HackTheBox - Scrambled

Name: HackTheBox - Scrambled
Uploaded: 2022-10-01T15:38:12Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 04:00 - Viewing the website and discovering NTLM is disabled 07:45 - Using Kerbrute to enumerate valid users and the...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·3y ago

00:00 - Intro 01:00 - Start of nmap 04:00 - Viewing the website and discovering NTLM is disabled 07:45 - Using Kerbrute to enumerate valid users and then password spray with username 10:15 - Bad analogy comparing Kerberos works with TGT/TGS and Movie Theater Tickets 11:00 - Using Impacket's GetTGT Script to get Ticket Granting Ticket as Ksimpson and exporting KRB5CCNAME so Impacket uses it 12:30 - Using GetUserSPN to Kerberoast the DC with Kerberos Authentication and cracking to get SqlSVC's Password 16:40 - Both credentials we have cannot access MSSQL 18:15 - Creating a silver ticket to gain …

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:00 Start of nmap

4:00 Viewing the website and discovering NTLM is disabled

7:45 Using Kerbrute to enumerate valid users and then password spray with username

10:15 Bad analogy comparing Kerberos works with TGT/TGS and Movie Theater Tickets

11:00 Using Impacket's GetTGT Script to get Ticket Granting Ticket as Ksimpson and e

12:30 Using GetUserSPN to Kerberoast the DC with Kerberos Authentication and crackin

16:40 Both credentials we have cannot access MSSQL

18:15 Creating a silver ticket to gain access to SQL

19:50 Using GetPAC to get a Domain SID

20:30 Showing getting Domain SID with LDAPSearch

24:00 Creating the Silver Ticket with Impacket's Ticketer

26:30 Showing Impacket creates the ticket with 10 years instead of 10 hours

27:40 We now have MSSQL Access to the box, enabling xp_cmdshell and getting a revers

30:00 Using JuicyPotatoNG to escalate privileges because we have SeImpersonate Privi

32:00 Running the JuicyPotatoNG Exploit and getting a shell in the unintended way

34:00 Enumerating the MSSQL Database and finding credentials

35:40 Using Evil-WinRM to login with Kerberos Auth

39:40 Accessing the box as MiscSvc and finding a dotnet Application

43:40 Setting up our linux host as a router so our Windows host can communicate to t

47:20 Sniffing the traffic from the dotnet application and discovering it talks to p

50:20 Looking at debug logs and seeing a serialized object

52:40 Using YsoSerial.Net to create a malicious base64 object to send us a reverse s

55:30 Sending our payload and getting a reverse shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →