HackTheBox - Vintage

00:00 - Introduction 01:05 - Start of nmap 05:20 - Running Bloodhound 07:55 - Bloodhound, Shortest Path to Tier 0 shows us two ADM users which can add themselves to Delegated Admins 09:45 - Dumping Password set time of users in bloodhound with JQ to see any passwords set at the same time 13:00 - Discovering the GMSA account, looking at it and discovering it can add themselves to ServiceManagers and that FS01 can ReadGMSAPassword 13:50 - FS01 is a member of the Pre Windows 2000 Compatible Access Group, which sets the password of the account to the hostname of the box 16:30 - NXC failed us, using bloodyAD to read the GMSA Password 18:50 - Opening up wireshark to look at why NXC Failed but BloodyAD Worked, quickly modifying NXC to fix the issue (it defaulted to ldaps when gmsa is used) 23:20 - Bloodhound, Looking at what ServiceManagers can do, it has GENERICALL to many service accounts, one is disabled. 25:40 - Using BloodyAD to re-enable the SVC_SQL account and then running TargetedKerberoast to dump hashes, also manually dump them with bloodyad and nxc by setting an spn 36:50 - Spraying the password from SVC_SQL with users of the domain, finding c.neri has the same password 40:30 - Using NXC to generate the KRB5 Config File, then using evil-winrm to login to the box 42:55 - Dumping the users encrypted credential blob and dpapi information, then manually decrypting with pypykatz 52:50 - Bloodhound, c.neri_adm can perform RBCD Attack to impersonate users of the domain 55:30 - Using BloodyAD to add FS01 to the DelegatedAdmin group, then getST to impersonate DC01 and perform secretsdump to get root 1:04:30 - Beyond Root: Exploring the Sensitive Flag in bloodhound to prevent the RBCD Attack 1:11:10 - Protected Users Group did stop it, but Bloodhound didn't set sensitive to true! Manually setting the protection via BloodyAD to validate bloodhound is identifying sensitive accounts