HackTheBox - Search
Published 16 Jun 2024
00:00 - Intro
00:53 - Start of nmap
05:45 - Using Kerbrute to identify valid users
09:40 - Finding credentials for Hope.Sharp in an image on the website
10:40 - Showing Kerbrute password spray silently fails when time is out of sync
13:00 - Having trouble running the Python Bloodhound ingestor, a digestmod error
15:50 - Giving up on fixing my environment, creating a Python virtual environment to run this script
18:00 - Uploading data to Bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPN and cracking the hash
23:20 - Parsing the raw Bloodhound data with JQ and dumping all the valid usernames
25:20 - Using JQ select to show only the users that are enabled, its SQL-like syntax
28:50 - Running a password spray with Kerbrute to find edgar.jacobs has the same credentials as Web_SVC
33:25 - Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys)
36:00 - Using SMBClient to download files, getting an Excel document that has a protected row, modifying the document to remove the password and getting more passwords
40:00 - Using CME to run a large password spray guessing a single specific password for each user with the no-bruteforce flag
41:25 - Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset the password of an administrator
43:00 - Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John
49:10 - Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a PowerShell web console
57:20 - Gaining a PowerShell web console, flailing around a little bit trying to read the GMSA password
59:43 - Using Get-ADServiceAccount to read information about the GMSA account and get the password
1:03:00 - Running commands as the GMSA user with PowerShell and Invoke-Command to reset Tristan.Davies' password... We could have psexec'd after this but I decided to do it the hard way.
1:08:00 - Getting a Nishang reverse shell, thought this would be easy but there's quite a bit of AV evasion we have to do
1:14:40 - Getting rid of some of the reverse shell output allows Nishang to bypass AV
1:20:25 - Using John to crack the PFX file, I forgot to use pfx2john prior.
It's just insane how much I have learned from this box and from all of your videos. Thank you so much ippsec for doing this.
extremely good and great video, I enjoyed watching it. Keep up the great work man.
Awesome as always. Thank you for this content Ipp!!
Man, I really need to thank you, ippsec, for your awesome videos; these videos really help me prepare for the OSCP exam. Thanks a lot 👍
Man, I literally had headaches while doing this jq stuff when actually it's very easy lol, nicely done ippsec...
It really does require much time and mental health to own those machines, I see
This box is excellent! Showcases real-world attack path tactics used by a lot of ransomware threat actors before they drop. A lot of learning opportunities for both offensive and defensive
I like how ippsec tests things live, and they don't go the way that he expected. Makes me giggle every time. But I believe in you more than in myself.
I was just learning about AD exploitation, what a coincidence. Thanks ippsec
that giggle at 25:03 though :3
Nice, and I learned a lot from this video. Thanks
The TGS that you got from Kerberoasting is encrypted using RC4 here, which is the default for user/trust accounts. Not 3DES. It can also be manually set to AES128 or AES256 (default for comp accounts) via the msDS-SupportedEncryptionTypes attribute. You can always request RC4 though (unless disabled domain wise) even if AES Etypes are configured for the account, although it may trigger encryption downgrade detection. RC4 is obviously preferable as it's much easier to crack. Good opsec to always check msDS-SupportedEncryptionTypes first though before requesting the TGS.
Nice rundown.
Ok, so I put a box like the Kracken on our student network. Decided to call it Phoenix. Why? --> Because it makes passwords rise from the hashes! --Thought it would be worth sharing. Love your work IppSec!
Thanks Dude, You're Awesome :D
Thank you
Gem
49:09 You have to run pfx2john on the file
Thank you ippsec, you are the best mentor & tutor in security field 🤓
Like ❤ before watching 😅
Best notification for today
Man, AD is such a complex thing. Watching this taught me a lot. Any more tips when you're new to AD and AD exploitation in general?
you are hero 🚀
The time difference in the Kerberos stuff probably only kicks in when you run some util which uses the date/time to validate against KDC or TGS. kinit for example...maybe querying for user names doesn't count...
2 mins later :-)
It was a great walkthrough writeup video as always. But is it just me or has your voice really changed? lol
❤❤❤❤❤
Where the hell is my Notion note
Hi, I've been watching your videos for a while and have a question - is port 9001 for a reverse shell something special? Maybe special for you? Maybe there is some history behind this number? I mean, I know you can use literally any port, but you are nearly always using 9001, so I'm curious
Just the over 9000 meme.
@ippsec lol. Thanks for the answer!
I didn't make this box, but wtf is this foothold?! Did someone really find this without a hint??? I mean, I will never look and zoom in on random website photos!!!
How come Bloodhound showed that KRBTGT was kerberoastable, but the impacket script did not retrieve its hash?
Krbtgt account is weird, if you look it’s actually disabled but it is still used to sign Kerberos things. However, it wasn’t pulled because it’s disabled
@ippsec So kerberoasting only works on enabled accounts, got it. Thanks!
@Jake-nh4ek Also, you're going to have a hard time cracking a krbtgt hash generally, as they're set by machines, not humans. However, I did read an article about it a while back from a tester who found out that the company had changed their krbtgt password! Not sure it's possible anymore, but it made me laugh.
There is no point retrieving the krbtgt hash, because it is always a very long randomly generated password. Even if you change it to a simple password, it will have a long complex password eventually.
I found a tool called silenthound to do some of the stuff you were doing with LDAP
Are you god
The password in the image tripped me up for a long while. Very annoying.
Tripped me up for hours !!!
Hey, your voice changed from Apr 26 -> 27 🤔🤐
Time of day probably.
Unzipping, editing and zipping the xlsx spreadsheet? Wow, I should call you Harry because you are a wizard
Seriously, there was a password in a random image on the site?
aghahhahahaha how embarrassing
I got the usernames in a different way. After having the first set of creds, I used them to query the domain users with rpcclient. Dropping this just in case anyone searches through comments for techniques just like me.
I struggled with the AV bypass too, ended up just pwning BIR-ADFS-GMSA$ over the web console and forcing Tristan.Davies' password change too, and cme to get RCE.
AV was also fighting me on running SharpHound too, but I didn't feel like messing with AV bypassing, so I found a newer SharpHound and it worked :P