HackTheBox - Tombwatcher

Name: HackTheBox - Tombwatcher
Uploaded: 2025-10-11T15:01:30Z
Channel: IppSec
Description: 00:00 - Introduction 00:45 - Start of nmap 03:50 - Running RustHound with the credentials we were given 06:40 - Clicking outbound control a few times fr...

IppSec · Beginner ·🤖 AI Agents & Automation ·5mo ago

00:00 - Introduction 00:45 - Start of nmap 03:50 - Running RustHound with the credentials we were given 06:40 - Clicking outbound control a few times from Henry to see an obvious (but long) attack path 09:30 - Using BloodyAD to perform the Targeted Kerberoast attack 13:20 - Using BloodyAD to add ourself to a group then NetExec to reaed GMSA Passwords 15:50 - Using BloodyAD to change the password of a user and then use Certipy to create a Shadow Credential for the next user 19:30 - Looking at certificates in Bloodhound and Certipy to see one certificate has a SID under Enrollers 21:30 - Using p…

Watch on YouTube ↗ (saves to browser)

Chapters (12)

Introduction

0:45 Start of nmap

3:50 Running RustHound with the credentials we were given

6:40 Clicking outbound control a few times from Henry to see an obvious (but long)

9:30 Using BloodyAD to perform the Targeted Kerberoast attack

13:20 Using BloodyAD to add ourself to a group then NetExec to reaed GMSA Passwords

15:50 Using BloodyAD to change the password of a user and then use Certipy to create

19:30 Looking at certificates in Bloodhound and Certipy to see one certificate has a

21:30 Using powershell to show and restore deleted objects

25:15 Running Certipy with Cert_Admin to see it is vulnerable to ESC15

32:55 Performing ESC15 by generating a certificate with Certificate Request Agent pr

35:20 Beyond Root: Fixing the CA_MD_TOO_WEAK error by creating a new OpenSSL Config

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →