HackTheBox - Certificate

00:00 - Introduction 01:00 - Start of nmap 04:00 - Checking out the website and registering a user 07:15 - Discovering upload functionality, that lets us upload PHP Files. Explaining what a Null Byte will may do in a zip file 12:00 - Using BurpSuite to manipulate the hex and add a Null Byte in the filename shell.php..pdf, so when unzipped it becomes shell.php 16:00 - Talking about the Zip Stack or Concatenation Attack, where we stack two zips on top of eachother. Some Zip Programs read he first file, others read the second 20:30 - Shell on the box, dumping hashes out of the database and cracking hashes 27:00 - Getting a Shell as Sara.B, discovering a PCAP which contains a Kerberos Auth. Extracting the Hash and cracking (krb5pa) 36:10 - Shell as Lion.SK, looking at groups and also running RustHound to see we have permissions to a Certificate 39:50 - Running Certipy to list vulnerable certificates which shows ESC3, we can't request Administrator because it lacks an email address 43:20 - Running some powershell commands to look at groups and members of groups to discover Ryan.K has storage permissions, using ESC3 to get his account 48:00 - Exploiting SeManageVolumePrivilegee and then extracting the CA Certificate to perform Golden Ticket attack to forge a ticket from Administrator