HackTheBox - Sizzle

Name: HackTheBox - Sizzle
Uploaded: 2019-06-01T15:00:22Z
Channel: IppSec
Description: 01:04 - Begin of Recon 06:45 - Checking the web interfaces 07:20 - Discovering there is a Certificate Authority 08:50 - Taking a look at LDAP 10:55 - Ex...

IppSec · Beginner ·🧠 Large Language Models ·6y ago

01:04 - Begin of Recon 06:45 - Checking the web interfaces 07:20 - Discovering there is a Certificate Authority 08:50 - Taking a look at LDAP 10:55 - Examining SMB to find shares 12:00 - Searching the Operations and Department Shares 14:50 - Viewing permissions of a SMB Share with SMBCACLS 19:10 - Discovering a writeable share, dropping a SCF File to get a hash 22:04 - Using Hashcat to crack NetNTLMv2 24:40 - Using SMBMap to identify if this user has access to anything extra 25:40 - Discovering the CertSRV Directory 28:00 - Discovering Powershell Remoting 30:00 - Error from WinRM (Need SSL) 3…

Watch on YouTube ↗ (saves to browser)

Chapters (36)

1:04 Begin of Recon

6:45 Checking the web interfaces

7:20 Discovering there is a Certificate Authority

8:50 Taking a look at LDAP

10:55 Examining SMB to find shares

12:00 Searching the Operations and Department Shares

14:50 Viewing permissions of a SMB Share with SMBCACLS

19:10 Discovering a writeable share, dropping a SCF File to get a hash

22:04 Using Hashcat to crack NetNTLMv2

24:40 Using SMBMap to identify if this user has access to anything extra

25:40 Discovering the CertSRV Directory

28:00 Discovering Powershell Remoting

30:00 Error from WinRM (Need SSL)

31:00 Using openSSL to generate a private key

31:52 Going to /CertSRV to sign our certificate as Amanda

34:00 Adding the SSL Authentication to WinrM

35:15 Playing with LDAP Again (with the Amanda Creds)

37:50 Shell on the box with WinRM as Amanda

38:15 Running SharpHound to enumerate Active Directory

40:29 Applocker is on the box, lets move it in the windows directory

42:00 Trying to get the bloodhound data off the box.

44:20 Starting bloodhound

45:27 File didn't copy lets load up Covenant

49:30 Covenant is up and running - Create a HTTP Listener

50:30 Hosting a Launcher

52:30 Getting a grunt

54:40 Running SeatBelt

57:00 Running SharpHound

1:00:00 Finally uploading the bloodhound data

1:01:18 Running Bloodhound with all Collection Methods

1:05:15 Discovering the MRLKY can DCSYNC

1:07:25 Cannot kerberoast because of the Double Hop Problem, create token with MakeTok

1:12:30 Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc

1:14:40 Running WMIExec to get Administrator

1:22:00 UNINTENDED Method 1: Amanda can write to Clean.bat

1:24:30 UNINTENDED Method 2: Forensic artifacts leave MRKLY Hash in C:\windows\system3

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Sizzle

Chapters (36)

Playlist

Lesson complete!