@10:18 - I really wish I'd known about this before I spent so much time trying to manually edit these to a supported format...
It's always a combination of awesome and humiliating going through and watching boxes I've already done, but I always learn something, so thanks for the walkthroughs.
After watching the whole video, and not just the part that new users should be learning, I feel even dumber, but it's motivating me to improve myself.
You could actually add a property to store passwords in clear text in config file and save it.
The next time you download the config you get it in clear text.
You could then winrm to server using those creds.
Cool alternate way.
Awesome box! I realized that I know nothing about Windows machines along with the "final goal" an attacker may have in this kind of CTF. Is there any resource to start learning? I mean, I have no idea why ippsec did that sequence of steps starting from 37:16.
If you hate copying out of vim, you can use the set mouse= option to make it stop going into visual mode when selecting something with a mouse
Awesome video :)
Great demo as always! Would a golden ticket also work here? Wasn't able to do it in a test lab and wonder if it's know-how related or simply not possible bc of a fully patched DC.
Golden ticket is not patched. You would be able to do it with the KRBTGT you get after set_rbcd. I don't think you can get KRBTGT prior to doing a secretsdump in this scenario.
the certipy -ad is giving me an error
When running the certipy command to get my cert, I get an error "DCE RPC fault status code: 00000721". Anybody know how to fix that?
I believe there's a service regularly deleting the computers created on the domain, similar to a cron job on Linux, just to avoid having to reset the machine every time 10 computers are created on the domain. I created the computer and immediately ran certipy to get the certificate and it worked
@AUBCodeII yup worked for me as well
Push!
missing your videos bro :(
Videos still happen weekly, not sure what you mean.
@ippsec maybe he means the extra videos that you occasionally drop
Add To Playlist Please 😊
class Ipp():
    def __init__(self):
        self.name = 'IppSec'
        self.age = 'More than 0 but less than 100'
        self.likes = ['Hack The Box', 'SpongeBob Squarepants', 'The Eric Andre Show', 'South Park', 'Grand Theft Auto VI', 'Alice In Chains - Frogs', 'Pepe The Frog', 'Marty Friedman']

    def backdoor(self, cmd: list):
        return subprocess.check_output(cmd)

    def think(self):
        return 'Let\'s see...'

    def solve_problem(self):
        return 'There we go.'

    def ask_for_subscribers(self):
        return 'Please subscribe.'

    def greet(self, box):
        return f'What\'s going on YouTube, this is {self.name} and we\'re doing {box} from Hack The Box.'

    def say_goodbye(self):
        return f'Hope you guys enjoyed the video, take care, and I will see you all next time.'
Traceback (most recent call last):
  File "your_script.py", line X, in <module>
    class Ipp():
  File "your_script.py", line Y, in Ipp
    return subprocess.check_output(cmd)
NameError: name 'subprocess' is not defined
@TidyDawg you gotta import the subprocess library bro
@AUBCodeII yup, I typed out the error because I have no life
@TidyDawg lol neither do I