Jump to content

HackTheBox - Fulcrum

Recommended Posts

Full Video:



02:08 - Begin of Recon

14:00 - XXE Detection on Fulcrum API

17:40 - XXE Get Files

23:40 - XXE File Retrieval Working

24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation

39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution

47:28 - Shell Returned + Go Over LinEnum

56:49 - Finding WebUser's Password and using WinRM to pivot

01:06:00 - Getting Shell via WinRM, finding LDAP Credentials

01:14:00 - Using PowerView to Enumerate AD Users

01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW)

01:35:35 - Getting shell over TCP/53 on FILE

01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare

01:58:10 - Troubleshooting the error correctly and getting Domain Admin!

02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)

02:09:54 - Root Exploit Found

02:12:25 - Mounting the VMDK Files and accessing AD.

Edited by OKQL
  • Upvote 1

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now