HackTheBox - Resolute

Name: HackTheBox - Resolute
Uploaded: 2020-05-30T15:00:24Z
Channel: IppSec
Description: 00:00 - Intro 01:08 - Talking about my switch to Parrot 02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller 04:30 - Checking if ...

IppSec · Intermediate ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:08 - Talking about my switch to Parrot 02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller 04:30 - Checking if there are any open file shares 06:11 - Using RPCClient to enumerate domain users (enumdomusers) 07:55 - Using CrackMapExec to dump the PasswordPolicy 08:45 - Using RPCClient to dump Active Directory information (querydispinfo) 10:45 - Bruteforcing accounts via CrackMapExec with password of Welcome123! 14:30 - Using Evil-WinRM to remote into the server as Melanie 15:40 - Building the latest version of Seatbelt on CommandoVM (The DotNet version …

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:08 Talking about my switch to Parrot

2:00 Begin of nmap, discovering it is likely a Windows Domain Controller

4:30 Checking if there are any open file shares

6:11 Using RPCClient to enumerate domain users (enumdomusers)

7:55 Using CrackMapExec to dump the PasswordPolicy

8:45 Using RPCClient to dump Active Directory information (querydispinfo)

10:45 Bruteforcing accounts via CrackMapExec with password of Welcome123!

14:30 Using Evil-WinRM to remote into the server as Melanie

15:40 Building the latest version of Seatbelt on CommandoVM (The DotNet version is i

17:40 Explaining some cool bash one line tricks, then linking Egypt's "One liners to

24:40 Changing Seatbelt to compile to Version 4.0 then trying again.

26:30 Finally examining the Seatbelt output, see the PSTranscript Directory and a Cu

29:50 Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/q

35:30 Running WinPEAS to compare the differences

38:30 Exploring hidden directories to see PSTranscripts, then finding credentials in

44:20 Using Evil-WinRM with the password from a PSTranscript File to get shell as Ry

45:40 Quickly going over how to execute code on a Domain Controller as a DNS Admin

46:10 Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of t

49:10 Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SM

52:50 Using the DNS-EXE-Persistance to help us create a better to do the Reverse She

53:03 Explaining the DNSCMD Exploit path on how it can be used both foor lateral mov

54:50 Start of creating the DLL to use with this DNS Exploit

56:45 Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Pro

1:02:20 Showing that we get a Reverse shell an

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →