HackTheBox - Infiltrator

IppSec · Beginner ·🔐 Cybersecurity ·11mo ago

Skills: Network Security90%

00:00 - Introduction 01:00 - Start of nmap 04:10 - Using grep against a HTML Page to extract usernames, then username anarchy to build a userlist and kerbrute to find valid users 07:50 - Kerbrute automatically will ASREP Roast but outputs in the stronger hash that hashcat doesn't crack. Using downgrade to get the weaker hash 11:10 - Using NXC with our creds to dump a list of users and see a password in the description 13:34 - Using Rusthound stead of the python version of Bloodhound because it gets certificate information too 17:30 - Showing a couple paths in Bloodhound 22:00 - Explaining and performing the attack (dacledit, shadow credential, force password change, bloodyad) 32:50 - Discovering Output Messenger running, using chisel to forward ports 38:15 - Having trouble with the Linux client of Output Messenger, cannot download a file 44:30 - Switching to Windows, using a regular portforward on chisel so our windows box can hit infiltrator 52:30 - Using ilSpy n the dotnet binary and decrypting a static string which is another password 01:00:00 - Discovering the API Key in the notes, and exploring the API to dump chatroom messages 01:12:30 - Setting an event on Olivia's Output Messenger Calendar to send a shell 01:22:48 - Discovering a PCAP in Olivias downloaded files, using wireshark to extract objects which has a picture of a bitlocker key 01:32:40 - Accessing the box over RDP, decrypting the bitlocker drive, and then downloading the backup which is NTDS.DIT 01:40:40 - Using NTDISSECTOR to parse the NTDS.DIT which extracts a lot more data than secretsdump, discovering another password in a description 01:45:45 - Doing AD ESC4 and then AD ESC 1 to get root

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Network Security

View skill →

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

Building a High-throughput VPN

Configuring Network Connectivity Center as a Transit Hub

VPC Flow Logs - Analyzing Network Traffic

HackTheBox - Intentions

HackTheBox - Intentions

Google Cloud Packet Mirroring with OpenSource IDS

Related AI Lessons

TorCT PHP RAT 2026

Learn about TorCT PHP RAT, a stealthy Remote Access Trojan written in PHP that operates without port forwarding, and understand its implications for cybersecurity.

QR Code Security Best Practices for Platforms

Learn essential QR code security best practices to protect your platform from potential threats

Dev.to · Nacho González

Why Hardened git clone Commands Matter in Modern Dev Tooling

Learn why using hardened git clone commands is crucial for secure dev tooling and how to implement them

Medium · Cybersecurity

Stop trusting your agent skills with vibes. Eliminate the context security risk.

Learn to eliminate context security risks by using specific tools to audit package installations, rather than relying on intuition

Dev.to · Tessl

Chapters (18)

Introduction

1:00 Start of nmap

4:10 Using grep against a HTML Page to extract usernames, then username anarchy to

7:50 Kerbrute automatically will ASREP Roast but outputs in the stronger hash that

11:10 Using NXC with our creds to dump a list of users and see a password in the des

13:34 Using Rusthound stead of the python version of Bloodhound because it gets cert

17:30 Showing a couple paths in Bloodhound

22:00 Explaining and performing the attack (dacledit, shadow credential, force passw

32:50 Discovering Output Messenger running, using chisel to forward ports

38:15 Having trouble with the Linux client of Output Messenger, cannot download a fi

44:30 Switching to Windows, using a regular portforward on chisel so our windows box

52:30 Using ilSpy n the dotnet binary and decrypting a static string which is anothe

1:00:00 Discovering the API Key in the notes, and exploring the API to dump chatroom m

1:12:30 Setting an event on Olivia's Output Messenger Calendar to send a shell

1:22:48 Discovering a PCAP in Olivias downloaded files, using wireshark to extract obj

1:32:40 Accessing the box over RDP, decrypting the bitlocker drive, and then downloadi

1:40:40 Using NTDISSECTOR to parse the NTDS.DIT which extracts a lot more data than se

1:45:45 Doing AD ESC4 and then AD ESC 1 to get root