HackTheBox - EscapeTwo

Name: HackTheBox - EscapeTwo
Uploaded: 2025-05-24T14:58:12Z
Channel: IppSec
Description: 00:00 - Introduction 00:45 - Start of nmap 03:00 - Doing some low-priv AD recon with NetExec (SMB, MSSQL, User Dump, Shares, Bloodhound, etc) 06:50 - Lo...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·10mo ago

00:00 - Introduction 00:45 - Start of nmap 03:00 - Doing some low-priv AD recon with NetExec (SMB, MSSQL, User Dump, Shares, Bloodhound, etc) 06:50 - Looking at the Spider_Plus output and seeing two interesting excel files 09:45 - Cannot open the Excel, unzipping it to look at the files manually and discover the SA password to MSSQL 13:20 - Running MSSQL Commands with NetExec and the SA user to get a shell on the box 15:30 - Discovering the SQL Install directory with a configuration file that has a password, spraying all users with that password to see it works with Ryan 19:00 - Looking at wha…

Watch on YouTube ↗ (saves to browser)

Chapters (13)

Introduction

0:45 Start of nmap

3:00 Doing some low-priv AD recon with NetExec (SMB, MSSQL, User Dump, Shares, Bloo

6:50 Looking at the Spider_Plus output and seeing two interesting excel files

9:45 Cannot open the Excel, unzipping it to look at the files manually and discover

13:20 Running MSSQL Commands with NetExec and the SA user to get a shell on the box

15:30 Discovering the SQL Install directory with a configuration file that has a pas

19:00 Looking at what our owned users can do via bloodhound

22:40 Showing SharpHound collects more data than the python ingestor

27:20 Showing an attack path of Ryan Taking over CA_SVC which can perform ESC4

29:30 Using OwnerEdit/DaclEdit to take over CA_SVC then Certipy to create a shadow c

32:00 Talking about the ESC4 Exploit

34:45 Performing the ESC4 Exploit to make the template vulnerable then performing ES

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →