HackTheBox - POV

00:00 - Introduction
01:00 - Start of nmap
02:45 - Discovering the Dev Subdomain
04:00 - Playing with the Resume Download, discovering a File Disclosure Vulnerability
05:40 - Discovering some odd behavior with ../, it's just a replace. Grabbing web.config
08:15 - Using YsoSerial.Net to create a malicious ViewState Gadget, be careful with command prompt and single quotes!
12:00 - Getting a reverse shell with a web cradle
14:10 - Shell returned, discovering a Password stored with Secure String, decrypting it
17:40 - Showing the password, using Invoke-Command to switch users but having trouble getting the SeDebugPriv enabled
23:00 - Method 1: Using Meterpreter to take advantage of SeDebug by Migrating into another process
24:45 - Method 2: Showing RunasCS will get us the debug permission but the PSGetSys script will fail. Oddly, Meterpreter does not fail
29:45 - Method 2.5: Disabling the firewall and showing Evil-WinRM works with PSGetSys, so the failure comes from how RunasCS is generating the shell
