HacktheBox - Giddy

Home Blog


Hey all,

Thought I would do another write up for one of the boxes that recently retired. This was a really good Windows box to learn from. There were many ways to get a reverse shell (I found 2). Whats interesting about this machine is that there is Windows Defender which blocks executables.

The first intial foothold was a tricky one. I was able to inject sql commands from everywhere. Further to this, I was able to obtain the password by dumping NTLM hashes through the use of xp_dirtree vulnerability. I had to firstly set up a fake smb share by using an impacket module, then used the xp_dirtree to connect to the share, thus dumping the hashes.

There are many ways to evade Windows Defender, I chose a metasploit module. The Priv Esc was the method of starting and stopping a service called unifivideoservice. There is an application called taskkill.exe within unifivideo which kills the task of starting and stopping the service.

Firstly, I could see that I was able to write in the directory with the tool icacls. This is where I uploaded an executable which was able evaded Windows Defender. You could use things like Phantom Evasion as well which is in the link below.. I hope you guys like the video (No sound and I blazed right through it)

Enjoy!

Phantom Evasion:
https://github.com/oddcod3/Phantom-Evasion/tree/master/Modules

Click here to view my walkthrough