HackTheBox - Rebound

00:00 - Introduction 01:07 - Start of nmap then checking SMB Shares 04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 10000 07:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists 10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication 17:40 - Using NetExec to run Bloodhound as ldap_monitor 25:30 - Discovering Oorend can add themself to the ServiceMgmt group, which can take over the WinRM Account 28:30 - Spraying the password of the ldap_monitor account to discover it shares oorend's password 34:20 - Showing BloodyAD to add Oorend to ServiceMGMT then abusing the GenericAll to Service Users, so we can reset WinRM_SVC's password 40:30 - Showing a more opsec friendly way to take over WINRM_SVC by abusing shadow credentials so we don't change the accounts password 50:00 - As WINRM_SVC we cannot run some commands like qwinsta or tasklist. Using RunasCS, to switch our login to a non-remote login which will let us run these commands 54:10 - Performing a Cross Session attack with Remote Potato to steal the NTLMv2 Hash of another user logged into the same box we are 59:20 - Using NetExec to read GMSA Passwords as TBRADY 1:04:00 - Using findDelagation.py to show constrained delegation from the GMSA delegator account 1:11:20 - Using RBCD.py to setup the Resource-Based Constrained Delegation so we can get a forwardable ticket to abuse delegators delegation and impersonate users 1:18:20 - Using our ticket that impersonates DC01 and performing secretsdump and then getting Adminsitrator's hash so we can login