HackTheBox - University

00:00 - Introduction 01:00 - Start of nmap 04:00 - Looking at the website, discovering it is Django 11:25 - Exporting a profile, discovering it is using ReportLabs and xhtml2pdf 12:30 - Confirming RCE in Report Labs with ping, then getting a reverse shell 24:00 - Shell on the box, downloading the db, ca, and finding a password 33:00 - Running Rusthound and then looking into bloodhound 38:00 - Discovering other machines, getting the IP Addresses via DNS and/or powershell. Then setting up Chisel 54:50 - Testing our WAO Credential against the windows and linux machine, discovering we get on both. Can skip to MITM6/NTLMRELAYX if we want from here 01:00:30 - Signing our own certificate with the CA we downloaded earlier, then logging in with Nya. Then creating a malicious shortcut and using GPG to sign it 01:15:30 - Shell as Martin 01:21:40 - Showing a good GuidePoint article on Kerberos Delegation 01:22:55 - Using mitm6 and ntlmrelayx on the linux host to hijack a wpad request and own the WS-3 account 01:29:15 - Using getST to give ourselves administrator access to WS-3 then running Rubeus to extract TGT's, find Rose.L can read GMSA Passwords 01:38:45 - Using Rose.L's ticket to read GMSA password, then using that account to impersonate administrator on the domain