HackTheBox - Heist
- Published: 19 Mar 2025
01:05 - Beginning of recon
04:25 - Logging into the webpage as guest and viewing attachments
04:45 - Examining the Cisco type 7 passwords, using ciscot7
07:00 - Cracking the MD5Crypt password using Hashcat
10:20 - Using CrackMapExec to perform an SMB password spray with the users/credentials we have
11:30 - Using Metasploit to do the same thing (smb_login), to show it keeps track of creds. Then doing a WinRM login
14:10 - WinRM login was unsuccessful. Let's see if we can enumerate users with Impacket's lookupsid
15:15 - Using rpcclient to replicate how lookupsid did the RID/SID brute force, so we can understand it
19:25 - Doing the winrm_login again with the new usernames and seeing that Chase can log in
20:25 - Using Evil-WinRM to log in to the box
22:00 - Low-priv shell returned
24:00 - Examining wwwroot and the source code to see if we can get a shell as the IIS user (cannot)
26:45 - See Firefox running with Get-Process
29:00 - Upload procdump64.exe to dump Firefox's memory
31:00 - Running strings against the memory dump and finding the administrator password
34:35 - Testing logins with WinRM and CME to see whether Administrator could PSExec or WinRM
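The 04:45 and 07:00 steps hinge on telling two kinds of Cisco "password" lines apart: type 7 strings are reversible (a fixed-key XOR, which is what ciscot7 undoes), while type 5 secrets are md5crypt (`$1$...`) and can only be cracked. The following is an added example, not IppSec's code nor anything from the Heist box: it decodes type 7 values and triages a config for what to decode versus what to hand to hashcat. The config lines, usernames (`netops`, `backup`) and the `$1$` hash are constructed stand-ins; `070C285F4D06` is the textbook type 7 encoding of `cisco`, and `022E01521812` was produced with the encoder below.

```python
# Added example (not from the video or the Heist box): Cisco type 7 decoding
# and a triage pass over IOS-style config lines.
import re

# Cisco's fixed type-7 key. Type 7 is a Vigenere-style XOR against this string;
# the first two decimal digits of the ciphertext give the starting offset.
CISCO_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# What to do with non-reversible types (hashcat modes for Cisco IOS secrets).
HASHCAT_MODES = {
    "5": "md5crypt, hashcat -m 500",
    "8": "PBKDF2-SHA256, hashcat -m 9200",
    "9": "scrypt, hashcat -m 9300",
}

USER_RE = re.compile(r"^username\s+(\S+)")
CRED_RE = re.compile(r"\b(?:secret|password)\s+(\d)\s+(\S+)")

# Constructed sample config; the hash is a placeholder, not a real md5crypt value.
SAMPLE_CONFIG = """\
! constructed sample, not the real box config
enable secret 5 $1$abcdefgh$0123456789abcdefghijkl
username netops privilege 15 password 7 070C285F4D06
username backup password 7 022E01521812
enable password 0 plaintextpw
"""


def decrypt_type7(ciphertext: str) -> str:
    """Reverse a Cisco type 7 string: 2-digit decimal seed, then hex byte pairs."""
    if len(ciphertext) < 4 or len(ciphertext) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", ciphertext):
        raise ValueError("not a well-formed type 7 string")
    seed = int(ciphertext[:2], 10)          # raises ValueError if seed digits are not decimal
    body = bytes.fromhex(ciphertext[2:])
    plain = bytes(
        c ^ CISCO_TYPE7_KEY[(seed + i) % len(CISCO_TYPE7_KEY)]
        for i, c in enumerate(body)
    )
    return plain.decode("ascii")


def encrypt_type7(plaintext: str, seed: int = 7) -> str:
    """Forward direction, useful for building test vectors (XOR is its own inverse)."""
    out = [f"{seed:02d}"]
    for i, c in enumerate(plaintext.encode("ascii")):
        out.append(f"{c ^ CISCO_TYPE7_KEY[(seed + i) % len(CISCO_TYPE7_KEY)]:02X}")
    return "".join(out)


def triage_config(config_text: str) -> list[dict]:
    """Walk config lines; decode what is reversible, label what must be cracked."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.group(1), m.group(2)
        user_m = USER_RE.match(line.strip())
        entry = {"user": user_m.group(1) if user_m else "(enable)", "type": ptype, "value": value}
        if ptype == "0":                        # type 0 is stored in the clear
            entry["plaintext"] = value
        elif ptype == "7":                      # reversible: decode on the spot
            entry["plaintext"] = decrypt_type7(value)
        else:                                   # one-way: note the hashcat mode
            entry["crack_with"] = HASHCAT_MODES.get(ptype, "unknown type")
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_config(SAMPLE_CONFIG):
        print(f)
```

Running the file prints one dict per credential line; anything with a `plaintext` key goes straight into a spray list, anything with `crack_with` goes to hashcat with the stated mode.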
I know this box is from 4 years ago, but I still want to thank you for this walkthrough!
Wow. I thought I was confident with Linux and Windows administration. I've got a lot to learn.
"I always hate sending websites my passwords"
Cries in login page xD
Oh My God, every time I learn something new. I always wonder if I should drop my university and start watching all your videos xD :p
do it, things change so fast universities cannot keep up.
As someone with a master's degree, I learned more in this video than I did in those expensive years of just writing fucking papers. Fuck the universities. They only get you in the door, they don't teach you a goddamn thing.
I've been learning more about the sysinternals suite, this was super cool.
Why I haven't been subscribed to your channel is the real question here.
It seems sooo easy when someone else does it!
Eeee thx for using evil-winrm!!! Nice!!! New features coming soon!
lol at the last microsecond the root flag appears
tbh it doesn't matter, just follow the guide and you get root anyways. I don't understand why he hides the flags, the boxes are retired anyway so
Oliver T. He is encouraging others to try it themselves; it's similar to the concept that if you copy-paste code you won't learn anything, but if you write the same code instead of copying you will learn a lot.
YouTube recommended me this video after watching the latest… I guess they wanted me to see JSON - sorry, Jason was around then too 😂
Always the best.
This one was super cool, THX!!!!
thanks to ippsec, no one needs skills to gain score on hackthebox 😈
Except that he only does retired boxes, so your score will always be 0 :p
Great walkthrough, thanks
If I pass OSCP, then just because of you. Great content as usual!
Hey, I've really had a doubt for a long time: does OSCP really cost $1750?
@Anonimbus It's "just" around $800-1200, depending on how much lab time you purchase. But it's worth the price.
@pentestical What if one fails the test?
@Anonimbus You can retake the exam for $60. There's no limit on it. It's up to you how often you want to retake the exam.
@pentestical Thanks a lot!!
Excellent. Subscribed. Waiting to exhale.
And this was supposed to be an EASY box!!
Yah... that hit for medium, I think.
@youtubeuser96 Yeah, that was my first box I tried.. I did get the passwords but couldn't log in and then was stuck.. ^^
I can't figure out what about that config file gave away its relation to cisco?
Similarly, how does one identify those numbers as an md5 hash sum?
really great
Thank you for all these videos sincerely.
Watch till the last second for flag😂😂
Thanks man!
6:46 - Bash hack to erase a word to the left of the cursor is Ctrl + w
Another box I'm waiting desperately for is Forest
good to learn how to dump firefox process. many thanks
u are awesome!
Thanks sir.. I'm waiting for you..
Very late comment, but at 20:10 it says http because WinRM goes over HTTP!
great great
I got lost when he does ssh kracken, what is kracken supposed to be?
It's his own machine or main OS, I could say.
So I could use my main machine (Windows) for that job (32gb i7 9k, gpu 2070 rtx) ?
ippsec: I don't like using online tools, because then I need to send the password
also ippsec: i'm not going to try to crack this, i'll just throw it into hashes.org
He put a hash up, not the password.
@TheSeanis yeah ik, I'm mostly joking
Can you tell me about fg? Is it foreground, like background but the opposite? How can I use it in my system? Just type fg?
Man i must know, how do you open another window in your current terminal tab?
Terminal Multiplexer. Look for "tmux" or similar multiplexers. Takes a while to get used to but is much better than wiggling around with 5 different terminals :D.
tmux. He's explained it in detail here
Thanks a lot
Having a challenging time getting access to hackthebox. Tried using the method on YouTube but it's not working, anything I am missing?
Good now!
Microsoft skipped IIS version 9.0 because 7 ate 9.
Do you dual boot or run a VM or have a dedicated kali machine?
What kind of knowledge do I need to start understanding this stuff?
Omni Scientist - Start with easier targets where you can learn one technique at a time, like root-me.org. Get Kali and learn one tool at a time too. Find a group on Discord. And have fun!
@SchoolforHackers Alright, thanks
Just curious, how do you install kracken on Kali Linux? I have searched all over for it and couldn't find anything.
Also, I could not get a successful login with chase with the password. I followed everything correctly until then.
Kracken is the hostname of IppSec's cracking rig. It's a system he connects to for the sake of cracking passwords/hashes.
@invisibleliberty2275 Same here. Can anyone help?
@bittupractice1600 I think he's using a different security OS.
Sorry bro, I have not watched your previous videos. Can you please enlighten me on kracken?
Please, how do you scroll down or up in tmux?
IppSec has a video on how he set up his Tmux in which that is explained as well.
You use Ctrl+B (or whatever key combination you have set up as prefix key; Ctrl+B is the default) and then [ to enter copy mode, where you can scroll up and down freely. Using Return/Enter you go back to the prompt.
I didn't dump the memory - you could also find the password through the last hash that didn't work for you on hashes.org here: md5hashing.net/hash/sha256/91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040
It also worked for me here: md5decrypt.net/en/Sha256 - but for some reason it's not working anymore - either way - two more sites to check hashes at.
hi, where is kracken?
it hasn't been released yet
None of the previous responses are correct. Kraken is IppSec's password cracking machine. The actual tool he uses to crack the password is hashcat.
@the sickest noodle whooosh
I'm so fucking lost
Another easy one.. I am waiting for any hard box to be retired, which is taking too long.
Hello teacher, I want help, please help? How can I exploit this SQL vulnerability?
Warning: pg_query(): Query failed: ERROR: syntax error at or near line "8" LINE 1: ... accounts on login account = 'admin \' # 'and password =' 8dde4f5938 ... ^ on line 183 of C:\xampp\htdocs\index.php
Warning: pg_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\index.php on line 184
sign in
hello or 1 = 1-
I can't do anything, but I can't take advantage of this weakness.
What is kracken? How do I download kracken?
Just use hashcat on your host machine. Kracken is just a box in my house that has hashcat.
it's his cracking rig
@ippsec thank you
I hacked you, I could see the root.txt content using low playback speed in the last seconds of the video.
evil-winrm is evil sometimes xD. When I download the dmp file it displays "downloaded successfully" without downloading it. So I resorted to setting up an SMB server and using New-PSDrive, and it works!