HackTheBox - Access

Name: HackTheBox - Access
Uploaded: 2019-03-02T15:00:05Z
Channel: IppSec
Description: 00:58 - Begin of recon: ftp, telnet, IIS 7.5 03:00 - Downloading all files off an FTP Server with WGET 05:30 - Examining the "Access Control.zip" file. ...

IppSec · Intermediate ·📊 Data Analytics & Business Intelligence ·7y ago

00:58 - Begin of recon: ftp, telnet, IIS 7.5 03:00 - Downloading all files off an FTP Server with WGET 05:30 - Examining the "Access Control.zip" file. 06:30 - Cracking a zip file with John 07:45 - Creating a wordlist for cracking the zip (strings of the mdb file) 10:00 - Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables) 12:30 - Grabbing the same password we cracked by checking the auth_user table 13:35 - Converting the PST File (Outlook Email) to PlainText via readpst 15:00 - Logging into telnet with the credentials from the email 15:45 - Switching to a Nishang …

Watch on YouTube ↗ (saves to browser)

Chapters (29)

0:58 Begin of recon: ftp, telnet, IIS 7.5

3:00 Downloading all files off an FTP Server with WGET

5:30 Examining the "Access Control.zip" file.

6:30 Cracking a zip file with John

7:45 Creating a wordlist for cracking the zip (strings of the mdb file)

10:00 Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-table

12:30 Grabbing the same password we cracked by checking the auth_user table

13:35 Converting the PST File (Outlook Email) to PlainText via readpst

15:00 Logging into telnet with the credentials from the email

15:45 Switching to a Nishang Shell to execute powershell

18:15 Running JAWS (Just Another Windows Scanner)

23:34 Discovering Stored Credentials on the box for ACCESS\Administrator

25:11 Examining the Shortcut on PUBLIC\DESKTOP which shows us how the "Stored Creden

25:58 Using powershell to view information of a Shortcut

27:25 Using the Stored Credential via runas /savecred

30:31 Creating Base64 (UTF-16LE) on linux to use in as a Powershell EncodedCommand

31:54 Box done, Administrator returned.

32:38 Begin of decrypting the Stored Credential, uploading Mimikatz

33:40 Using powershell to download files

36:36 Discovering that I was trying to save mimikatz to a directory i cannot write t

37:15 Testing Applocker methods to bypass the Software Restriction Policy (Give up o

38:50 Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)

41:28 Getting a Empire Agent running

43:35 Empire Agent Returned, Injecting meterpreter shellcode.

45:46 Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds

46:52 Explaining Mimikatz Arguments when in "non-interactive" mode

54:20 Grabbing needed files to decrypt DPAPI::CREDS offline

56:09 Switing to Windows to run Mimikatz

1:02:32 Decrypting the Creds stored in DPAPI

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →