HackTheBox - Resolute

00:00 - Intro 01:08 - Talking about my switch to Parrot 02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller 04:30 - Checking if there are any open file shares 06:11 - Using RPCClient to enumerate domain users (enumdomusers) 07:55 - Using CrackMapExec to dump the PasswordPolicy 08:45 - Using RPCClient to dump Active Directory information (querydispinfo) 10:45 - Bruteforcing accounts via CrackMapExec with password of Welcome123! 14:30 - Using Evil-WinRM to remote into the server as Melanie 15:40 - Building the latest version of Seatbelt on CommandoVM (The DotNet version is incompatible) 17:40 - Explaining some cool bash one line tricks, then linking Egypt's "One liners to rule them all" talk 24:40 - Changing Seatbelt to compile to Version 4.0 then trying again. 26:30 - Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins 29:50 - Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem) 35:30 - Running WinPEAS to compare the differences 38:30 - Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log 44:20 - Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan 45:40 - Quickly going over how to execute code on a Domain Controller as a DNS Admin 46:10 - Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video) 49:10 - Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server 52:50 - Using the DNS-EXE-Persistance to help us create a better to do the Reverse Shell 53:03 - Explaining the DNSCMD Exploit path on how it can be used both foor lateral movement and privesc 54:50 - Start of creating the DLL to use with this DNS Exploit 56:45 - Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread 01:02:20 - Showing that we get a Reverse shell an