HackTheBox - Escape

Name: HackTheBox - Escape
Uploaded: 2023-06-17T15:00:25Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate A...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority 05:45 - Using CrackMapExec to enumerate file shares 06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql 10:00 - Using mssqlclient to login to access MSSQL 10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it 18:45 - Using Evil-WinRM to login to the box with S…

Watch on YouTube ↗ (saves to browser)

Chapters (17)

Introduction

1:00 Start of nmap

3:10 Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards ther

5:45 Using CrackMapExec to enumerate file shares

6:30 Accessing the Public Share, downloading a PDF File and finding credentials in

10:00 Using mssqlclient to login to access MSSQL

10:50 Using XP_DIRTREE to request a file off an SMB Share in order to intercept the

18:45 Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.e

20:45 Looking at the error logs and discovering a user entered their password as a u

23:40 Running Certify again as Ryan and finding a vulnerable UserAuthentication Cert

25:00 Using Certify Scenario #3 to create a UserAuthentication certificate with Admi

26:00 Cannot use the certificate for WinRM because there isn't SSL (5986)

30:00 Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain

33:30 Showing an alternative method with Certipy which lets us run this attack from

37:40 Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what

41:10 Generating the NTLM Hash from the password because that is what signs/encrypts

43:00 Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →