Like most people, when I receive an email with a link, I do a quick check to see if the url is legit.  I'll carefully read it, then I will mouse over it to make sure that the text and the url match.  I've seen that trick a few times and I've also seen a trick where there was what appeared to be an attached Word document but instead it was an image for a URL.  That was definitely clever.  I haven't seen that one too many times but I can see a user repeatedly clicking on it -- wondering why Word wasn't opening.

But let's say we get a link to an image.  I probably get at least one of these per day where a friend sends me to some meme or something of interest.  http:// blah blah blah / funnymeme.gif

I think at some point, I started this box but didn't finish it.  That's been known to happen -- I only allot so much time to this kind of thing.  As I wrapped up the box from yesterday, I saw this one, took a quick look and down the rabbit hole I went.  This box is interesting because I don't have a huge amount of experience with Node and I did a little bit of extra hunting.  Perhaps if I were more familiar with Node, I would have honed in on one piece sooner than later.

Anyway, I don't want to spoil anything so let's get rolling.  We kick off with Nmap:

Hashcat is one of those tools where I feel like I'm just scratching at the surface with respect to all of its capabilities.  Normally, I'm attempting to crack hashes with a wordlist to prove the strength of a password.  Or I'm playing some CTF where I need to retrieve a password.  In each case, I'm not brute forcing a password, I'm providing a wordlist which makes the process light years faster.  That being said, there are times when I've wanted to use a brute force attack but have shied away when confronted with reading the manual.  RTFM!

Dare I say this box was easy?  Maybe not for everyone, of course, but I will say this could be the quickest HtB box I've ever rooted.  There's a little bit of hunting and a little be of creativity required.  Aside from that, take a look at what's in your hand and do some Googling, you can figure this one out quickly.

We kick off with Nmap:

BambooInvoice 1.0.4 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.

I'm not even sure how I ended up down this rabbit hole but I strayed off the path for a talk that I'm giving next month.  I'm trying to show how to leverage PowerShell into doing the many things we do with various tools.  To some degree, you don't really need those tools. 

So this doesn't pluck the credentials out of memory or from the file system, we're going the old fashioned way -- we're tricking the user.  Imagine this -- a user is trying to work and Windows continues to prompt them for their credentials.  Will they ignore it?  No, they will enter their credentials. 

If you're on the local machine performing this trick, you don't need to specify domain\username.  However, if you end up on this machine through other means -- say Responder, you'll want to use the domain\username because it will throw an error prior to spawning the credential prompt.  Maybe that's not a bad thing but I'd rather do without it.