HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS

Описание к видео HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS

00:00 - Intro
01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates
05:20 - Running Feroxbuster and then cancelling it from navigating into a few directories
08:00 - Examining the StreamIO Website
10:20 - Finding watch.stream.io/search.php and
11:00 - Fuzzing the search field with ffuf by sending special characters to identify odd behaviors
16:10 - Writing what we think the query looks like on the backend, so we can understand why our comment did not work.
19:00 - Burpsuite Trick, setting the autoscroll on the repeater tab
19:30 - Testing for Union Injection now that we know the wildcard trick
22:15 - Using xp_dirtree to make the MSSQL database connect back to us and steal the hash
25:15 - Extracting information like version, username, database names, etc from the MSSQL Server
27:20 - Extracting the table name, id from the sysobjects table
28:45 - Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane for mass exfil
31:30 - Extracting column names from the tables
35:20 - Using VIM and SED to make our output a bit prettier
36:45 - Cracking these MD5sum with Hashcat
39:55 - Using Hydra to perform a password spray with the credentials we cracked
45:10 - Using FFUF to fuzz the parameter name within admin to discover an LFI
51:40 - Tricking the server into executing code through the admin backdoor, using ConPtyShell to get a reverse shell on windows with a proper TTY
59:10 - Using SQLCMD on the server with the other database credentials we have to extract information from the Backup Database, cracking it and finding valid creds
1:06:00 - Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract credentials
1:16:30 - Running CrackMapExec to spray passwords from Firefox to get JDGodd's password
1:28:20 - Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can read the LAPS Password
1:37:06 - Extracting the LAPS Password
1:46:10 - Showing you could have SQLMapped the login form

Комментарии

Информация по комментариям в разработке