HackTheBox - Multimaster

00:00 - Intro 01:00 - Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration 04:30 - Checking out the web page, finding an API that allows us to search employees 08:45 - Extracting usernames from the database using the above API 11:45 - Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on BruteFoce and special characters 18:15 - Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: Its content-type!) 21:00 - Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes 25:30 - While SQLMap runs, lets manually exploit this 28:15 - Found a union injection! Start of creating a Python Script, tons of issues around getting Request to send unicode 35:30 - Basic script is done, we can now send unicode data via python - Then convert to use the Cmd Module 41:00 - CmdLoop done, we can now send raw queries to the database. Lets make an option to do union injection 44:10 - Script now makes it easy to run UNION Commands and get the output, running through some basic MSSQL Injection to get data from the server 47:15 - Extracting database information (Table Names) 51:30 - Extracting Usernames and hashes from the Logins table, then cracking the passwords 01:01:15 - Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Administrator. Then adding BruteForcing to our script 1:18:25 - Bruteforcing RID's to discover more usernames 1:23:08 - Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and BloodHound to enumerate Active Directory 1:39:00 - Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file 1:45:45 - Discovering a VS Code is running, and some random ports keep opening up. Debug ports? Downloading CEFDebug then running 1:53:34 - Testing CEF exploit with ping, then create a powershell cradle. Edit Nishang to bypass AMSI 1:58:10 - Shell returned as CYORK 2:01:00 - Discover a DLL in the web directory, run string