HackTheBox - Arkham

00:55 - Begin of Recon 02:20 - Checking the WebPages 03:50 - Examining /userSubscribe.faces, to discover potential deserialization 05:00 - Exploring javax.faces.ViewState 05:50 - Googling around to see what an unencrypted serialized object should look like 07:15 - Checking out SMB to discover an openshare 09:00 - Downloading appserver.zip from batshare via smbclient 11:00 - Cracking a luks encrypted file with dd and hashcat 14:00 - Luks cracked, mounting the disk with luksOpen 16:20 - Discovery of the secret used to encrypt the java object 18:10 - Creating a python script to decrypt the ViewState to verify we have correct crypto settings 23:10 - Script completed, lets test the decryption! 24:15 - Downloading ysoserial to create a deserialization CommonCollections gadget 26:00 - Creating a python script to exploit the deserialization vuln 31:00 - Script complete! We got a ping, testing the MyFaces serialization objects (did not work) 33:00 - Modifying the script to run commands other than what ySoSerial provided 41:10 - Script updates finished, trying to get a reverse shell via nishang (did not work) 42:40 - Trying Invoke-WebRequest, because Net.WebClient did not work. (testing for constrained mode) 45:00 - Downloading netcat to upload to the box 46:00 - Netcat returned a powershell reverse shell 47:20 - Discovering Backup.zip, downloading, using readpst to convert it to a plaintext mbox file 50:00 - Using evolution to view mbox file and find Batman's password 52:45 - Using Powershell's Invoke-Command to execute commands as Batman (like runas) 55:40 - Reverse shell as batman returned! Running a few commands to find out he is localadmin but needs to break out of UAC 58:10 - Unintended: Using net use to mount c$ and view the flag 59:30 - Checking github hfiref0x/UACME to find a UAC Bypass. Chose one by a fellow HTB Member 01:02:10 - Using GreatSCT/MSBuild to launch Meterpreter 01:02:45 - While GreatSCT installs, create a DLL to return a reverse shell 01:06:00 - c