HackTheBox - Absolute

00:00 - Intro 01:00 - Start of nmap discovering Active Directory (AD) 04:15 - Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata 06:45 - Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones 13:55 - Building Kerbrute from source to get the latest feature of auto ASREP Roasting 16:20 - Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash 21:30 - Running Bloodhound with D.Klay, using Kerberos authentication 24:50 - Going over the bloodhound data and finding some attack paths 31:13 - Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description 34:45 - EDIT: Don't want to use Blodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file 40:30 - End of edit: Using SMBClient with SVC_SMB and Kerberos to download files 46:22 - Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows 53:45 - Running test.exe and getting m.lovegod's password from LDAP 56:30 - Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user 57:30 - Pulling a version of Impacket that has DACLEDIT and building it 1:01:00 - Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him 1:08:20 - Running Certipy to add shadow credentials to winrm_user so we can login 1:12:00 - Using WinRM to login to the box with our shadow credential 1:15:30 - Start of fumbling around with KRBRelay to privesc 1:18:40 - Using RunasCS to change our LoginType which may allow us to run KRBRelay 1:27:40 - Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group