HackTheBox - Arctic - Walkthrough

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] hey guys hackersploit here back again with another video and welcome back to the ctf series in this video we're going to be taking a look at arctic on hack the box that was the next recommended box that you guys actually told me to view and i apologize for the delay uh in the hack the box series i know this video is supposed to go out on friday uh and this uh the the delay was because a lot of you actually mentioned this in the previous four videos on the channel where my keyboard and my uh my keyboard strokes and the video were not in sync or the audio and the video is not in sync and it took me a while to realize this especially when editing the videos and of course i had realized it and tried to correct it as much as possible but it usually did not correct even after editing uh and the reason was because my microphone had somehow uh really messed up in terms of it its latency and so i had to actually get a new microphone so what you're actually listening to me on right now is a new microphone so do let me know how this one actually sounds is a much better microphone and the audio and the video should be in complete sync without any delay so do let me know what you guys think of the new quality on the channel so without any further ado let's get started so as i mentioned we're going to be going through arctic on hack the box and i've just completed it a few minutes ago it took me about i would say about 35 minutes to 40 minutes to go through and it is a very good box and it explains a lot of things that are quite important and some of the important aspects of of post exploitation uh of course the exploitation like file transfers uh using uh or actually migrating processes on on a metasploit uh and using uh explore the exploit suggester and of course privilege escalation so uh quite a a few interesting things here but uh nothing that we haven't touched upon of course there are going to be a few things that i've never looked at on the channel but without any further ado let's get started so i already have uh the nmap scan uh saved on into my hack the box directory and the arctic so i have it if i can just list the files here you can see we have it under nmapscan.txt so i'm just going to cut it and let's see the results all right so you can go ahead and look at my scan arguments right over here so we have you know banner grabbing default scripts advanced scan and operating system detection and i out output it uh into a normal into a normal file uh and you can see right over here under txt file so we we can have a look at the services that are currently running so we have a microsoft rpc port running on port 135 which is pretty standard uh we have a port 8500 open and is telling us that the service is fmtp which i was unfamiliar with but after some research it is quite an interesting uh port or service and i'll explain probably in another video what it does and there is a sort of a mystery with this box i'll explain in a second and we have another microsoft rpc uh so we have the microsoft rpc service running on port four nine one five uh four nine one five four and uh pretty much we if we go take a look at the operating system detection we get everything from you know windows phone all the way to windows server 2008 service pack 2 or r2 service pack 1 which is pretty much what it is it is running windows so this is another windows operating system all right so what really caught my attention was obviously uh the port 8500 and of course i tried to access it and the first thing i tried to do is try to access it as a web server so let me just do that right now so 10.10.10.11 and we're running it on port 85 so i hit enter and i was pretty much getting nothing so i i thought that you know what what exactly is going on here because it seemed to be loading forever and i simply minimized it and started to look at the other ports when i when actually came back i did find a web server running on it that contained cold fusion now the other way that i could have done this of course which i should have uh i should have done before was run you know curl or simply check what's running on on this service so if you take a look right over here uh it gives us a directory of files here so we have as the cfide which is the core fusion directory uh we then have cf docs and the user files so we can go ahead and take a look at user files which is what i did and also run a derb scan but it didn't didn't give me anything that i couldn't find right over here all right so we'll just wait for that to load and this is the other thing the other interesting thing about this uh particular box is the fact that uh it actually has a delay in its loading and i'm i'm pretty sure this has something to do with the fmtp protocol of course as i mentioned i am going to be performing a lot of research on that protocol but do let me know for those of you have actually solved this box whether it is the port that's causing the delay or the timeout uh essentially when loading the cycles it does look like it has a timed period of or a set period of time in which it essentially is loading and then gives you the results now for some reason right over here uh we have a file that's running and i'm not sure i think i should have reset the machine but i don't think it should interfere with uh with our penetration test so what i'm going to do is i'm just going to go back into the standard directory so we're going to wait for that to load now of course i did run a few other scanners on it so i run my you know my derb or dub buster whatever is comfortable with you uh i did try and use um dot dot dot phone for the directory traversal but i didn't find anything which is really interesting because later in the video i am going to find a directory traversal a vulnerability so let's just go back and see if this is loaded so we're going to go into the cf ide directory right over here let me just zoom in so you guys can see what i'm talking about apologies if you couldn't before and cf ide is simply called fusion now when exploiting cold fusion it's very important to know the version uh the version number so if you know you have cold fusion uh you have cold vision eight called fusion nine etc and right over here we we have all the cold fusion files and you can go and take a look at these scripts and i simply inspected it and once i clicked on administrator it takes you to the administrator panel which is very interesting and that means that we can potentially exploit it so the next thing i did was crack open search split so let me just open up my terminal here let's clear this up search split and we have cold fusion cool fusion 8 right over here and immediately we get a few good or really good looking exploits so we have directory traversal which is with metasploits so we'll check we'll take a look at that right now uh we then have the arbitrary file upload which i believe is for the version 2018 uh for the other versions which is server 8.0.1 cross-site scripting and these are pretty much all cross-site scripting vulnerability so the one that i took a a look at was the directory traversal which did not work and as i said as i mentioned i'll get to that in a second uh and then we have the arbitrary file upload uh execution which again did not work for me those were my my first uh sort of uh instincts to go with the arbitrary file upload execution but of course i did not have much information in regards to the exact version that's running over here uh so we can pretty pretty much see that the username is stuck to admin which means we have to find the password so i'm not too sure about the exact version of code fusion eight so uh my my other choice then was to run search plate uh but omitting uh or omitting the uh the version number which is search exploit dates uh so we just called fusion eight sorry so called uh so called fusion right over here and we can see that we now have very interesting exploits here so we have cold fusion cross-site scripting directory traversal which i ran first so let me just copy this exploit right over here so i'm just going to say cp uh user share exploit exploit db and we're going to then paste in the directory of the exploit itself and we'll copy to my current directory which is on my on my desktop here and it's under a hack the box and arctic all right so i'm going to save the exploit right over here and now let me inspect it with nano it is a python exploit so i'm just going to hit enter and immediately tells me that uh we can get the working get request courtesy of carnal right so go to c2 kernel orange really and this right over here will essentially give us the password properties right over here so what i did is i simply copied it or actually you just simply need to copy this right over here the administrator link is over here so we are essentially using this uh property which is really weird because after running dot dot pawn i really didn't get anything which that would have hinted to a potential directory to traversal vulnerability but in any case what i did is i simply pasted it in right over here and i hit enter and of course there is going to be a sort of a delay uh with the the the requests and the responses so we're just going to wait for that to run out i think it's probably about i would say about eight to ten seconds although i haven't timed it so i'm gonna try and time it right now in fact so let me just get out my stopwatch and once we reload the page i'll start it off again all right so we can see that this directory traversal vulnerability does give us the password properties and they are encrypted because it does give us this little flag right over here so it gives us the password uh and the uh the encrypted equals true flag right over here so this password right over here is encrypted and we need to decrypt it and of course it belongs to the administrator so we're going to copy that right over here and we're going to bring out our very handy hash identifier so hash identifier and we're going to paste this right in here i'm going to hit enter and we can see that the possible hashes are we have a sha1 which is pretty much what it is and it could be a mysql5 sha-1 with the password so salted so we're just going to open up a website and we're going to say uh we're just going to say decode sha1 or unencrypt sha-1 whatever you want to use there we are reverse decryption so we're just going to open up this website here really doesn't matter what website you use you can also use crackstation.net so let's see if this site actually does give us our results uh well we want to decrypt uh so this is the hash string here is this sha1 i'm not sure let me just decode this so it's going to check and it's going to give us the password for the administrator so we have to click the pictures of the cats here which this is a really really i think that's a dog this is a really really poor capture that looks like a cat i'm just going to give it a check uh hopefully it decrypts us for us uh so it's still checking here and nothing to hash well that's over there so i'm pretty sure this site is not gonna give us what we're looking for but it's still checking which is really weird uh so i'm just gonna go back to google and that's uh that is really annoying when something like that happens so i'm just going to open up one right over here so uh we're going to decrypt this and sorry this is not in our hash database so uh let's go back here um and we're going to say sha 1 decrypt pretty sure i actually did this uh sorry if you are one uh decrypt and we're just going to get one of these sites to run here md5 hashing hash killer i'm not too sure which is the correct one let me just use xiao one decrypter right over here or actually i can actually use john so let me just paste in the hash here actually don't remember what site i even used to decode i think i use john if i'm not wrong so sha so seven one x y x all right and i'm gonna submit that captcha and again we're gonna be prompted to enter our captcha which is really annoying at this point uh knmp i'm going to submit and there we are we get the the result which is telling us that the password is happy day excellent so i'm glad that works so we don't waste any more time so what i'm going to do is i'm just going to reload the administrator right over here and we're going to try and log in so we'll give that a second the password is happy day which is quite simple actually quite a relief uh relieved when i actually saw that fact that we don't we don't really have to wait for that uh to be cracked so this is a very very cool site uh this is the only site that managed to decrypt it so i'll keep that in mind all right so the password is happy day and we're just gonna log in now and it looks like it does a hash the password after you enter it and it gives us the sha one right over here which is really weird so let's see if this does actually go through or when what actually thought before is through my previous experiences with cold fusion is that i have to actually go and modify uh the post uh the the the post from burp suite we have to actually change it into the password to change it back into the hashed format which is really weird in any case i think this should work let's give that a few seconds and of course i'm going to time it and yep that is coming to about 10 seconds so there we are it takes us into the administration panel for cool fusion now this server seems to be quite slow right now uh when i had done it first it was actually quite fast but uh looks to be quite slow so let me just close that right over here so we're just going to wait for the administration panel to open so there we are we get the administration panel and with coldfusion the best way now is of course we have administration administrator access into this server that means we can pretty much muck around or play around with files and with core fusion when it comes down to exploitation we can pretty much uh get uh scheduled tasks to be executed which you can see right over here and from my experience with cold fusion well actually did right uh it executes it can execute php files or jsp files so that means we would have to create uh a jsp payload with msf phenom all right and uh so if we just create click on schedule a new task essentially you can see schedule tasks can create a static web page from dynamic data sources so that means you can actually get files from a web server which we're going to set up right now and once we've actually set up our web server we can then uh we can then have our payload on it and we can then use it to grab it and uh then we have the schedule task right over here so i'm going to call the task we'll just call it shell all right and uh the frequency i wanted to run one time i don't want to it to keep on running which is going to interrupt with things um so what i'm going to do is let me just exit out of hash identify and clear this out so i'm going to service uh start apache 2 let me start my web server whoops service apache 2 start apologies for that uh start like so so i'm going to start my apache 2 web server and now we have to generate the jsp reverse shell so we can do that with msf venom now i think i do have my previous files inside the web server so var www and html let me just see if i have the previous files yes i do so i'm just going to get rid of them so i'm going to say remove or actually let me let me change my directory in in that but uh in any case i'm just going to remove i'm just going to remove uh we'll go to var www and html right over here we're going to remove the interpreter.exe and the shell.jsp so i'm going to generate those one more time so shell.jsp and there we are so uh what i'm going to do now is i'm going to use msf venom to generate the jsp or the java reverse shell which is via tcp so msf venom the payload is java and then we're using the jsp which is reverse jsp reverse or actually gsp reverse or jsp shell reverse tcp yes that's what it is and then we have our lhost which is going to be ton 0 if i can just split this right now config that's going to be my ip so yes there we are 10.10.14.27 so i'm going to close this up right over here so this is pretty much standard for you guys if you have if you've ever used msf venom it's really very simple so we're going to set our l port here and i'm going to sell my i'm going to set my outpour to 444 and the format is going to be raw format and we're going to save this into our web directory and our web server sorry so far uh www.html and we're going to save it as shell.jsp and i'm going to hit enter all right so we're going to wait for this to generate our jsp shell for us and we're going to confirm that it is in our web server so give that a few seconds to generate the shell uh let's see if i got anything wrong in terms of the syntax uh yeah there we are it it worked successfully so ls uh and we'll list the files in the the www and the html there we are shell.jsp all right so i've started the apache server so let's actually test if it does work um then it actually copy the our tunnel zero ip right over here there we are uh shell.jsp actually just opened the web server like so there we are so it does work so shell.jsp excellent so now we can get started so i'm just gonna get the shell.jsp file opened up here and it will not execute on our server because of course it's not running code fusion so i'm going to copy the url now this is the static url so there we are and i'll get rid of that previous http right over here uh no username or password nothing required there the proxy server nothing much and we want to then save it to the uh the cold fusion directory which is uh as follows so if this is your first time we can see it i have it right over here so cold fusion uh fusion which is under the wwe route which is running windows so cold fusion 8 right over here and www root like so and we have the cf ide so cf ide and we're going to save it as the shell.jsp and then once we go to the shell.jsp directory under this the corefusion uh directory then we will be able to execute it so we want to save our output into a file and it's going to save it as shell.jsp which means we'll be able to execute it all right so we pretty much should be good to get started here so i'm going to hit submit and i'm going to set up a listener now with netcat so i'm going to clear this up so netcat four four four nvlp4444 that is the uh that is the port we had set and we're going to wait for this to complete so uh don't worry if it does give you this issue with loading as i mentioned there is a sort of a delay with the server and i think that was there to actually throw people off so we're just going to wait for this to be completed and we'll give that a few seconds here it shouldn't take too much time then once that started we then have to run the task and then once it's run we should be able to execute the shell.jsp file so there we are so we can now uh run the schedule task again that's going to take quite a while and over here we can say 10.10.10.11. uh 8500 and we're looking for the shell actually the cfid directory which is what it was under before if this was correctly configured they would have simply put it in the root uh the root directory of the server where you can see it's uh it's uh incorrectly uh configured so we're gonna say shell shell.jsp so we're going to wait for this to be executed and there we are the scheduled task was completed successfully and we're going to run this right over here and if it was successful we should get a reverse shell here giving us windows should be it should give us a windows prompt right over here so or a windows shell whatever you want to call it so i'm going to wait for that site to complete loading and we'll see if we do get a reverse shell over here so uh there we are it executed correctly and there we are welcome to windows so looks like we are in the box and uh this is not a meterpreter so that means we are stripped of all functionality and we simply have a reverse shell similar to the one we created in the c programming series where we actually took take a look at took a look at how to create our own reverse shell with c uh all right so let me just get rid of that right over here and uh if we just list the files we can see that we are in the in the root directory uh so if i yeah well well actually the first thing i want to do is or to show you is who am i uh it doesn't give us any information which is really weird now uh we are currently on in inside the directory so if we go back here and we just check where we are we can see that we are in one of the web directories here that has core fusion so yes we are in the core fusion directory all right now the interesting thing about this is if we just check the users over here we can get the user's flag right now all right so cd users we do not have administrator access which was really weird for me uh because i thought we would be able to do it one time through here but getting a meterpreter shell was really important for me so you can see that we have the administrator and the user called tolis which is i guess the user for this box uh called arctic so we're going to change our directory into tolus uh and uh we if we see we can we have the files right over here in desktop so in our desktop that is pretty much where the box has the flags so there we are we have the user.txt flag all right so yeah we've already got that nothing much to get excited about now who am i for yeah there we are we get the information so we are we are running arctic and dolly so uh at this point i was actually now a bit concerned as to how we are actually going to go about exploiting this and uh of course i need to get some more information about the server so uh it led me to to now getting an interpreter onto this system so the first thing i did was i wanted to check what utilities it had installed of course every windows operating system comes with powershell the other easy way of getting files onto onto your computer from one you know or transferring files you know from your operating system onto your target is by ftp and i'm talking of this from windows of course on linux it's much simpler you know you have curl you have wget and it's so much simpler on the next spot with windows yeah the utilities are very limited of course given the fact that this is running windows server 2008 i doubt ftp was installed but it was and it is non-interactive which means it pretty much breaks the functionality of the reverse shell so i'm going to have to run that one more time so we're going to reload the shell here all right so just give that a few seconds again to give us the shell back again and at this point i pretty much had to use powershell and some partial syntax to actually download the file using the net web client uh function or the the network client function for those of you who have used powershell you know how to use it so it's very easy to transfer the file so now at this point we want to generate an interpreter we want to send a material to this computer so that we can get a reverse uh reversal multiplier you know so we can we can go ahead with the post exploitation so that's what i'm going to do now so i'm going to generate a reverse shell here on my temperature windows reverse shell so again we're going to use msf phantom for this so let me just clear that out so msf venom the payload is windows and we're looking for the meterpreter so meter windows interpreter and we're looking for the reverse tcp and we're gonna then set uh our l host which is let me just get it right now i keep on forgetting what my uh my ton my tunnel ip is sorry if config i have config and we'll just get it there one more time and i'll close this right over here all right so that's our l host i'm gonna set the l port to uh i'll set it to triple 4 so that we don't mix it up with this shell because we will need it to execute the interpreter the interpreter.exe file all right so that's the l port um now i'm going to save this as uh an exe and we're gonna output it into our into our uh web server so we're gonna use powershell again on the target to actually var uh to actually transfer the file from our web server onto the target so uh html and we're going to save this as met.exe i'm going to hit enter and we're going to wait for that payload to be generated with msf venom all right so we're going to give that a few seconds right over here and we'll wait for it like so and there we are no platform was selected that's true uh we actually should have selected it but i'll show you how to do this uh it's a very it's a very important uh thing to learn uh actually changing the architecture of your of your interpreter from 32-bit to 64-bit i'll i'll show you how to do that right now in that case we already have the meterpreter.exe file generated and stored in our web server which is excellent now we need to use powershell right over here to actually get the file onto our target so we'll do it in our current in our current working directory which has some very interesting files we have a jran we have jrun svc we have migrate.exe which is really weird i tried running it so oops sorry let me just open this up so i tried running migrate.exe uh and it runs but it tells us to specify the directory of jron which means we need we need to run jrun all right now we talk about copying files over with powershell it really is very simple and i've promised many times to make the video i just can't seem to find the time but in any case this is scheduled for the next set of releases this this week so that'll be a very interesting video all right so when you're transferring files with powershell you essentially need to create a new object assign the uh you need to call the system.net web client function and then from that you can then you have a vast functionality like the download file functionality that allows you to select a web server uh and and the file that you want to download obviously and you can then save this you can then save it as a file all right so we're going to say new object new object and we're going to call the system dot net dot web client dot web client and uh we are going to close this and we're going to call the download file function uh download file and in here is where we specify the url so http where we have the url right over here and we know that the file is called meterpreter.exe and we will be saving this file as [Applause] meterpreter.exe and we'll close this and we will close that with our double quotation marks let me just check the syntax one more time so we've created a new object assigned the function uh system.net or web client yes and we're using the download file function then we specify the url and we're going to save it as the interpreter.exe so i'm going to enter and uh powershell well actually should have specified that with the fact that we're using exe so let me actually do that one more time now that's the other interesting thing when running so let's see if this did give us the interpreter so there we are fantastic that was actually weird with previous windows xp boxes that i've done uh you have to actually specify powershell.exe to actually get it to run which was very interesting so we did get the meterpreter.exe file right over here so what we're gonna do now is i am going to uh open up metasploit and we're going to use the uh the exploit multi handler so clear that out msf console all right and we'll wait for this to open up the metaplay console and of course we're going to run the temperature when we're ready right over here so the port i remember was triple 4 if i'm not wrong let me just keep that in mind so i don't forget it because that can cause really uh quite a bit of issues so we're going to use the exploit sorry that is exploit exploit multi exploit multihandler show options we need to set the payload itself set payload windows which we know is the windows reverse material reverse tcp windows uh meter printer and reverse tcp um that is the that is the payload that we used so we're going to show the options now uh we need to set the l host here let me just resize this so we can see what's going on all right there we are set uh lhost uh and that is the ip that we copied or our ip that act the box assigned to us for tunneling or you know the the turn zero whatever you want to call the interface uh we're going to set l port here l port and port l port is going to be triple four and uh we are going to hit run and it's gonna it's gonna listen off connections we're gonna run the meterpreter.exe file here interpreter.exe i'm gonna run that and there we are we get here we see that it is sending the stage and we should get in the temperature session right now all right so we're just going to wait for this to complete running and voila we get the interpreter session which is excellent so uh so the first thing i really like running is cis info getting a bit of a an idea of what's going on with the box we're trying to attack so the computer name is arctic we knew that it's running windows 2008 windows server 2008 build 7600 uh and we have the architecture of the box remember it's very different uh the the architecture of the box and the interpreter architecture is very different we then have the system language which is english i don't know is that english and greek i'm not too sure hack the box locked on users is one so i think i'm the only one right now but in any case so at this point uh you know you can try all of your you know your rookie commands so you can say get system i believe is one of the oops sorry that is one of the comments that people actually like running so all of them failed which these exploits really just work are to some extent on windows xp boxes so for those of you actually targeting windows xp quite a lot those ones might work at this point what i want to do is i really need to migrate uh this right away into a 64-bit interpreter session so to do that i'll check the current running processes and you'll see something very interesting especially when i did this is uh for us to actually find one you need to look at the architecture so you have your process id the name uh the architecture then the session of course which is really not important right now and the user so we're looking for 64-bit architecture and it looks like these files were the ones that we had right over here so we have we have the uh the jron and the jrun svc so let us try and migrate to the jruan.exe right over here and let's see if we can do it so we need the process id so the process id is 4j run is going to be is that the one is that the one yeah one one six eight so to migrate we simply say migrate uh and we're going to provide uh sorry actually forgot what it is uh apologies for that guys one one six eight so we're gonna provide the process id one one six eight let me just confirm that's correct and we're gonna hit enter so it's gonna migrate your process from 788 which is from 32-bit to a 64-bit uh session so give that a few seconds and there we are so sysinfo and we should be able to see yes we have a 64-bit uh 64-bit interpreter session running excellent at this point i like to now whip out my uh my exploit suggester which requires a 64-bit uh interpreter session so i'm gonna just move this to the background move this thread to the background it's gonna uh if we just open up the chest the sessions menu here we can see this is under session one which is excellent so it's very important to know the id if you have multiple sessions open so we're gonna search for the uh the suggester which is pretty much only one for windows so this is the multi recon local exploit suggester so we're gonna copy that and use it so i'm just going to hit use and we'll specify that right over here show the options and uh we need to set the session that's pretty much the only property we need to set so we're going to say set session here to session one and we're gonna hit run and we're gonna wait and see what exploits we can run all right so uh by the way you can also search for the exact build of the of the windows of windows of the windows server which is right over here and you can actually search that on the database that i created i'll be posting the image in the description section of the video i have this image that i compiled that contains all the versions of windows and the appropriate exploits that work with the appropriate uh post exploitation or privilege escalation exploits are in a github repository uh so i hope that that is helpful for you all right so we're just gonna wait for this to complete now in the meantime uh well actually we really don't have much to do we have one session running that's under port four four four four this one is running under port triple four so we'll wait for this uh to actually complete collecting the local exploits and of course this is really about trial and error and uh the resource that i have actually did help me because i was able to get the exploit that i was looking for uh or you know the privilege escalation exploit that i was looking for really really easily so um we're just going to wait for this to complete for some reason it's taking quite a while so let's just wait for this to complete in the meantime yeah there we are 10 exploits are being tried and we have all of them right over here all right so we have three exploits that we can try we have the uh ms 1092 shell evator which is the one that does work i did try the others just to see if they did work but these really don't work they require specific services to be installed during the windows server uh installation or configuration so this is the only one that worked here so we're just going to copy it right over here and of course we're going to say use and provide the exploit name right over here let us just clear the all the data that we have now uh so if i just check the sessions that we have uh yes all right so that is session one sorry just keep on forgetting that for some reason all right so now if we just show the options here uh we need to set this session so set uh session to session one oops sorry that is incorrect syntax apologies for that guys we just can wait for this to return the error all right so set session uh set session one all right and now we need to set the payload so payload uh we're going to say windows interpreter windows meterpreter reverse tcp and that should be enough for us and we say show the options here uh oh my god i did that once again i actually have forgotten my ifconfig command here so show options all right so we need to set our host and airport so i'll set a different port this time so we're going to set l host and run the ifconfig command here we get the tunnel 0 there we are let me just clear that one more time so uh show options and we're gonna say set l host um so set l host and we're gonna provide the value right over here set l port we don't to use uh the four four four four because we already have one connected on that port we're just gonna set it to one two 3 4 and i'm just going to run all right so the exploit should run now so it's going to prepare the payload creating that it's going to create the task and we have elevator running now enabling the task looks like it's there looks like it's running and we do get our interpreter session so cis info and whoops uh well actually it does should be able to give us the information that there we are arctic and it is a it is well it is telling us that it is gone back to a 32-bit version but in any case you can go ahead and look at your directory right now here so let us just change back uh into we can actually get the root uh the root flag right now uh something well i actually i don't know what there we are so we were inside one of we i don't think we are inside the windows uh yeah we are inside the windows directory so i'm just gonna go step back here we're going to list the directories in here we're looking for it looks like we're still inside here so um yeah we should be able to go into users now cd users and directory and administrator we should be able to autocomplete fantastic we can list the files in the administrator and we'll change our file into the desktop here and we should be able to get the root.txt so there you are we can actually just list it uh well should i list it uh yeah i'm pretty sure i can anyway root.txt and there you are so that's pretty much how to uh how to exploit or pawn uh arctic on hack the box it was a very very good machine i like it uh because the flow was very uh it was very intuitive uh which is sometimes very good thing because it reinforces your methodology uh and it really uh the the most important bit for me that i really need to teach on the channel now is post exploitation where essentially transferring files to and from different systems uh and getting them to run but if you want me to cover anything that you saw in this video that you don't know let me know in the comment section uh and let me let me know what you guys think about the new microphone whether you want me to improve anything else in regards to the video on audio quality i am open to any suggestions or feedback uh and yeah that's pretty much going to be it for this video guys thank you so much for watching if you have any questions or suggestions let me know in the comment section on my social networks on my website and i'll be seeing you in the next video peace guys [Music] you

Info

Channel: HackerSploit

Views: 21,230

Rating: undefined out of 5

Keywords: hackersploit, hackthebox jerry, hackthebox access, hackthebox invite, hackthebox active, hackthebox sunday, hackthebox waldo, hackthebox curling, hackthebox invite code tutorial, hackthebox hawk, hackthebox lame, hackthebox, hackthebox walkthrough github, lame hackthebox walkthrough, poison hackthebox walkthrough, jerry hackthebox walkthrough, hackthebox challenges walkthrough, hacking, kali linux, hacker exploit, hack the box, htb, hackthebox arctic

Id: EIPalRovo48

Channel Id: undefined

Length: 38min 25sec (2305 seconds)

Published: Sun Jan 13 2019