HackTheBox - Reel2

00:00 - Intro 01:10 - Start of NMAP 04:20 - Gobuster using a case insensitive wordlist because windows 08:50 - Checking out the application on port 8080, wallstant 10:30 - OWA Discovering the Exchange version based upon login interface 12:00 - OWA How the "User Enumeration" of Exchange may work... It's time based 14:20 - Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT 19:00 - Using Wallstant to build a username list to perform password spray 24:15 - Using Username Anarchy to take our list of names and build a wordlist of usernames 32:00 - For some reason when using Metasploit's OWA Password Spray, OWA_2010 is broken... but settiing it to OWA_2013 works. 34:30 - Showing SprayingToolkit to bruteforce OWA without metasploit 39:10 - Sending an email address to all users and seeing if anyone clicks the link 41:40 - Using Responder to attempt to force the user's computer to give up an NTLMv2 Hash over HTTP 47:00 - Cracking the NTLMv2 Hash of k.svensson 49:50 - Failing to use Evil-WinRM to access the box, switching to powershell on linux 54:10 - Using Powershell on Linux to Enter-PSSession on a Windows Box then finding out we are in constrainedlanguage mode 56:20 - Breaking out of ConstrainedLanguage Mode by creating a function 1:00:00 - Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files 1:04:20 - Finding a link to StickyNotes on the desktop 1:06:50 - Doing a hex dump of the stickynote log to see there is a password written 1:08:30 - Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA 1:11:50 - Using an LFI Vulnerability in the function JEA can do in order to access any file 1:13:30 - Using the LFI to get root.txt 1:14:30 - Box is done.. Trying to dump the proces and flailing, never get it working but figured people may still enjoy it.