HackTheBox - Escape

00:00 - Introduction 01:00 - Start of nmap 03:10 - Examining SSL Certificates and seeing "sequel-DC-CA", which hints towards there being a Certificate Authority 05:45 - Using CrackMapExec to enumerate file shares 06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql 10:00 - Using mssqlclient to login to access MSSQL 10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it 18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading Certify.exe and not finding a vulnerable certificate 20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as Ryan.Cooper 23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate 25:00 - Using Certify Scenario #3 to create a UserAuthentication certificate with Administrator as the Alt Name which lets us authenticate as them 26:00 - Cannot use the certificate for WinRM because there isn't SSL (5986) 30:00 - Uploading Rubeus and the PFX File to the box, so we can use the PFX to obtain the local administrator NTLM Hash 33:30 - Showing an alternative method with Certipy which lets us run this attack from our attacker box without uploading files to the box 37:40 - Showing an alternate way to root via Silver Tickets and MSSQL, Explaining what a TGS Ticket is and why this attack works 41:10 - Generating the NTLM Hash from the password because that is what signs/encrypts kerberos tickets 43:00 - Using Ticketer.py to generate a silver ticket which lets us log into MSSQL as Administrator