HackTheBox - Intelligence

IppSec · Beginner ·🔐 Cybersecurity ·4y ago
00:00 - Intro 01:02 - Start of nmap, discover Active Directory and a web server 02:45 - Doing some common checks against a Domain Controller 04:50 - Discovering PDF's with filenames based upon the date 05:25 - Building a customized wordlist based upon the date with the date command 08:30 - Downloading the PDF's with wget and then examining metadata 11:25 - Using Kerbrute to validate the usernames in the metadata are correct 12:50 - Using pdftotext to convert all the PDF's into text files, so we can grep through text 14:20 - Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfrom a passwordspray 15:40 - Running CrackMapExec Spider_Plus while we do some other CME things 17:20 - Running Python Bloodhound with the credentials we got from the password spray 19:10 - Using JQ to parse the data from CME's spider_plus module to discover a powershell script 22:50 - Importing the bloodhound results and then searching for attack paths 26:00 - Discovering we probably need to get access to the SVC_INT GMSA (Group Managed Service Account) 27:50 - Going back over the powershell script we downloaded, and then creating a DNS Record with krbrelayx's dnstool 28:57 - Using dnstool to create an A Record on an Active Directory Server 32:30 - Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people that access our webserver (Responder also would work but was broke on my box) 36:35 - Using John to crack the ntlmv2 hash and gaining access to the Ted Graves account 42:19 - Using gMSA Dumper to extract the svc_int hash 43:43 - Using impacket's getST to generate a SilverTicket which we can use for impersonating an administrator 46:00 - Using NTPDate to syncronize the time to our domain controller 48:30 - Using our ticket with psexec to gain access to the server
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

Why Businesses Quietly Accept Technology Friction as “Normal”
Businesses often accept technology friction as normal, but it can have significant impacts on productivity and security
Medium · Cybersecurity
The Model You Just Downloaded Might Own Your Network — What I Learned Building Defenses Against AI…
AI models from public repositories can pose a significant threat to enterprise security due to poisoned weights, and learning to defend against them is crucial
Medium · Cybersecurity
I Found Backdoored AI Models on Hugging Face — And So Has Everyone Else Who Bothered to Look
Backdoored AI models are prevalent on Hugging Face, posing a significant security risk to the AI supply chain, and it's crucial to secure it
Medium · Cybersecurity
The XSS Escalation Playbook: From Basic Reflection to DOM Breakouts
Learn to escalate XSS attacks from basic reflection to DOM breakouts with this comprehensive playbook
Medium · Cybersecurity

Chapters (22)

Intro
1:02 Start of nmap, discover Active Directory and a web server
2:45 Doing some common checks against a Domain Controller
4:50 Discovering PDF's with filenames based upon the date
5:25 Building a customized wordlist based upon the date with the date command
8:30 Downloading the PDF's with wget and then examining metadata
11:25 Using Kerbrute to validate the usernames in the metadata are correct
12:50 Using pdftotext to convert all the PDF's into text files, so we can grep throu
14:20 Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfro
15:40 Running CrackMapExec Spider_Plus while we do some other CME things
17:20 Running Python Bloodhound with the credentials we got from the password spray
19:10 Using JQ to parse the data from CME's spider_plus module to discover a powersh
22:50 Importing the bloodhound results and then searching for attack paths
26:00 Discovering we probably need to get access to the SVC_INT GMSA (Group Managed
27:50 Going back over the powershell script we downloaded, and then creating a DNS R
28:57 Using dnstool to create an A Record on an Active Directory Server
32:30 Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people tha
36:35 Using John to crack the ntlmv2 hash and gaining access to the Ted Graves accou
42:19 Using gMSA Dumper to extract the svc_int hash
43:43 Using impacket's getST to generate a SilverTicket which we can use for imperso
46:00 Using NTPDate to syncronize the time to our domain controller
48:30 Using our ticket with psexec to gain access to the server
Up next
VPC Service Controls: Day Two Operations
Google Cloud
Watch →