HackTheBox - Absolute

Name: HackTheBox - Absolute
Uploaded: 2023-05-27T15:00:29Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap discovering Active Directory (AD) 04:15 - Using wget to mirror the website, then a find command with exec to run exi...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Intro 01:00 - Start of nmap discovering Active Directory (AD) 04:15 - Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata 06:45 - Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones 13:55 - Building Kerbrute from source to get the latest feature of auto ASREP Roasting 16:20 - Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash 21:30 - Running Bloodhound with D.Klay, using Kerberos authentication 24:50 - Going over the bloodhound…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Intro

1:00 Start of nmap discovering Active Directory (AD)

4:15 Using wget to mirror the website, then a find command with exec to run exiftoo

6:45 Using Username Anarchy to build a wordlist of users from our dump and then Ker

13:55 Building Kerbrute from source to get the latest feature of auto ASREP Roasting

16:20 Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 o

21:30 Running Bloodhound with D.Klay, using Kerberos authentication

24:50 Going over the bloodhound data and finding some attack paths

31:13 Manually parsing the Bloodhound with JQ to show descriptions for all users and

34:45 EDIT: Don't want to use Blodhound? Showing LdapSearch with Kerberos, and why t

40:30 End of edit: Using SMBClient with SVC_SMB and Kerberos to download files

46:22 Sharing my internet connection from Linux to Windows, so I can run test.exe on

53:45 Running test.exe and getting m.lovegod's password from LDAP

56:30 Going back to Bloodhound, and now we can perform the attack of adding a member

57:30 Pulling a version of Impacket that has DACLEDIT and building it

1:01:00 Running DaclEdit to give m.lovegod permission to add users to a group and then

1:08:20 Running Certipy to add shadow credentials to winrm_user so we can login

1:12:00 Using WinRM to login to the box with our shadow credential

1:15:30 Start of fumbling around with KRBRelay to privesc

1:18:40 Using RunasCS to change our LoginType which may allow us to run KRBRelay

1:27:40 Pulling the CLSID of TrustedInstaller which works and allows us to add ourselv

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →