HackTheBox - JSON

53.5K views
Feb 15, 2020
1:27:52

00:52 - Start of recon, NMAP
04:35 - Using SMBClient to look for open shares
04:50 - Examining the HTTP redirect on the page
06:56 - Attempting default credentials
08:25 - Running GoBuster with PHP extensions
12:45 - Examining the /api/ requests made in BurpSuite
13:35 - Comparing requests to notice one has a "BEARER" header. Researching exactly what it is.
14:45 - Examining the contents of BEARER/OAUTH2 by base64 decoding it.
15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting valid but unexpected base64
16:50 - See a serialization error, pointing towards JSON.NET, then switching to Windows to install ysoSerial
22:54 - Creating a .NET deserialization exploit that will ping us
27:50 - Base64 encoding the exploit, starting tcpdump, and checking for code execution. Then editing our exploit to use a PowerShell web cradle with Nishang to get a reverse shell
32:51 - Reverse shell returned, running WinPEAS from my SMB share so we don't touch disk
37:00 - Going over WinPEAS.bat, which doesn't have color (we will do the EXE later in the video to get colors!)
42:00 - PrivEsc #1: Reversing Sync2Ftp to decrypt a password
50:15 - Decompile SyncLocation.exe via dnSpy, then edit the executable to display the decrypted password.
56:15 - Couldn't use PSEXEC with the decrypted creds. Let's use PowerShell Invoke-Command to switch users
1:05:25 - PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!
1:10:50 - Using Chisel to forward 127.0.0.1:14147 to us
1:15:15 - Running the FileZilla Server and connecting to the box through our tunnel to create new users
1:21:53 - PrivEsc #3: JuicyPotato
1:24:53 - Running JuicyPotato to get a SYSTEM shell
