HackTheBox - Mist

00:00 - Introduction 01:10 - Start of nmap which contains pluck version 05:50 - Looking into CVE-2024-9405 which is a File Disclosure vulnerability 08:00 - Discovering a backup password, cracking it, then uploading a malicious plugin 13:00 - RCE Obtained, defender is blocking reverse shell, obfuscating the command to bypass 17:30 - Creating a malicious LNK file, then when someone clicks on it we get a shell as Brandon.Keywarp 31:00 - Setting up the Bloodhound Community Edition and fixing bug which isn't showing us any images 34:40 - Using Bloodhoudn to show we can enroll in various certificate templates 37:00 - Discovering Defender Exclusions as a low privilege user by reading the event log for event id 5007 43:10 - Using Certify to request a certificate and then Rubeus to use the pass the ticket attack to get our users NTLM Hash 56:45 - Explaining our NTLM Relay attack that we are about to do 1:02:30 - Installing a version of impacket that allows for shadow_creds within ldap and then setting up the ntlmrelayx to forward connections to the DC's ldap 01:07:10 - Using PetitPotam with Brandon's hash to get the MS01$ to authenticate to us, and showing why we need to start the Webclient Service 1:15:00 - Setting shadow_creds for MS01$ then using s4u to impersonate the administrator user, so we can access the filesystem. Dumping local hashes with secretsdump 1:27:50 - Discovering a Keypass database in Sharon's directory, cracking it 1:36:18 - Going back to Bloodhound and seeing OP_SHARON.MULLARD can read GMSA Passwords, using nxc to dump SVC_CA$ 1:38:56 - Looking at what SVC_CA$ can do, identifying a chain abusing ESC13 twice to jump through groups to get to the Backup Service 1:44:39 - Using PyWhisker to set the shadow credentials on svc_cabackup then using PKINITTools to get the NTHASH of SVC_CABACKUP 1:54:40 - Using Certipy to create a certificate within ManagerAuthentication to place ourself in the Certificate Managers Group 1:57:00 - Using Certipy to create a certifi