HackTheBox - Scepter

10.8K views
Jul 19, 2025
1:07:22

00:00 - Introduction
01:00 - Start of nmap
03:20 - Looking at the NFS Mount on Windows, then downloading the certificates
06:00 - Examining the certificates, dumping information to look at username and expiration. Then cracking PEM and PFX
13:50 - Using certipy to auth with the certificate, discovering some accounts are locked out
17:30 - Building a PFX File from the key and pem, then logging in and running RustHound with Kerberos since we only have NTLM Hash
24:40 - Looking at Bloodhound Data and seeing D.Baker can reset A.Carter's password who can take over D.Baker
27:50 - Running Certipy to look at certificates as D.Baker
30:45 - Examining LDAP to discover H.Brown has an Alternate Security Identity set
32:30 - Performing ESC14 by exploiting a chain to give ourselves GenericAll then setting our email to H.Brown's so we can impersonate h.brown
41:30 - Using WinRM with Kerberos to login as h.brown
42:40 - Using BloodyAD to show writable objects as h.brown to see they can write something to p.adams
43:58 - Running DSACLS to discover exactly what h.brown can write to see it is the Alternate Security Identity, setting it to be an email and then impersonating p.adams via ESC14
52:15 - Running SecretsDump to become administrator and grab the flag
53:24 - Beyond Root, enabling Remote Desktop so we can look at the Certificate Configuration and see why it isn't vulnerable to ESC9
