HackTheBox - Acute

00:00 - Intro 01:00 - Start of nmap, the Server Header changes based upon DNS 04:00 - Navigating to the website, discovering the "New Starter Form" which has some key information like a welcome password and username convention 07:00 - Password spraying the Powershell Web Access (PSWA), discovering a valid credential but wrong host, word document had another host which is valid for edavies 09:15 - Playing around in the PSWA 10:00 - Looking at hidden files, discovering c:\utils\desktop.ini which states its a directory that is excluded by AV 12:00 - Making the mistake of running WinPEAS inside the PSWA 14:45 - Setting up ConPtyShell to get a proper PTY reverse shell on windows 15:40 - Making some light modifications to ConPtyShell in order to evade antivirus 16:50 - Getting the ConPtyShell and showing the colors/tab autocomplete 19:30 - Running WinPEAS to show another user is logged on (and the AV Exclusions) 21:55 - Switching to Metasploit, because it makes it easier to migrate into an interactive process, which allows us access to view the desktop of the logged in user 24:30 - Using Screenshot and Screenshare inside of meterpreter to record the screen and get a password that was typed onto a terminal (imonks) 29:00 - Creating a credential object with imonks, so we can Invoke-Command on the domain controller 31:00 - When specifying the correct configurationname our enter-pssession fails because we can't run measure-object. Running Get-Command and Get-Alias to view what commands we can run 35:00 - Discovering wm.ps1, which we can modify to get a shell as jmorgan on our desktop 40:00 - Creating a powershell one-liner to replace a string in a file with cat and set-content 44:40 - Screwed up our fail because of a random line break. Playing around with it until we can fix it. 47:30 - Shell returned as JMorgan, dumping the SAM/SYSTEM files and cracking local passwords on the workstation 58:30 - Looking at other Domain Users, attempting to password spray the users we don't