Hack The Box - Flight

00:00 - Introduction 01:00 - Start of Nmap 03:00 - Playing with the web page, but everything is static doing a VHOST Bruteforce to discover school.flight.htb 07:10 - Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code 09:20 - Since this is a Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it 13:30 - Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users 18:30 - Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password 20:20 - Checking the shares with S.Moon and discovering we can write to the Shared Directory 21:30 - Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini 26:18 - C.Bum can write to Web, dropping a reverse shell 29:30 - Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to 32:40 - Using RunasCS.EXE to switch users to cbum 37:30 - Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool 48:00 - Reverse shell returned as DefaultAppPool, showing it is a System Account 50:05 - Uploading Rubeus and stealing the kerberos ticket of the system account, which because this is a DC we can DCSync 52:50 - Running DCSync