Myvideo

Guest

Login

HackTheBox - Hancliffe

Uploaded By: Myvideo
34 views
0
0 votes
0

00:00 - Intro 01:00 - Start of nmap 02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive. 04:30 - Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password 08:40 - Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon] 12:15 - Identifying the Nuxeo application and searching for the web vulnerability 15:55 - Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload 19:40 - Testing an java EL SSTI Payload to get code execution. Don't get output but can validate we run code via ping 21:25 - Getting a reverse shell 24:25 - Looking at listening ports, running a powershell snippet to get process name and the port they listen on 29:15 - Looking for an exploit with Unified Remote. Using Chisel

Share with your friends

Link:

Embed:

Video Size:

Custom size:

x

Add to Playlist:

Favorites
My Playlist
Watch Later