HackThebox - Eighteen
00:00 - Introduction
00:45 - Start of nmap
02:20 - Taking a look at the page, manually decoding the Flask Cookie
06:15 - Running NetExec with MSSQL Priv module which lets us know we can impersonate, switching to mssqlclient
09:30 - Impersonating appdev, which can read the financial_planner table
12:25 - Converting the PBKDF2 hash to the Django format so we can try to crack it
16:20 - Using NXC to run RID BRUTE through MSSQL and get other users to spray the password with
20:50 - Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver files, nothing here
22:45 - Getting the W…
Watch on YouTube ↗
(saves to browser)
Chapters (13)
Introduction
0:45
Start of nmap
2:20
Taking a look at the page, manually decoding the Flask Cookie
6:15
Running NetExec with MSSQL Priv module which lets us know we can impersonate,
9:30
Impersonating appdev, which can read the financial_planner table
12:25
Converting the PBKDF2 hash to the Django format so we can try to crack it
16:20
Using NXC to run RID BRUTE through MSSQL and get other users to spray the pass
20:50
Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver fi
22:45
Getting the Windows Patch Level, noticing windows 2025 and searching exploits
30:00
Setting up Chisel so we can tunnel back to our box to run the badsuccessor mod
32:50
Looking at NXC Issues to see the support for BadSuccessor is still a PR, insta
39:15
Setting our system time to the time on the webserver based upon the Date Heade
40:15
Running BadSuccessor getting the NTLM hash of administrator and using psexec t
DeepCamp AI