HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS
00:00 - Intro
01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates
05:20 - Running Feroxbuster and then cancelling it from navigating into a few directories
08:00 - Examining the StreamIO Website
10:20 - Finding watch.stream.io/search.php and
11:00 - Fuzzing the search field with ffuf by sending special characters to identify odd behaviors
16:10 - Writing what we think the query looks like on the backend, so we can understand why our comment did not work.
19:00 - Burpsuite Trick, setting the autoscroll on the repeater tab
19:30 - Testing for Union Injection now that we know the wildcard trick
22:15 - Using xp_dirtree to make the MSSQL database connect back to us and steal the hash
25:15 - Extracting information like version, username, database names, etc from the MSSQL Server
27:20 - Extracting the table name, id from the sysobjects table
28:45 - Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single line for mass exfil
31:30 - Extracting column names from the tables
35:20 - Using VIM and SED to make our output a bit prettier
36:45 - Cracking these MD5 hashes with Hashcat
39:55 - Using Hydra to perform a password spray with the credentials we cracked
45:10 - Using FFUF to fuzz the parameter name within admin to discover an LFI
51:40 - Tricking the server into executing code through the admin backdoor, using ConPtyShell to get a reverse shell on Windows with a proper TTY
59:10 - Using SQLCMD on the server with the other database credentials we have to extract information from the Backup Database, cracking it and finding valid creds
1:06:00 - Running WinPEAS as Nikk37, discovering Firefox, then running FirePWD to extract credentials
1:16:30 - Running CrackMapExec to spray passwords from Firefox to get JDGodd's password
1:28:20 - Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can read the LAPS Password
1:37:06 - Extracting the LAPS Password
1:46:10 - Showing you could have SQLMapped the login form
Comments: 31
watching ippsec keep trying to get /etc/passwd from a Windows machine made me feel better about myself :) he's actually human!
@damuffinman6895
A year ago
Lmao
I'm a total beginner still watching these hard machines just because of you, ippsec sir 👀 You are great. Wish me luck for my journey.
Ippsec guru always rocks
Thanks, nice video
It's a great video.
Is that difficulty comparable with the oscp exam? If yes, I need to train more :)
Thanks
Thanks Ipp
❤️❤️❤️
Am I correct in stating that the two crucial mistakes of the admin(s) of this box were users reusing passwords, and winrm being enabled? (aside from being vulnerable to a SQL injection attack, lol)
I think the titles with just the machine name look way cleaner
@ippsec
A year ago
I agree. However, I'm trying a few things to grow the channel and, unfortunately, I believe the title has a significant role in the SEO.
Have you ever thought of doing malware analysis? That would be good too.
@ippsec, what are the specs for the CPU/GPU of your kracken machine? Hashcat seems super fast on your machine.
@ShinigamiAnger
A year ago
Yes, I'd like to know too. I have a good machine, but hashcat still takes forever every time.
@ippsec
A year ago
This was an MD5 with no protection. I'm pretty sure it would go fast on any machine.
@ShinigamiAnger
A year ago
@ippsec Ah ok, I replied before getting to that point of the video. Thanks.
At the end, when I write the full-checkup.sh file in dev/shm and try to run the system checkup, it still says something went wrong. After a few seconds it seems like the machine automatically deleted the file I wrote. I even tried to only put echo 'hi' in the file to test, just in case there is a bug in my code, and it still says something went wrong. I followed all steps correctly. Does anyone know what the problem is?
I was here to just copy what you do to pwn the machine, but that was a tremendous workload. I can't even imagine an insane machine if medium is like this. I have lots of work to do, I guess, to get to a point where I pwn a machine on my own.
On the way to OSCP......🤩
I also want to learn what you have learned and I want it very much. Do you have a chance to show me a way?
A question: what is the hotkey to send a request when you're in Repeater?
@bethdevopsbunny7201
A year ago
The default is Ctrl+Space. You can change it in 'User options / Misc / Hotkeys / Edit hotkeys'; it's the action "Issue Repeater request".
:D
Why don't you use sqlmap?
@ippsec
A year ago
It's not about getting the flag, it's about the journey. I could just try to run SQLMap everywhere but it is not perfect. I think understanding how to exploit things manually is important. I do show SQLMap on the login form at the end of the video, but where the union is there's a WAF that blocks SQLMap. Or worse, I have seen some apps get taken offline by SQLMap. I'm sure you can tamper your way around the WAF but I enjoyed learning the manual steps.
@WasiLi0x1e
A year ago
@ippsec Okay
Hey @IppSec, love your content. You seem to have a slight audio issue this time. I think your noise gate is acting up. With headphones I can hear what I think is a fan in the background that is partially blocked but still getting through.
@IppSec What did you learn to get this experience? I'm watching you from Iraq 🇮🇶 😅