HackTheBox - Forest

00:00 - Intro 01:15 - Running NMAP and queuing a second nmap to do all ports 05:40 - Using LDAPSEARCH to extract information out of Active Directory 08:30 - Dumping user information from AD via LDAP then creating a wordlist of users 12:10 - Creating a custom wordlist for password spraying with some bashfu and hashcat 18:30 - Using CrackMapExec to dump the password policy of Active Directory using a null authentication, then doing a Password Spray 22:00 - Enumerating information out of AD using rpcclient and null authentication 28:10 - Now that our PWSpray is running in the background, lets go through Impacket Scripts to see what works. 29:30 - Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it. 36:20 - Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials 37:30 - Setting up a SMBShare, using New-PSDRive to mount the share, then running WinPEAS 42:20 - Going over WinPEAS Output 44:20 - Downloading Bloodhound and the SharpHound Ingestor 48:50 - Importing the Bloodhound Results and finding an AD Attack Path 52:10 - Going over the Account Operators Group (will allow us to create an account) 53:30 - Using Net User to create a new user, then adding it to the Exchange Group 58:40 - Downloading the PowerSploit Dev Branch to utilize the function "Add-DomainObjectAcl" 01:01:40 - Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights 01:02:30 - Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access 01:07:10 - Going over the "--users" option in hashcat so you can easily identify whos hash was cracked 01:10:43 - Using the KRBTGT Hash to perform the GoldenTicket attack from Linux 01:35:11 - Showing it worked, Issues were we could not use IP Addresses anywhere in the command and need FQDN for the domain. Create entries in Host file if DNS is not there.