HackTheBox - Support

00:00 - Intro 01:05 - Start of nmap 02:20 - Running CrackMapExec to enumerate open file share and downloading a custom DotNet Executable 05:00 - Showing that we can run DotNet programs on our linux machine (will show how I configured this at the end of the video) 06:00 - Using Wireshark to examine DNS Requests when running this application 06:50 - Using Wireshark to examine the LDAP Connection and discover credentials being send in cleratext 10:00 - Using the credentials from the program to run the Python Bloodhound Ingestor 12:45 - Playing around in Bloodhound 16:10 - Discovering the Shared Support Account has GenericAll against the DC 18:50 - Doing a LDAP Search to dump all information and finding a password stored in the Info field of Active Directory 21:50 - Examining what the Support user can do, showing the importance of looking at Outbound Object Control option in bloodhound 22:20 - Explaining how to abuse GenericAll to the Computer object 26:00 - Downloading dependencies 31:00 - Starting the attack, checking that we can join machines to the domain 31:30 - Starting the attack Creating a machine account, had some issues will redo everything later 40:30 - Redoing the attack, copying commands verbatim from Bloodhound 44:30 - Copying the ticket to our machine and then converting it from KIRBI to CCNAME format and using PSEXEC 51:50 - Extracting the LDAP Password through static analysis 55:00 - Installing DotNet on a linux machine