HackTheBox - Helpline

00:35 - Begin of Recon 01:42 - Checking the ManageEngine Page 02:23 - Running Searchsploit to see potential exploits 03:40 - Enumerating valid usernames via AjaxDomainServlet 05:40 - Logging in with guest:guest 07:10 - Running the privilege escalation script to get Administrator access 08:00 - Searching for information on this exploit 08:20 - Blog post missing... Searching Archive.org and Google Cache for a mirror 10:00 - Making curl go through burp to step through the exploit in BurpSuite 18:00 - Copying the admin cookies into FireFox 19:25 - Going to Admin then Custom Triggers to execute code on the server 21:50 - Getting a reverse shell via Nishang 22:30 - Using iconv to create UTF-16LE encoded Base64 for use with "-EncodedCommand" option 25:45 - Reverse Shell as System returned, but EFS Protects the flags 26:45 - Finding interesting files with get-childitem -recurse . | select FullName 28:50 - Copying mimikatz over to the box to steal NTLM Hashes 31:00 - Defender blocked us. Disable defender with Set-MpPreference -DisableRealtimeMonitoring $true 32:50 - Using hashes.org to view password of Zachary, checking his groups to see he can view event logs 33:30 - Doing some powershell goodness to search event logs! 40:50 - Extracting ProcessCommandLine from the logs (Tolu Password), its a shame Nishang screws with how some commands output to stdout. This could of been a lot cleaner. 43:00 - Using Mimikatz to decrypt the EFS Protected file with Tolu's password 57:25 - Need to read Leo's admin-pass.xml, load meterpreter and migrate into his namespace 01:00:20 - admin-pass is the output of SecureString, lets decrypt it to get the admin password 01:02:20 - Using Invoke-Command with the credential object created to execute commands as administrator 01:03:50 - Cannot read root.txt because of "Double Hop Problem" (how PowerShell Authenticates), using CredSSP Authentication to fix this.