Hack The Box Hancliffe
00:00 Intro
01:00 Start of nmap
02:25 Identifying it is a Windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since Windows is not case sensitive.
04:30 Looking at HashPass to see it just generates static passwords based upon Name, Website, Master Password
08:40 Identifying a JSESSIONID cookie given when accessing maintenance, which enables a weird path traversal vuln MasterRecon
12:15 Identifying the Nuxeo application and searching for the web vulnerability
15:55 Testing for SSTI in an error message; normal SSTI doesn't work since it is Java. Going to PayloadsAllTheThings to get a valid payload
19:40 Testing a Java EL SSTI payload to get code execution. Don't get output but can validate we run code via ping
21:25 Getting a reverse shell
24:25 Looking at listening ports, running a PowerShell snippet to get process names and the ports they listen on
29:15 Looking for an exploit with Unified Remote. Using Chisel