 45, "seconds": 58}, "line": " Getting SNMP MIBS Installed and Configured"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 47, "seconds": 52}, "line": " Tool: Enyx - SNMPv6 Enumeration via Python"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 50, "seconds": 44}, "line": " Privesc Enumeration"}, {"machine": "HackTheBox - Sneaky", "videoId": "1UGxjqTnuyo", "timestamp": {"minutes": 52, "seconds": 49}, "line": " Buffer Overflow"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 1, "seconds": 30}, "line": " Rabbit Hole - Searching for SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 6, "seconds": 23}, "line": " Running enumeration in the 
background (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Rabbit Hole - SQLMap Blog SinglePost.php"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 4}, "line": " Finding PHP Files in /cmsdata/ (GoBuster)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 12, "seconds": 53}, "line": " Manual Identification of SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 15, "seconds": 50}, "line": " SQL Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 17, "seconds": 20}, "line": " Rabbit Hole - Starting SQLMap in the Background"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 18, "seconds": 10}, "line": " SQL Union Injection Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 19, "seconds": 30}, "line": " Identifying \"Bad/Filtered Words\" in SQL Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 2}, "line": " SQL Union Finding number of items returned"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 21, "seconds": 48}, "line": " Returning data from Union Injection"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 22, "seconds": 48}, "line": " SQL Concat Explanation"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 23, "seconds": 55}, "line": " Enumerating SQL Databases Explanation (Information_Schema)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 25, "seconds": 46}, "line": " Returning Database, Table, Columns from Information_Schema"}, {"machine": "HackTheBox - Charon", "videoId": 
"_csbKuOlmdE", "timestamp": {"minutes": 29, "seconds": 30}, "line": " Scripting to dump all columns"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 36, "seconds": 45}, "line": " Listing of columns in SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 37, "seconds": 15}, "line": " Dumping User Credentials"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 41, "seconds": 36}, "line": " Logging in and exploiting SuperCMS"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 47, "seconds": 0}, "line": " Return of reverse shell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 48, "seconds": 40}, "line": " Transferring small files from shell to my machine"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 50, "seconds": 56}, "line": " Using RsaCtfTool to decrypt contents with weak public key"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 52, "seconds": 52}, "line": " Breaking weak RSA manually"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 61, "seconds": 20}, "line": " Begin PrivEsc to Root"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 62, "seconds": 40}, "line": " Transferring large files with NC"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 63, "seconds": 50}, "line": " Analyzing SuperShell with BinaryNinja (Paid)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 66, "seconds": 4}, "line": " Analyzing SuperShell with Radare2 (Free)"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", "timestamp": {"minutes": 68, "seconds": 22}, "line": " Exploiting SuperShell"}, {"machine": "HackTheBox - Charon", "videoId": "_csbKuOlmdE", 
"timestamp": {"minutes": 72, "seconds": 46}, "line": " Encore. Getting a Root Shell with SetUID Binary"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 1, "seconds": 38}, "line": " Go to HTTPFileServer"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 2, "seconds": 56}, "line": " Explanation of Vulnerability"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 4, "seconds": 49}, "line": " Testing the Exploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 6, "seconds": 25}, "line": " Getting rev tcp shell with Nishang"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 11, "seconds": 54}, "line": " Shell returned"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 13, "seconds": 15}, "line": " Finding exploits with Sherlock"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Using Empire Module without Empire for Privesc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 21, "seconds": 0}, "line": " Start of doing the box with Metasploit"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 22, "seconds": 36}, "line": " Reverse Shell Returned (x32)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 24, "seconds": 45}, "line": " MSF Error during PrivEsc"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 25, "seconds": 35}, "line": " Reverse Shell Returned (x64)"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 26, "seconds": 19}, "line": " Same PrivEsc as earlier, different result"}, {"machine": "HackTheBox - Optimum", "videoId": "kWTnVBIpNsE", "timestamp": {"minutes": 28, 
"seconds": 47}, "line": " Examining how Rejetto MSF Module works with Burp"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Really wanted to show people this method of pivoting, but ran into issues last video. This video doesn't explain any exploits, just uses plink.exe to set up a tunnel which we can use as a gateway for Reverse_TCP Sessions."}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you wanted to see the explanations behind exploits check out the original video: https://www.youtube.com/watch?v=ZfPVGJGkORQ"}, {"machine": "HackTheBox - Pivoting Update: Granny and Grandpa", "videoId": "HQkDL-xh7es", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Apologies for any confusion/wasted time."}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Heads up. The pivot idea, was a pretty big fail. Should of prep'd more but was short on time. 
Enjoy watching me struggle, if you wanted to see the pivot stuff working I uploaded an updated video here: https://youtu.be/HQkDL-xh7es"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 1, "seconds": 50}, "line": " Nmap Results (Discovery of WebDav)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 4, "seconds": 35}, "line": " DavTest"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 6, "seconds": 22}, "line": " HTTP PUT Upload Files"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 7, "seconds": 0}, "line": " MSFVenom Generate aspx payload"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 13, "seconds": 0}, "line": " User Shell Returned"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 16, "seconds": 23}, "line": " Get Admin Shell (ms14-070)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 17, "seconds": 14}, "line": " Beginning of Pivot Fail. 
Socks Proxy"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 29, "seconds": 35}, "line": " Shell on Grandpa (CVE-2017-7269)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 32, "seconds": 45}, "line": " Using portfwd to access ports not exposed to routable interfaces"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 34, "seconds": 45}, "line": " Cracking LM Hash Explanation"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 38, "seconds": 30}, "line": " Cracking LM Hashes via Hashcat"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 41, "seconds": 30}, "line": " Grandpa acts cranky. Revert. "}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 42, "seconds": 30}, "line": " Expected behavior when exploiting via CVE-2017-7269. 
None of that auto system weirdness (45:20 gets admin)"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 45, "seconds": 50}, "line": " Using Hashcat to crack NTLM using LM Hashes"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 48, "seconds": 50}, "line": " Finally log into SMB using the portfwd from 32:45"}, {"machine": "HackTheBox - Granny and Grandpa", "videoId": "ZfPVGJGkORQ", "timestamp": {"minutes": 49, "seconds": 7}, "line": " Random pivot attempt failure."}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 0, "seconds": 1}, "line": " OLEVBA - https://github.com/decalage2/oletools/wiki/olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 1, "seconds": 58}, "line": " Extract Macro with olevba"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 2, "seconds": 40}, "line": " ExifTool to examine Document Metadata (Comments used in Macro)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 3, "seconds": 48}, "line": " Examining Macro Code"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 4, "seconds": 21}, "line": " Using Python to explain Right(left))"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Opening ProcMon"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 7}, "line": " Why you should be careful when executing portions of \"bad code\""}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", 
"videoId": "cjlctph9cZE", "timestamp": {"minutes": 9, "seconds": 55}, "line": " Viewing Macro's in Word and DeObfuscating by changing Shell to Print"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 12, "seconds": 17}, "line": " Start of Obfuscated Powershell (after de-base64)"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 13, "seconds": 21}, "line": " Malicious Powershell Code "}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 15, "seconds": 15}, "line": " Upload to VirusTotal"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 16, "seconds": 51}, "line": " Looking at process explorer"}, {"machine": "Reversing Malicious Office Document (Macro) Emotet(?)", "videoId": "cjlctph9cZE", "timestamp": {"minutes": 20, "seconds": 21}, "line": " Looking at Wireshark"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 1, "seconds": 2}, "line": " Going over NMAP"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Anonymous FTP + File Upload"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 4, "seconds": 30}, "line": " MSFVenom "}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 7, "seconds": 20}, "line": " Metasploit"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 10, "seconds": 0}, "line": " Exploit Suggestor"}, {"machine": "HackTheBox - Devel", "videoId": "2LNyAbroZUk", "timestamp": {"minutes": 11, "seconds": 30}, "line": " Getting Root"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Bitterman: 
https://github.com/ctfs/write-ups-2015/blob/master/camp-ctf-2015/pwn/bitterman-300/bitterman?raw=true"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Good Links."}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html"}, {"machine": "Camp CTF 2015 - Bitterman", "videoId": "6S4A2nhHdWg", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Great Writeup to similar CTF Challenge: https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 0, "seconds": 39}, "line": " Basic Web Page Discovery"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 3, "seconds": 30}, "line": " Examining Cookies - Pt1 (Burp Sequencer)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 5, "seconds": 5}, "line": " Fuzzing Usernames (2nd Order SQL Injection)"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 15}, "line": " Examining Cookies - Pt2"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 7, "seconds": 40}, "line": " Cookie Bitflip"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 12, "seconds": 45}, "line": " Padding Oracle Attack - Pt1"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 15, "seconds": 30}, "line": " Rooting the Box"}, {"machine": "HackTheBox - Lazy", "videoId": "3VxZNflJqsw", "timestamp": {"minutes": 22, "seconds": 50}, "line": " Padding Oracle Attack - Pt2"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 1, "seconds": 45}, "line": " GoBuster"}, 
{"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 4, "seconds": 40}, "line": " Exploiting exposed.php"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 11, "seconds": 40}, "line": " Getting Shell"}, {"machine": "HackTheBox - Haircut", "videoId": "9ZXG1qb8lUI", "timestamp": {"minutes": 20, "seconds": 9}, "line": " Screen Privesc"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 0, "seconds": 27}, "line": " Port Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 2, "seconds": 54}, "line": " UDP Port Review"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 3, "seconds": 40}, "line": " TFTP Enumeration"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 6, "seconds": 30}, "line": " Cracking Squid PW"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 8, "seconds": 0}, "line": " FoxyProxy Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 9, "seconds": 45}, "line": " Burp Setup"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Running Commands"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 21, "seconds": 20}, "line": " Reverse Shell"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 22, "seconds": 30}, "line": " PrivEsc to Alekos #1"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 28, "seconds": 0}, "line": " PrivEsc to Alekos #2"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 37}, "line": " Root #1 (SymLink)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 30, "seconds": 48}, "line": 
" Root #2 (Tar Checkpoint)"}, {"machine": "HackTheBox - Joker", "videoId": "5wyvpJa9LdU", "timestamp": {"minutes": 44, "seconds": 45}, "line": " Root #3 (Remove Development)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 0, "seconds": 39}, "line": " Nmap Results"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 1, "seconds": 15}, "line": " DNS Enumeration"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 4, "seconds": 8}, "line": " HTTP VirtualHost Routing"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 5, "seconds": 28}, "line": " DirSearch (Web Enumeration) "}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 8, "seconds": 50}, "line": " HTTP Redirect Vulnerability"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 13, "seconds": 23}, "line": " PW in Balance-Transfer"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 18, "seconds": 0}, "line": " File Upload, WebShell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 21, "seconds": 48}, "line": " First Shell"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 30, "seconds": 10}, "line": " First Privesc Method (SUID)"}, {"machine": "HackTheBox - Bank", "videoId": "JRPWFSzFaG0", "timestamp": {"minutes": 31, "seconds": 38}, "line": " Second Privesc Method (passwd)"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Sherlock was fixed, should no longer report the false negative https://github.com/rasta-mouse/Sherlock/commit/ceb49f5b54be54effbada47fa3198abf744af390"}, {"machine": "HackTheBox - Bastard", "videoId": "lP-E5vmZNC0", "timestamp": {"minutes": 0, "seconds": 1}, "line": " If you wanted to do this with MSF -- Watch the 
Arctic Video and use the exploit shown in the video. If it doesn't work, try changing the payload with the exploit and ensure you're a 64 bit process."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Watch me fail my way to victory as I exploit beep 4 different ways. Next time I try to exploit something multiple ways, I'll probably split it up in multiple videos."}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 1, "seconds": 35}, "line": " Method 1: LFI + Password"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 16, "seconds": 3}, "line": " Method 2: Turning LFI into RCE"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 37, "seconds": 46}, "line": " Method 3: Code exec via call"}, {"machine": "HackTheBox - Beep", "videoId": "XJmBpOd__N8", "timestamp": {"minutes": 54, "seconds": 0}, "line": " Method 4: Shellshock"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 20}, "line": " Recon"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 3, "seconds": 40}, "line": " Start of WP Hacking"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 10, "seconds": 30}, "line": " Logged into WP"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 15, "seconds": 0}, "line": " Login to SuperSecretForum"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 25, "seconds": 0}, "line": " Cracking the SSH Key"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 27, "seconds": 15}, "line": " Begin of getting root.txt (RSA Cracking)"}, {"machine": "HackTheBox - Brainfuck", "videoId": "o5x1yg3JnYI", "timestamp": {"minutes": 0, "seconds": 1}, "line": " 
http://rumkin.com/tools/cipher/ -- Site used during the SecretForum stuff."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 0}, "line": " Intro"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 12}, "line": " Enumerate with nmap"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 40}, "line": " Going to the webpage"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 1, "seconds": 50}, "line": " Using SearchSploit to find ColdFusion Exploits"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 2, "seconds": 40}, "line": " Attempt to exploit through MSF. Debug why it failed."}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 3, "seconds": 50}, "line": " Setting up a Burp Redirect listener"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 4, "seconds": 55}, "line": " Examining request sent by MSF Exploit"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 6, "seconds": 35}, "line": " Getting a reverse shell"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 7, "seconds": 50}, "line": " Using Unicorn to create a Powershell Meterpreter Loa"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 0, "seconds": 1}, "line": " der"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 11, "seconds": 35}, "line": " Reverseshell returned"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Using the MSF post module local_exploit_suggester"}, {"machine": "HackTheBox - Arctic", "videoId": "e9lVyFH7-4o", "timestamp": {"minutes": 15, "seconds": 29}, "line": " Privesc via 
MS10-092"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Twitter @ippSec"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Low Priv: Default Account + File Upload"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 1}, "line": " PrivEsc: Return to LibC + ASLR Bruteforce"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 0, "seconds": 45}, "line": " Pulling up Web Page."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 1, "seconds": 10}, "line": " Searchsploit"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 2, "seconds": 40}, "line": " Enumerating Version (Download Versions, Hash Static Files)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 8, "seconds": 20}, "line": " Default cred /backend -- Upload Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 9, "seconds": 51}, "line": " User Reverse Shell"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 12, "seconds": 10}, "line": " Transferring file over nc"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 14, "seconds": 45}, "line": " Begin \"fuzzing\" Binary"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 16, "seconds": 15}, "line": " GDB Analysis"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 18, "seconds": 46}, "line": " Get a full reverse shell with tab autocomplete."}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 19, "seconds": 0}, "line": " Showing ASLR changing address "}, {"machine": "HackTheBox - October", "videoId": 
"K05mJazHhF4", "timestamp": {"minutes": 20, "seconds": 20}, "line": " Disable ASLR on Exploit Dev Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 21, "seconds": 15}, "line": " Start of exploit development for ovrflw binary (Pattner_Create)"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 27, "seconds": 27}, "line": " Start of Return to LibC attack - Getting Addresses"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 37, "seconds": 20}, "line": " Grabbing memory locations off October Machine"}, {"machine": "HackTheBox - October", "videoId": "K05mJazHhF4", "timestamp": {"minutes": 41, "seconds": 0}, "line": " Convert script to Bruteforce ASLR"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 25}, "line": " TMUX and Connecting to HTB"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 0}, "line": " Virtual Host Routing Explanation"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 2, "seconds": 40}, "line": " File Enumeration (Dirb)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 3, "seconds": 59}, "line": " Discover of Web App"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 5, "seconds": 45}, "line": " Starting SQLMap in the Background"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 9, "seconds": 30}, "line": " Uploading a PHP Shell"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 14, "seconds": 1}, "line": " Python PTY Reverse Shell (Tab Autocomplete!)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 19, "seconds": 25}, "line": " MOTD Root (Method 1)"}, {"machine": "HackTheBox - Popcorn", 
"videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 23, "seconds": 50}, "line": " Dirtyc0w Root (Method 2)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Twitter: @ippSec"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Low Priv - File Upload (Torrent image)"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Roots: MOTD/PAM exploit and DirtC0w"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Stuff about phpinfo(): https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf"}, {"machine": "HackTheBox - Popcorn", "videoId": "NMGsnPSm8iw", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Python PTY Shells: https://github.com/infodox/python-pty-shells"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/tokens/"}, {"machine": "HHC2016 - Getting Coins", "videoId": "ylBjVicempc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Note: Video may contain slight errors, most notably in this video is using \"function\" and \"variable\" interchangeably."}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-4/#analytics"}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Note: Video may contain slight errors, most notably in this video is 
mistakenly saying \"Hash\" instead of \"Encrypt\" (ex: @5 minutes). "}, {"machine": "HHC2016 - Analytics", "videoId": "zcJyhDC9kgo", "timestamp": {"minutes": 0, "seconds": 1}, "line": " A full text writeup can be found at:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Exception", "videoId": "2jQ2W5epPYc", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-4/#exception"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Debug", "videoId": "fcemTQaosOQ", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-4/#debug"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Ads", "videoId": "5UZy8OdqA4o", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-4/#ad"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up Link:"}, {"machine": "HHC2016 - Terminal Speedrun", "videoId": "yy6z3fL3vi8", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-3/"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " Write Up:"}, {"machine": "HHC2016 - Dungeon", "videoId": "hWC7mlIYOtU", "timestamp": {"minutes": 0, "seconds": 1}, "line": " https://ippsec.github.io/holidayhack2016/part-4/#dungeon"}]