(YT)IppSec

HackThebox - Eighteen

(YT)IppSec — Sat, 11 Apr 2026 15:13:47 GMT

00:00 - Introduction
00:45 - Start of nmap
02:20 - Taking a look at the page, manually decoding the Flask Cookie
06:15 - Running NetExec with MSSQL Priv module which lets us know we can impersonate, switching to mssqlclient
09:30 - Impersonating appdev, which can read the financial_planner table
12:25 - Converting the PBKDF2 hash to the Django format so we can try to crack it
16:20 - Using NXC to run RID BRUTE through MSSQL and get other users to spray the password with
20:50 - Using Evil-WinRM to access the box as Adam.Scott then poke at the webserver files, nothing here
22:45 - Getting the Windows Patch Level, noticing windows 2025 and searching exploits to find BadSuccessor
30:00 - Setting up Chisel so we can tunnel back to our box to run the badsuccessor module with nxc
32:50 - Looking at NXC Issues to see the support for BadSuccessor is still a PR, installing the special branch with uv
39:15 - Setting our system time to the time on the webserver based upon the Date Header from Curl
40:15 - Running BadSuccessor getting the NTLM hash of administrator and using psexec to get on the box

HackTheBox - DarkZero

(YT)IppSec — Sat, 04 Apr 2026 15:31:36 GMT

00:00 - Introduction
01:00 - Start of nmap, mention VMRDP (2179), not important but just interesting
04:00 - Running NetExec to test the Assume Breach credentials and seeing we can connect to MSSQL
05:30 - Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to us with a machien account, can't crack this
06:55 - Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switching to it and then noticing we are DBO, enable + run XP_CMDSHELL
12:30 - Shell returned on HyperV Machine, showing how to identify patch level on Windows with HKLM:\SOFTWARE\Microsoft\Windows\ NT\CurrentVersion, discover it hasn't been patched since 2024
14:20 - Loading up Meterpreter and Metasploit to use local_exploit_suggester and then exploit CVE-2024-30088 to get admin on this VM (privesc method #1)
20:00 - Enumerating Domains to show we can abuse TGT Delegation to pivot to the adjacent domain
24:30 - Looking at Rusthound/Bloodhound (another good way to enumerate the domains)
29:30 - Explaining the TGT Delegation we will abuse and why we can't just golden ticket (sid filter), get DARKZERO.HTB to connect to DARKZERO.EXT, then replay KRB Ticket
34:50 - Using Meterpreter to run Rubeus, which will get us that ticket
38:45 - Grabbing the DC01 Ticket, then using it to connect to DARKZERO.HTB and getting admin
46:30 - Showing PRIVESC Method #2, NTLMRelay with remove-mic-partial. Works on all domains missing June 2025 patch to go from Domain User to Admin
1:03:40 - Showing the June 2025 patch does fix the weird bug where we can duplicate DNS Names with the 1UWhRC... thing appended
1:10:30 - Showing Privesc Method #3 (recovering the original token of our session, so we can get SeImpersonate after the MSSQL Shell
1:23:00 - Privesc Method #4, the intended way. If we can get (or reset) the password to MSSQL its allowed to login as a service, which gives us SeImpersonate

HackTheBox - OpenKeyS

(YT)IppSec — Sun, 29 Mar 2026 09:32:01 GMT

00:00 - Introduction
00:31 - Begin of nmap
01:10 - Nmap shows it is BSD, going over some command differences
02:00 - Running GoBuster to find other PHP Scripts
04:30 - Looking at the includes directory and finding source code
10:14 - Reversing the Check_Auth binary with Ghidra, to see it doesn't decompile well
12:00 - Using VirusTotal to find out if this an old binary
13:20 - Using Cutter to decompile this binary, to see it does a better job than Ghidra!
17:50 - Finding some BSD Exploits related to authentication
20:00 - Putting SCHALLENGE as the username, causes a different error message. Then doing some code analysis around $_REQUEST
24:50 - Abusing the $_REQUEST() feature to overwrite the username file with a valid user and grab their SSH Key
26:10 - Showing how OpenBSD has some different command line switches
31:00 - Going back to the earlier CVE, since it showed a privesc aswell and explaining CVE-2019-19520
40:45 - EXTRA: Looking at the PHP Code to explain the $_REQUEST exploit again

HackTheBox - Academy Intro

(YT)IppSec — Sun, 29 Mar 2026 09:31:44 GMT

Academy URL: https://academy.hackthebox.eu

00:00 - Intro
01:03 - Accessing Academy
01:45 - Talking about Paths
02:10 - Talking about what a Cube is
03:25 - Showing all the modules and tiers
06:30 - Starting the Intro to Academy Course
08:20 - Showcasing interactive modules by starting a pwnbox instance
10:30 - Spawning a lab to interact with

HackTheBox - SneakyMailer

(YT)IppSec — Sun, 29 Mar 2026 09:31:27 GMT

00:00 - Intro
00:45 - Start of nmap
03:10 - Poking a the websites
04:20 - Starting gobusters in the background while we look at the site
07:00 - Grabbing a list of emails off of the website
08:40 - Using SWAKS to mass email users with a link
14:45 - User went to our website, grabbed credentials
17:50 - Failing to do FTP User Enumeration, do this at the end of the video
19:00 - Failing with Thunderbird to login
22:30 - Switching to the Evolution Mail client to check mailboxes, finding FTP Details in Sent Mail
28:40 - Using wget to mirror the FTP Directory, then poking at PHP Files
30:50 - Showing pypi/Register.php, which should have been used during the phishing stage
31:30 - Checking if we can upload files to the FTP Directory and finding the dev VHOST
35:00 - Shell Returned
37:00 - Discovering a HTPASSWD file, then cracking it with hashcat
39:50 - Checking out pypi.sneakycorp.htb:8080 and finding a pypi server
41:00 - Creating a Malicious PyPi Package
43:30 - Adding a reverse shell to our pypi package
44:45 - Creating a pypi configuration file
47:00 - Uploading the package and getting a shell as low
50:10 - Checking sudoers, and finding low can run pip3 - Use GTFO Bin to get root
53:30 - EXTRA: Enumerating the FTP Users by creating a quick webapp then using FFUF against it.

HackTheBox - Unbalanced

(YT)IppSec — Sun, 29 Mar 2026 09:31:00 GMT

00:00 - Introduction
01:03 - Start of nmap
02:27 - Setting Squid up to do a portscan while we work on something else
07:00 - Poking at RSYNC and seeing we can download encrypted config backups
09:40 - Examining files downloaded from RSYNC, specifically looking at entropy to validate encryption
14:30 - Finding the EncFS Config file, and then using John to Crack it
18:15 - Decrypting the config directory and finding a squid password and some hostnames
22:30 - Examining the new website exposed to us, configuring BurpSuite to use the squid proxy
24:00 - Showing the Intranet-Host header is changing, then accessing Squid Cache Manager to find some more ip addresses
26:15 - Using curl to view Squid Cache Information
28:25 - Finding a new IP Address for a decomissioned server. Looks like this one has a vulnerability
32:15 - Poking at the login form on the intranet-host1, looks like its vulnerable to SQL Injection
37:30 - Trying SQL Injection in the Password Field since the User was behaving weirdly.. Password behaving slightly differently
38:20 - Examining what XPATH Injection is
39:15 - Confirming it is XPATH Injection by using standard XPATH Payloads
44:10 - Using a XPATH Payload to extract the password length for a user
46:00 - Using XPATH Injection to bruteforce the password one character at a time
48:40 - Using Python to Automate the XPATH Injection to dump passwords
1:01:30 - Script near done, grabbing the password for all users
1:06:40 - Using Hydra to find one of the users had SSH Access
1:08:30 - Reading the TODO and finding pi-hole by checking arp with ip neigh
1:10:10 - Creating an SSH Port Forward to access Pi-Hole
1:13:55 - Finding Pi-Hole Exploits
1:15:00 - Using FFUF to bruteforce the Pi Hole login form
1:17:50 - Failing to use public exploits for this
1:19:45 - Finding a blog post to examine how this exploit works
1:21:45 - Using CyberChef to edit the payload for our Pi Hole exploit
1:23:55 - Manually sending the exploit and getting a shell
1:25:00 - Finding the root password in a config file, then using SU to get root

HackTheBox - Worker

(YT)IppSec — Sun, 29 Mar 2026 09:30:33 GMT

00:00 - Intro
01:05 - Start of nmap
02:50 - Checkign out the open SVN Port
03:45 - Adding the discovered domains to /etc/hosts and checking out the websites
05:30 - Some grep magic to show only what we want, which is URLS
09:15 - Using GoBuster to see if there are any more more VHOSTS
11:00 - Checking out the SVN and seeing creds in a previous revision (commit)
13:00 - Logging into Azure Devops (devops.worker.htb) and discovering the pipelin to deploy master branch to a server
15:00 - Pushing our webshell to the git master branch and getting shell on the box
16:10 - Choosing the revshell out of the tennc github page
21:40 - Creating a powershell one liner to get a reverse shell via Nishang
24:30 - Discovering SVN Credentials and using CrackMapExec to find valid passwords
28:50 - CrackMapExec was giving me issues, installing it from source with Poetry
30:00 - Using CrackMapExec to test a list of credentials without bruteforcing all passwords to all users
32:10 - Using WinRM to get a shell as Robisl
35:10 - Logging into Azure Devops as Robisl and discovering we can edit the build pipeline
39:45 - Copying our reverse shell to the box, so we can easily execute it from the build pipeline and getting admin
41:30 - UNINTENDED: Doing the box via RoguePotato
42:50 - Poorly explaining why we need to use chisel
45:50 - Running Chisel to setup a reverse port forward between the target and our box
52:15 - Setting up SoCAT to go through our tunnel
52:50 - Executing RoguePotato to get an admin shell
53:30 - Explaining the tunneling again in MSPaint. Hope this helps.
1:01:40 - Doing RoguePotato without socat, just a single Chisel tunnel

HackTheBox - Armageddon

(YT)IppSec — Sun, 29 Mar 2026 09:30:08 GMT

00:00 - Intro
00:50 - Start of the box, showing a quick way to nmap
02:15 - Looking at web page
03:00 - Looking for Drupal Scanners
04:00 - Showing how I would fingerprint opensource apps if there was no scanner
06:30 - Using DroopeScan to scan the site
07:50 - Starting to use Drupalgeddon2 to get a shell
11:40 - Installing gems so DrupalGeddon works
12:15 - Drupalgeddon2 works, going from a webshell to reverse shell
16:00 - Confused about OSError: out of pty devices when improving the shell, give up eventually
17:50 - Looking for users on the box, then hunting for the Drupal configuration
21:00 - Cannot find the drupal configuration, going to google and asking for how to change the SQL Password
22:45 - Logging into the Drupal MySQL Database then dumping the Drupal Hash but have trouble getting it to work since we don't have a TTY
29:00 - Cracking the Joomla Password, then testing the password with ssh and logging in
30:00 - Our user can install Snap Packages with sudo, so building a malicious snap
31:20 - Installing FPM which lets us build packages, building a lot of bad packages until we find one that works
36:20 - Our malicious packages aren't working, switching to a non-malicious one to test the exploit
40:16 - Having our snap attempt to grab the root flag, turns out i was just impatient before
43:43 - Moving bash to avoid system directories and setting it to setuid
45:10 - Explaining what snap is

HackTheBox - Cereal

(YT)IppSec — Sun, 29 Mar 2026 09:29:43 GMT

01:17 - Start of nmap, showing having valid hostnames will give more information
03:54 - Error message on source.cereal.htb leaks a path
06:30 - Showing .git doesn't exist in DirectyList but does in Raft
08:02 - Using Git-Dumper to download the .git directory and view the source
09:30 - Looking at Git History shows where deserialization happens and a hard coded JWT
12:08 - Using the hard coded JWT To build our own token in dotnet.
21:00 - Trying to use our JWT to access authenticated pages
25:42 - Going through the React JavaScript to see the token is stored in our browsers local storage
29:40 - Our browser keeps clearing the storage lets just intercept a request in BurpSuite and do what we need
32:15 - Start of the Desrialization, BadWords Filter to prevent ySoSerial, but we can manually create our own deserialization payload
33:20 - Finding the name of our JSON Library then finding a blackhat talk on abusing it, to build our payload
40:11 - More examining javascript to find routes that leaks pages of the pplication
42:15 - Using npm audit to find an XSS Vulnerability on /admin due to an out of date plugin react-marked-markdown
46:10 - Testing the XSS Vulnerability with a simple payload
49:00 - Putting it all togather, writing notes on how we are going to build the exploit
51:15 - Start of exploit script making python requests not care about SSL, then building our JWT with pyJwt
57:00 - Testing out bad character evasion with Base64 by using a benign XSS Payload first
1:06:20 - Adding stage 1 to our script to send the deserialization payload
1:08:22 - Changing our payload to use XMLHttpRequest to force the browser to make a request to perform the deserialization which bypasses the RestrictIP Policy
1:13:08 - Our script did not work, troubleshooting it
1:17:57 - Script worked, lets now host a ASPX File for it to download
1:19:20 - Using our webshell to download the SQLite Database
1:22:45 - Our Powershell One-Liner to convert the database to b64 just fails. Lets copy the database to the web directory so we can download it without encoding it
1:25:00 - Showing IIS isn't allowing us to download files that end in .db
1:27:45 - Showing odd behavior with SSH not prompting us for password due to it treating PubKey as login attempts. Fix is tell SSH to not us pubkey
1:33:00 - Discovering port 8080, forwarding that port and discovering GraphQL. Installing GraphQL Playground
1:37:20 - Using GraphQL Playground to dump data out of the database, then use a mutation to trigger the SSRF
1:39:30 - Downloading GenericPotato so we can use this SSRF to steal the Token
1:44:20 - Running Generic Potato in HTTP Mode triggering the SSRF and getting a root shell

HackTheBox - Intense

(YT)IppSec — Sun, 29 Mar 2026 09:28:40 GMT

00:00 - Intro
01:15 - Begin of nmap
03:30 - Examining the Message, pointing out the endpoint does not need authentication
06:15 - Using FFUF to fuzz the API End Point and show importence of Content-Type
12:00 - Starting SQLMAP then manually fuzzing this application
14:30 - SQLite Boolean Injection, with CASE IF/THEN/ERROR
20:00 - SQLite Boolean Injection, Enumerating Usernames
24:00 - SQLite Boolean Injection, Start of Dumping Password
26:10 - SQLite Boolean Injeciton, Optimization chat about UNICODE and SUBSTR
29:40 - Start of coding out python script to dump the hash
41:20 - This hash looks weird... Tons of troubleshooting
45:12 - Explaining the issue, we are hitting the 140 character limit... Switching script up to do SUBSTR
51:55 - Script completed to dump hashes.
53:15 - Static source code analysis, find its vulnerable to Hash Length Extension Attack
59:50 - Using HashPumpy to perform the Hash Length Extension Attack
1:11:30 - We base64'd the signing portion wrong
1:13:30 - Now we have access to /admin, can use its API to read files and directories, showing Sched_debug and /proc/net/tcp,udp,environ to get important information
1:23:30 - Finding a RW SNMP Community string and then using snmp-shell to get code execution
1:29:00 - Generating a SSH Key then copying it slowly to the box
1:35:00 - Doing a Local Port Forward with the Debian-SNMP User
1:37:20 - Binary Exploitation with Note_Server: Going over Source and recompiling with ggdb flag
1:41:00 - Binary Exploitation: Setting up PwnTools so we can interact with the binary
1:46:40 - Binary Exploitation: Defeating ASLR by leaking an address
1:56:20 - Binary Exploitation: Leaking LibC and Getting Code Execution
2:05:30 - Binary Exploitation: Creating offset's for our remote server to get it working

HackTheBox - Rope2

(YT)IppSec — Sun, 29 Mar 2026 09:27:24 GMT

00:00 - Intro
01:15 - Start of nmap
02:30 - Checking out the webpages, find Gitlab and Page about a custom chrome
03:25 - Viewing the Git log for the custom v8 javascript project and finding the vulnerability
06:00 - Finding an XSS in Contact Us
08:15 - Using the banners to find what version of Ubuntu the target is using
11:50 - Building v8 in Ubuntu 18.04
18:20 - Warning about needing 4 gigs of memory.
23:30 - Everything is compiled! Start of the exploit, looking at some webpages that help out
24:30 - Starting v8 in gdb, then examining some memory structures
29:00 - Explaining Smi, Immediate Small Integer
30:00 - Starting our helper script with number conversions (float/bigint/hex)
34:10 - Doing DebugPrints on our float arrays to examine memory
38:40 - Digging into the memory to see where Map/Property/Elements/Length are in the memory
50:20 - Showing Objects in memory
58:15 - Precursor material to AddrOf and FakeObject, why type confusion leads to memory shenanigans
1:06:30 - Finding GetLastElement() behaves different on object arrays
1:17:00 - Doing Faiths AddrOf and troubleshooting why it doesn't work in ours
1:22:27 - Recoding the AddrOf, to start out with an array not object
1:26:45 - Explaining the FakeObj Primative
1:33:20 - Doing the Read Memory portion
1:37:50 - Coding the Write Memory function
1:40:40 - Using Web Assembly to create RWX
1:42:30 - Doing some memory analysis to find where our RWX location is
1:46:30 - Doing some memory analysis to find where the Backing Store address is
1:50:10 - Using MSFVenom to create some shellcode to touch a file
1:54:20 - Replacing the shellcode with a reverse shell!
1:56:30 - Testing on the custom chrome browser
1:58:30 - Running our exploit against the target!

HackTheBox - Delivery

(YT)IppSec — Sun, 29 Mar 2026 09:26:21 GMT

00:00 - Intro
00:46 - Starting with nmap
02:15 - Enumerating the website to see links to the HelpDesk and Mattermost
03:40 - Attempting to enumerate the version of osTicket
05:45 - Searchsploit json output shows the date
06:30 - No exploits found, lets open a new ticket and see it gives us a way to update the ticket via email
08:40 - Creating an account on Mattermost with the email of the helpdesk to get the activation link
09:30 - Viewing the internal chat and seeing a password, then SSHing to the server
11:50 - Using hashcat to create a wordlist with its internal rule system
12:20 - Going over how Hashcat Rule files work
15:20 - Root #1: Running sucrack to bruteforce the root users password
19:50 - Root #2: Cracking the Mattermost Password
23:20 - Using hashcat to crack the Mattermost Password
26:45 - Going over how i set up the email server on this box

PHP Type Juggling - Why === is Important - Bug Bounty Tips

(YT)IppSec — Sun, 29 Mar 2026 08:35:58 GMT

Join Intigriti here: https://go.intigriti.com/ippsec

00:00 - Intro
00:54 - Enumerating the application utilizes Laravel based upon a default cookie name.
01:30 - Jumping into a PHP Interpreter to show off the Type confusion bug.
03:30 - Trying the same thing in Python, Javascript, Ruby, and showing that they aren't vulnerable in this way.
05:30 - Talking about the importance of the Laravel API Middleware
07:30 - Converting the GET request to have JSON Data
08:40 - Changing the JSON Data to pass a boolean for password
09:50 - Bypassing login with type confusion
10:30 - Sponsor highlight Intigriti
12:48 - End of sponsor highlight
13:30 - Looking at the Laravel Code to find where the route is for the custom login function
14:00 - Showing the vulnerable function

HackTheBox - Stacked

(YT)IppSec — Sun, 29 Mar 2026 08:35:44 GMT

00:00 - Intro
00:57 - Start of Nmap
03:10 - Start of gobuster to enumerate VHOST and Files
07:15 - Showing how I like to find the needles in a haystack when it comes to parsing lots of data.
09:40 - Using google reverse image search to try to identify what a logo means
11:00 - Hunting for XSS, putting unique URL's in all fields (check for a callback later)
13:45 - Going over the Docker Compose file we had downloaded
14:50 - Discover our XSS Attack worked, looking for LocalStack CVE's and discovering one in the dashboard
18:15 - Start of exploiting the XSS
20:00 - Creating a CSRF to force the victim to navigate to pages and send us the date, read his email to discover an S3 Domain
30:00 - Start of looking at creating an AWS Lambda application
33:20 - Using aws cli to create a lambda function
39:30 - Creating a malicious lambda, then using XSS to send the user to the LocalStack dashboard and trigger our code
44:30 - Reverse shell returned on the docker container. Use PSPY to identify what localstack does when invoking lambda functions and finding an 0day
49:30 - Testing out our 0day, creating a malicious lambda and injecting when localstack creates a docker to run the code
51:50 - Got root on the localstack container, abusing our ability to create docker containers to escalate to root on the host system

HackTheBox - Shibboleth

(YT)IppSec — Sun, 29 Mar 2026 08:35:21 GMT

00:00 - Intro
00:57 - Running NMAP
04:10 - The footer talks about BMC, explaining why I jumped to IPMI when reading this
05:30 - Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO
08:20 - Talking about IPMI
10:15 - Running Metasploit to dump the IPMI Hash and then crack it with hashcat
15:10 - Running IPMITool to explore the interface, there isn't anything really here
19:30 - Logging into Zabbix with the credentials and then fumbling around creating a malicious check
27:50 - Discovering what we were doing wrong, we didn't want to put quotes in the system.run command
29:25 - Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive
32:00 - Attempting to get into the Zabbix database, need to switch to the ipmi-svc user
34:57 - Showing a cool MySQL command \G to display results in a table form, useful when dumping a lot of columns
36:05 - Running LinPEAS
39:30 - No real exploit paths found, checking for exploits in the MYSQL Server and finding CVE-2021-27928 (WSREP)
41:10 - Performing the MySQL WSREP Exploit and getting root

HackTheBox - Hancliffe

(YT)IppSec — Sun, 29 Mar 2026 08:34:59 GMT

00:00 - Intro
01:00 - Start of nmap
02:25 - Identifying it is a windows box via ping and looking at its TTL, and running Gobuster with a lowercase wordlist since windows is not case sensitive.
04:30 - Looking at HashPass to see it just generates static passwords based upon Name/Website/Master Password
08:40 - Identifying a JSESSIONID cookie given when accessing /maintenance/ which enables a weird path traversal vuln [MasterRecon]
12:15 - Identifying the Nuxeo application and searching for the web vulnerability
15:55 - Testing for SSTI in an error message, normal SSTI doesn't work since it is java. Going to payloadallthethings to get a valid payload
19:40 - Testing an java EL SSTI Payload to get code execution. Don't get output but can validate we run code via ping
21:25 - Getting a reverse shell
24:25 - Looking at listening ports, running a powershell snippet to get process name and the port they listen on
29:15 - Looking for an exploit with Unified Remote. Using Chisel to forward the port it listens on to us.
33:30 - Going over the Unified Remote Exploit script, changing where it writes files to and using msfvenom to generate a malicious exe for us
37:00 - What i say here is wrong... I did not notice I got a shell back when writing to C:\Windows\Temp... lol.
39:09 - Converting the Unified Remote script to Python3 with some vim macro magic
42:10 - Running WinPEAS and discovering a Firefox credential
50:10 - Using HashPash with the creds WinPEAS displayed to get the development users password. Using chisel to forward WinRM to us and accessing the box as development
55:00 - Start of RE of the MyFirstApp Binary. Opening Ghidra
55:30 - Searching for Strings to find where Username: is in the program and looking at code around it to see how authentication works
1:00:40 - Looking at Encrypt1() and discovering it is just Rot47
1:04:30 - Looking at Encrypt2() and discovering it is just AtBash
1:12:45 - Logging into the application and discovering what is available to us after auth
1:16:10 - Discovering a buffer overflow in the code parameter, then opening it in x32dbg and seeing we overwrite EIP
1:22:55 - EIP Overwrote, looking at ESP we only have 10 bytes of space here. Talking about JMP Backwards to get to a spot where we have more space
1:25:00 - Start of pwntools script, using x32dbg to show us a JMP ESP
1:27:00 - Using msf-metasm_shell to generate shellcode for us
1:32:05 - Disabling DEP for our process on our windows box
1:35:10 - Showing we can use the JMP ESP, to execute our JMP -70 to get back to the start of our userinput. Its still not large enough for a revshell need to use Socket Reuse to increase buffer size
1:38:20 - Setting a breakpoint on a recv() call and looking at the stack.. We will have to mirror this.
1:42:40 - Getting the location of the Socket Handle which is ESP+0x48, then writing shell code to save that
1:45:50 - When trying to add 48, we get a null byte which is bad. Using an add/sub call to add 48 without null bytes
1:51:20 - Moving ESP to the other side of EIP so we don't have to worry about overwriting EIP and buffer overflowing the program again
1:55:30 - Getting 0 on the stack by just xor ebx, ebx - Then pushing the size of data we want
2:00:35 - Pointing the memory address recv saves data to within our junk data, as this is where the program returns to after the call
2:03:35 - Using Ghidra to get the memory address of the RECV() function, so we can call it
2:09:45 - Using MSFVenom to generate the shellcode for a reverse shell and testing out the exploit
2:13:50 - Showing by setting EXITFUNC=THREAD we don't kill the program when we exit our shell
2:15:50 - Updating our script to point at the hancliffe machine and getting our shell

HackTheBox - Static

(YT)IppSec — Sun, 29 Mar 2026 08:34:26 GMT

00:00 - Intro
01:05 - Start of nmap
02:50 - Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon]
04:20 - Corrupted GZIP, using zcat to view it and fixgz to repair
08:30 - Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV)
14:20 - Talking about things I would be monitoring for on Login Forms [Detection]
16:45 - Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later
20:15 - VPN Connection established, looking at routes. Adding additional routes that don't exist
28:30 - Going over the NMAP ran from the second VPN
30:40 - Fully understanding the weird behavior from /vpn earlier on. It is indeed a reverse proxy. [MasterRecon]
32:00 - Exploiting the fact that XDEBUG is enabled on info.php
41:40 - Running Chisel to create a pivot rhrough web to access mysql
42:10 - The Multiple VPN MTU Issue explained, demonstrating i can't send big packets because of chunking
48:00 - Finishing with setting up the chisel tunnel
51:45 - Switching up chisel to look at PKI.
53:34 - Running PHuiP-FPizdaM to exploit PHP-FPM/7.1
57:23 - Changing up our Chisel so we can send a reverse shell through the web box
1:01:45 - Looking at the ersatool source code to find a printf/format string vulnerability
1:04:15 - Verifying we have the format string vuln and some really basic talk about it
1:07:30 - Exploring the memory around our leaked address to defeat ASLR and edit the variable we want
1:10:30 - Start of a pwntools script to exploit format string
1:15:48 - Pwntools successful leak and calculating offset to the string we want to manipulate... cleaning up the script a little
1:19:05 - Explaining how we are going to write to an address and why the null byte is a small problem
1:27:15 - Overwriting the ERSA_DIR variable
1:33:55 - Tons of funny failing trying to verify this exploit worked
1:38:00 - Updating and explaining our chisel tunnel since we are proxying a lot of traffic bidirectionally through this web box
1:45:30 - Using cat to transfer a file over /dev/tcp, the trick is to base64 encode
1:50:50 - Using socat to have a binary (ersatool) listen on a TCP Port, so we can use pwntools to exploit it
1:52:45 - Updating pwntools to use a TCP Socket
1:55:50 - We can't execute out of /dev/shm, updating script to use /tmp
2:11:00 - Getting a reverse shell

PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis

(YT)IppSec — Sun, 29 Mar 2026 08:34:01 GMT

PowerSiem: https://github.com/IppSec/PowerSiem
Creating PowerSiem: https://www.twitch.tv/videos/1438252177
Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon Configuration File: https://github.com/Neo23x0/sysmon-config

00:00 - Intro
00:36 - Talking about PowerSIEM
01:40 - Installing Sysmon with Florian Roth's default config
03:30 - Showing what PowerSIEM does by running it and opening a command prompt, browser, etc
04:50 - Explaining the PowerSIEM Script, how it works, and all the current sysmon events
07:50 - Setting breakpoints in Powershell ISE
08:48 - Adding data to the Registry Set event
11:58 - Showing just running a SysInternals tool creates a registry key for accepting the EULA
13:45 - Running Impackets PSEXEC, to find out Defender stopps it. Running Sysinternals Version and showing defender allows it.
14:50 - Using PowerSIEM to show how the Sysinternals PSEXEC works.
15:50 - Disabling AV, Running impacket's version again to show how it differs
17:35 - Creating a Cobalt Strike Beacon and showing some alerts
18:25 - Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line
20:00 - Running a shell command in CobaltStrike and showing what it looks like in PowerSIEM
21:00 - Running Mimikatz and talking about its sacrificial process, pipes, and mimikatz accessing LSASS
24:05 - Showing not everything will be logged

HackTheBox - Developer

(YT)IppSec — Sun, 29 Mar 2026 08:33:40 GMT

00:00 - Intro
01:04 - Start of nmap
03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login
05:00 - Creating an account and looking at the page to discover CTF Challenges
06:15 - CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells
11:50 - Submitting a writeup, discovering an old version of Firefox talks to us
14:00 - Checking for Tab Nabbing vulnerability and explaining it
17:30 - Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials
29:30 - Phishing worked, got the admin's password. Login to Django to see another website (Sentry)
33:00 - Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie
36:10 - Grabbing a django deserialization payload then installing django on python2 to use the payload
40:15 - Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell
41:30 - Setting up the reverse shell in a way that works with ZSH, just need to do stty raw -echo; fg on one line
46:13 - Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl's password
52:25 - Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. Copy it back to our box
56:55 - Examing the binary in Ghidra
58:55 - Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are
1:01:22 - Showing that AES-CTR does not have defined block sizes
1:05:00 - Using GDB to help our analysis, showing how to setup break points around what our decompiler shows
1:10:36 - Examining memory to confirm our static analysis was correct
1:11:15 - Grabbing the encrypted blob the program is comparing against to get the password and getting root
1:15:40 - CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string
1:21:20 - CHALLENGE 3: Get Lucky, a small binary that rolls a dice. We exploit it mainly in GDB but after recording, probably could have done LD_PRELOAD, im not sure
1:34:50 - CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding
1:37:10 - CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory
1:44:40 - CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password
1:49:30 - CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key
1:53:29 - CHALLENGE 8: Triple Wamy, another XOR Challenge where we have to just do the XOR's backwards to get the flag

HackTheBox - Previse

(YT)IppSec — Sun, 29 Mar 2026 08:33:17 GMT

00:00 - Intro
01:00 - Start of nmap
02:00 - Running GoBuster, discovering the redirects have filesizes
03:00 - Showing the Execute After Read vulnerability (EAR) by using BurpSuite to hit / and discovering the page
04:00 - Using grep to show us only what we want (oP)
06:30 - Using BurpSuite to intercept the response to the request so we can disable the redirect (EAR). Then using the webform to create an account (IDOR)
08:00 - Examining the website source, using grep to look for places with user input
11:30 - Testing the logs.php page for shell injection, then getting a reverse shell
13:30 - Going into the webconfig to get database creds, then dump and crack creds
19:50 - Testing local users with the passwords from the database to get m4lwhere's creds
20:25 - Checking sudo to see something is weird, the env_reset/secure_path is not there. (this is configured in /etc/sudoers)
22:10 - Explaining Path Injection, then taking advantage of a script in sudo not using absolute paths
25:30 - Going back to explain things, weird behavior of the webserver always hanging. Maybe it was trying to send me a webshell? idk
28:00 - Fuzzing parameters of accounts.php to create accounts. But first discovering how important the Content-Type header is!
30:50 - Using WFUZZ to fuzz the confirmation parameter
35:20 - Explaining how the EAR Vulnerability happened in the code and how to fix it