HackTheBox - Sekhmet

00:00 - Intro 01:11 - Start of nmap 04:00 - Running ffuf to discover the portal virtual host 06:40 - Logging in with admin:admin and discovering a new cookie 09:15 - Looking at the Node-Serialize exploit 10:20 - Attempting to do the exploit and discovering modsecurity blocks us, then putting some unicode in the payload to evade it 16:20 - Whoops forgot to end the payload with (), so thats why we didn't get our shell 17:11 - EDIT Looking at how modsecurity is configured 19:33 - Showing the NGINX Error Log with modsecurity blocking, taking the unique ID going to the modsecurity log to get more information 25:00 - Looking at the JSDECODE transform for modsecurity to fix the rule 30:30 - Switching ModSecurity to Detection Only mode or Permissive so we don't block but get logs 31:42 - END OF EDIT, putting an SSH Key on the box 34:15 - Attempting to unzip the backup.zip, discovering a password but is using ZipCrypto, doing a plaintext crac with bkcrack to extract it 40:00 - Dumping the sssd.ldb database used to join the linux server to the domain. Getting a credential 44:20 - Using kinit to get a kerberos ticket, then ksu to switch to root 47:00 - Having trouble with tunneling, looking at iptables to see it blocks non-root users from accessing 192.168.0.0 52:30 - Looking at the shares to discover a powershell program to reset mobile phone numbers 1:02:30 - Modifying a phone number via ldap and seeing a script will execute what we put in the field 1:11:40 - Attempting to steal a NTLMv2 Hash, having trouble because NTLM is disabled 1:14:15 - Forwarding port 445 from the webserver to us, so we can use its DNS Name, but need to enable GatewayPorts in SSHD's config to listen on a non-loopback port 1:20:05 - Building a list of users with ldapsearch, then password spraying the password we cracked to get access to bob.wood 1:27:00 - Downloading dpapi keys and chrome/edge files then using pypykatz to decrypt saved passwords 1:36:11 - Got all the files on our box, using pypykatz to