HackTheBox - Mist

Name: HackTheBox - Mist
Uploaded: 2024-10-26T15:00:04Z
Channel: IppSec
Description: 00:00 - Introduction 01:10 - Start of nmap which contains pluck version 05:50 - Looking into CVE-2024-9405 which is a File Disclosure vulnerability 08:0...

IppSec · Beginner ·🔐 Cybersecurity ·1y ago

00:00 - Introduction 01:10 - Start of nmap which contains pluck version 05:50 - Looking into CVE-2024-9405 which is a File Disclosure vulnerability 08:00 - Discovering a backup password, cracking it, then uploading a malicious plugin 13:00 - RCE Obtained, defender is blocking reverse shell, obfuscating the command to bypass 17:30 - Creating a malicious LNK file, then when someone clicks on it we get a shell as Brandon.Keywarp 31:00 - Setting up the Bloodhound Community Edition and fixing bug which isn't showing us any images 34:40 - Using Bloodhoudn to show we can enroll in various certificate…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

1:10 Start of nmap which contains pluck version

5:50 Looking into CVE-2024-9405 which is a File Disclosure vulnerability

8:00 Discovering a backup password, cracking it, then uploading a malicious plugin

13:00 RCE Obtained, defender is blocking reverse shell, obfuscating the command to b

17:30 Creating a malicious LNK file, then when someone clicks on it we get a shell a

31:00 Setting up the Bloodhound Community Edition and fixing bug which isn't showing

34:40 Using Bloodhoudn to show we can enroll in various certificate templates

37:00 Discovering Defender Exclusions as a low privilege user by reading the event l

43:10 Using Certify to request a certificate and then Rubeus to use the pass the tic

56:45 Explaining our NTLM Relay attack that we are about to do

1:02:30 Installing a version of impacket that allows for shadow_creds within ldap and

1:07:10 Using PetitPotam with Brandon's hash to get the MS01$ to authenticate to us, a

1:15:00 Setting shadow_creds for MS01$ then using s4u to impersonate the administrator

1:27:50 Discovering a Keypass database in Sharon's directory, cracking it

1:36:18 Going back to Bloodhound and seeing OP_SHARON.MULLARD can read GMSA Passwords,

1:38:56 Looking at what SVC_CA$ can do, identifying a chain abusing ESC13 twice to jum

1:44:39 Using PyWhisker to set the shadow credentials on svc_cabackup then using PKINI

1:54:40 Using Certipy to create a certificate within ManagerAuthentication to place ou

1:57:00 Using Certipy to create a certifi

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →