HackTheBox - Fulcrum

[Fi8sVrs]

Full Video:

 

 

02:08 - Begin of Recon

14:00 - XXE Detection on Fulcrum API

17:40 - XXE Get Files

23:40 - XXE File Retrieval Working

24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation

39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution

47:28 - Shell Returned + Go Over LinEnum

56:49 - Finding WebUser's Password and using WinRM to pivot

01:06:00 - Getting Shell via WinRM, finding LDAP Credentials

01:14:00 - Using PowerView to Enumerate AD Users

01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW)

01:35:35 - Getting shell over TCP/53 on FILE

01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare

01:58:10 - Troubleshooting the error correctly and getting Domain Admin!

02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)

02:09:54 - Root Exploit Found

02:12:25 - Mounting the VMDK Files and accessing AD.

Edited June 13, 2018 by OKQL