HackTheBox - Monteverde

Name: HackTheBox - Monteverde
Uploaded: 2020-06-13T15:01:04Z
Channel: IppSec
Description: 00:00 - Into 00:54 - Begin of recon 03:36 - Using rpcclient with null authentication and dumping active directory users 06:26 - Building a password list...

IppSec · Beginner ·📰 AI News & Updates ·5y ago

00:00 - Into 00:54 - Begin of recon 03:36 - Using rpcclient with null authentication and dumping active directory users 06:26 - Building a password list with hashcat --stdout (Forest Video does it better) 08:41 - CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials 12:06 - Using SMBMap to list contents of directories 16:20 - Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell 19:50 - Downloading and running Seatbelt on the server 25:20 - Running WinPEAS for a second opinion 27:45 - Talking about the Azure Ad…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Into

0:54 Begin of recon

3:36 Using rpcclient with null authentication and dumping active directory users

6:26 Building a password list with hashcat --stdout (Forest Video does it better)

8:41 CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials

12:06 Using SMBMap to list contents of directories

16:20 Using SMBMap to download azure.xml which has a hardcoded credential in it then

19:50 Downloading and running Seatbelt on the server

25:20 Running WinPEAS for a second opinion

27:45 Talking about the Azure Admins group

28:55 Playing with SQLCMD to view the MSSQL Database

30:45 Downloading and running PowerUpSQL to see if there's any obvious escalation pa

37:00 Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 ha

39:45 Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers"

43:00 Running through the commands with SQLCMD to understand what is going on

48:20 Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on

49:10 Stepping through the script to see where it is failing

51:25 Updating the SQL Connection script to work with our MSSQL Configuration, then

55:40 Running the updated script, and getting the administrator password then using

58:30 Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going o

1:03:50 Dumping the DNS Zone for MEGABANK.LOCAL via powershell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Monteverde

Chapters (21)

Playlist

Lesson complete!