HackTheBox - Ghost

00:00 - Intro 01:00 - Start of nmap 05:20 - Taking a look at all the websites 06:45 - Showing why you should be careful when enumerating VHOSTS, also using gobuster in DNS mode since there are multiple web services and a DNS Server 12:45 - Discovering LDAP Injection in intranet page 15:40 - Showing how our LDAP Injection is boolean injection which lets us enumerate data in LDAP 21:30 - Creating a python program to perform the boolean injection 33:15 - Got the password for gitea_temp_principal 35:00 - Looking at the Intranet Backend code that was in Gitea which is written in Rust using the Rocket Web Library, finding a RCE but it protected by auth 41:00 - Looking at the Blog project in Gitea, that shows there is a modification to the Ghost CMS Application which has a File Disclosure vulnerability 45:30 - Exploiting the File Disclosure in the blog, downloading the SQL Lite Database, Grabbing the API Key from the environment and then getting a shell through the Rust API 50:00 - Shell returned on intranet container, discovering a SSH Control Master socket, which lets us ssh into the dev workstation without a password 56:00 - On the workstation, Florence.Ramirez has a KRB Ticket, downloading it and then testing it 58:30 - Running bloodhound, which is giving us trouble because of some weird connection issues as Impacket isn't trying all the IP's given for a DC. 01:09:20 - Editing our bloodhound to hardcode the IP Address, which is a really hacky thing to do, but it worked. Then looking at Bloodhound and not seeing much 01:17:20 - Using dnstool to create a DNS Record on the domain controller, then responder to steal the hash of a user trying to connect to that item 01:21:00 - Got Justin.Bradley's password, who can grab dump the GMSA Password, getting the ADFS Service accounts password 01:27:15 - Dumping the ADFS Data (ADFSDump), then using ADFSpoof to perform the Golden SAML Attack to impersonate Administrator on a federated web login 01:42:00 - Logged into core as adminis