HackTheBox - Intelligence

Name: HackTheBox - Intelligence
Uploaded: 2021-11-27T15:14:02Z
Channel: IppSec
Description: 00:00 - Intro 01:02 - Start of nmap, discover Active Directory and a web server 02:45 - Doing some common checks against a Domain Controller 04:50 - Dis...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:02 - Start of nmap, discover Active Directory and a web server 02:45 - Doing some common checks against a Domain Controller 04:50 - Discovering PDF's with filenames based upon the date 05:25 - Building a customized wordlist based upon the date with the date command 08:30 - Downloading the PDF's with wget and then examining metadata 11:25 - Using Kerbrute to validate the usernames in the metadata are correct 12:50 - Using pdftotext to convert all the PDF's into text files, so we can grep through text 14:20 - Finding the password NewIntelligenceCorpUser987, then using KerBrute t…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:02 Start of nmap, discover Active Directory and a web server

2:45 Doing some common checks against a Domain Controller

4:50 Discovering PDF's with filenames based upon the date

5:25 Building a customized wordlist based upon the date with the date command

8:30 Downloading the PDF's with wget and then examining metadata

11:25 Using Kerbrute to validate the usernames in the metadata are correct

12:50 Using pdftotext to convert all the PDF's into text files, so we can grep throu

14:20 Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfro

15:40 Running CrackMapExec Spider_Plus while we do some other CME things

17:20 Running Python Bloodhound with the credentials we got from the password spray

19:10 Using JQ to parse the data from CME's spider_plus module to discover a powersh

22:50 Importing the bloodhound results and then searching for attack paths

26:00 Discovering we probably need to get access to the SVC_INT GMSA (Group Managed

27:50 Going back over the powershell script we downloaded, and then creating a DNS R

28:57 Using dnstool to create an A Record on an Active Directory Server

32:30 Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people tha

36:35 Using John to crack the ntlmv2 hash and gaining access to the Ted Graves accou

42:19 Using gMSA Dumper to extract the svc_int hash

43:43 Using impacket's getST to generate a SilverTicket which we can use for imperso

46:00 Using NTPDate to syncronize the time to our domain controller

48:30 Using our ticket with psexec to gain access to the server

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →