Jump to content

HackTheBox - Fulcrum

Recommended Posts

Full Video:



02:08 - Begin of Recon

14:00 - XXE Detection on Fulcrum API

17:40 - XXE Get Files

23:40 - XXE File Retrieval Working

24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation

39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution

47:28 - Shell Returned + Go Over LinEnum

56:49 - Finding WebUser's Password and using WinRM to pivot

01:06:00 - Getting Shell via WinRM, finding LDAP Credentials

01:14:00 - Using PowerView to Enumerate AD Users

01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW)

01:35:35 - Getting shell over TCP/53 on FILE

01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare

01:58:10 - Troubleshooting the error correctly and getting Domain Admin!

02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)

02:09:54 - Root Exploit Found

02:12:25 - Mounting the VMDK Files and accessing AD.

Edited by OKQL

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now