HackTheBox - RustyKey

00:00 - Introduction 01:00 - Start of nmap 05:00 - Syncing our time with the DC via NTPDate 10:12 - Writing a custom Cypher Query in Bloodhound to show everything that users and computers can directly do, except for group memberships. Discover an oddity around IT-COMPUTER3 and seeing its password set date is also odd 14:00 - Using NetExec to perform a TimeRoast attack and then cracking the computer password 18:15 - Back in Bloodhound, we can see IT-Computer3 has a path to take over several users 22:45 - Using BloodyAD to add ourself to the helpdesk group and then reset BB.MORGAN's password 25:00 - Still cannot log in, discovering BB.MORGAN is a member of the Protected Users/Objects group. Trying to use AES instead of RC4 with impacket, still have issue. Assume the domain doesn't support it, this feels weird. 29:30 - Using BloodyAD to remove the user from the Protected Objects group, the logging in with BB.MORGAN 35:30 - Find a PDF and it talks about Context Menus and COM Objects with Zip programs 39:10 - Using Req Query to show CLSID's then identifying support can modify the one that points to 7-zip's dll 44:00 - Using RunAsCS to switch to the support user (ee.reed) as remote logins appeared to be disabled for them 46:00 - Performing the COM Hijack on 7-zip and getting a reverse shell as mm.turner. 49:55 - Shell returned as mm.turner, who has the AllowedToAct on the DC 53:30 - Using Set-ADComputer to set the delegation permission, then getST to impersonate BackupAdmin get admin 01:05:05 - Showing why EE.REED could not login, diving into looking at the secpol command to dump security policies