HackTheBox - Fuse

  32,148 views

IppSec


00:00 - Intro
01:00 - Start of nmap, see an Active Directory server with HTTP
05:20 - Gathering usernames from the website
06:20 - Using KerBrute to enumerate which users are valid
08:00 - Using Cewl to generate a password list for brute forcing
09:25 - Using Hashcat to generate a password list for brute forcing
15:50 - Trying to use RPCClient to change the password. Cannot
18:00 - Using SMBPasswd to change the password
22:00 - Logging in via RPCClient and enumerating Active Directory with EnumDomUsers and EnumPrinters
24:40 - Password for SVC-PRINT found via Printer description (EnumPrinters) in Active Directory, Logging in with WinRM
26:50 - Discovering SeLoadDriverPrivilege
27:30 - Switching to Windows, downloading everything needed for loading the Capcom driver and exploiting it
28:50 - Compiling the EoPLoadDriver from TarlogicSecurity
31:50 - Compiling ExploitCapcom from FuzzySecurity
35:00 - Copying everything to our Parrot VM then to Fuse
37:45 - Loading the Capcom Driver then failing to get code execution
41:30 - Creating a DotNet reverse shell in case the Capcom exploit didn't like PowerShell
47:50 - Exploring the ExploitCapcom source and editing it to execute our reverse shell
50:11 - Copying our new ExploitCapcom file and getting a shell

Comments: 46
@outlaw8379 3 years ago
I just discovered your channel and only recently joined HTB, I really appreciate all the videos you are putting out there, it's absolute gold. I use your HTB videos to see your approach on a box and compare it to the approach I used.
@Ms.Robot. 3 years ago
This was very well done. Another masterpiece. Clear, well explained, easy to understand. 💝
@octagear 3 years ago
Don't ask me why but the way he says '10 10 10' is just great. When my attention decides to wander off, the '10 10 10' always makes me return to focus 😅❤️
@tzachihazan3459 3 years ago
amazing as always!! thank you
@jaysiddik 3 years ago
Ippsec make the parrot OS video, your way and customise
@darkstark4673 3 years ago
github.com/theGuildHall/pwnbox
@loganmay2105 3 years ago
20:00 Yea the password reset on this box was brutal. Your changed password works for one login.
@humanflybzzz4568 3 years ago
Yo, Ippsec, can you do a vid on staying stealthy during enumeration/privesc phase? Also maybe wedge some staying-in-scope advice in there. Could be fun :)
@balajijangde8470 3 years ago
Can you please share your configurations for tmux? I really love the way you customized it for mouse support, copying to clipboard etc.
@shirubaino 3 years ago
He's done it already: kzbin.info/www/bejne/gqLImammmsSXoNU
@user-rz4pc1tv5x 3 years ago
Thank You very much!!!
@not1sfound966 3 years ago
very nice!
@doomdie4792 3 years ago
Waw, actually hacked by the print machine, that was poetic.
@Meowkak 3 years ago
Excuse my noobness, but what does adding the domain to the host file or the resolv.conf do for us? Does it constrain our queries or tell the device that it should be using or connected to that domain?
@adhilazeez6039 3 years ago
Thanks bro. Do you provide any course in Udemy or any?
@AhmedAbdullah-pp2mp 3 years ago
Thanks ippsec
@jimcolabuchanan6579 3 years ago
Didn't realize you can do so much with hashcat.
@d4rckh122 3 years ago
Fun box ☺️
@leejh-vm9oj 10 months ago
Hello ippsec, I have a question for you. When I try smbpasswd, I get an error saying Could not connect to machine: error was the transport connection is now disconnected. I spent this morning analyzing this error code, but I couldn't solve it. Could you possibly help me?
@werdna_sir 10 months ago
I'm stuck here, too. My only thought at the moment is that the current versions of our tools are not compatible with this older box.
@ayushprajapati2630 1 year ago
I am getting error the transport connection is disconnected when I tried smbpasswd
@anthonysimonyan4763 3 years ago
Hey. Why did smbpasswd work for changing the password of the user but rpcclient didn't? What's the difference in how those tools work?
@anthonysimonyan4763 3 years ago
and then rpcclient decided to work after the whole password error
@noussayrderbel5631 3 years ago
Why would we use hashcat to generate weak passwords, while in real pentesting missions you can usually find strong passwords? Is it possible to choose crunch as a tool to generate all possibilities (obviously it's gonna be a large file) but we can prove that users must change their password every amount of time.
@ippsec 3 years ago
Real pentesting missions have time limits; if you go the brute-force-all-combinations approach, you won't get to your goal fast enough.
@noussayrderbel5631 3 years ago
@@ippsec So what approaches do pentesters take to get client passwords? Do they usually simply verify if those passwords are contained in those wordlists?
@berndeckenfels 3 years ago
A pentest result of hacking passwords with wordlists is usually very significant since it proves the passwords are really bad. If you brute force complex passwords at a great cost there is not much to gain from that (you can look at the used hash method and tell in theory how easy/expensive it will be, there is no point in proving it for pentest engagements - especially since available hashes is a game over anyway)
@noussayrderbel5631 3 years ago
@@berndeckenfels let's assume that all users use good passwords, should we say that every pentesting mission gonna fail cause we couldn't find passwords? Is it based only on passwords? I hope that you got my point
@berndeckenfels 3 years ago
@@noussayrderbel5631 Depends on your definition of fail. However in the concrete example the actual problem is that you can spray passwords and there is no lockout. Finding that - even with not finding passwords - would be a major pentesting finding aka success (of course that's not a HTB objective). Besides, bruteforcing strong passwords online (instead of hashes) is slow anyway. But forget my answer, I was not aware you were referring to the pattern generation with hashcat - just reached that place in the video.
@shba9300 1 year ago
Does this box match an AD machine for OSCP? So is it 40 points? Or is this just one client?
@elikelik3574 3 years ago
Hi. I'm a little bit confused. Maybe it will sound stupid but anyway I want to ask =) So we have LoadDriver.cpp, ExploitCapcom.exe, capcom.sys and rev.ps1. 1) Why do we need capcom.sys? What happens if we don't use it and try exploitCapcom.exe rec.ps1?
@ippsec 3 years ago
I'm not positive! When I first tried that it failed due to ExploitCapcom having the program hard coded. No reason why you can't try it out :-)
@tyrewald9083 3 years ago
Timestamps-thanx!
@IND_Abhi 3 years ago
I just wonder what are your PC specs @IppSec, can I know
@eugenchirila7903 3 years ago
Same request, please: your .bashrc or whatever .*rc -- I like very much the prompt, for e.g. Thanks!
@tymekl1509 3 years ago
Ippsec, I have a problem with parrot (Security with MATE) on VirtualBox, and when I change my resolution (using xrandr or just settings), it just freezes on a black screen.
@ippsec 3 years ago
I don't use VirtualBox, sorry.
@TracerPortable 3 years ago
@@ippsec Do you virtualize your parrot os? Or do you have it installed on bare metal? I was thinking about switching to parrot but I don't know if having "hacking" system is secure as daily system. What do you recommend?
@karimmohamed3744 3 years ago
@Drew Pena Try out vmware
@ilhamdhonyagid6646 3 years ago
yow
@MajorKassad 3 years ago
This box is shit I couldn't figure it out and it is hard.
@dhaneshsivasamy8865 3 years ago
also tested out for zerologon which was exploited successfully ❤️
@fusemb7095 3 years ago
What the f