HackTheBox - PivotAPI скачать в хорошем качестве

HackTheBox - PivotAPI

00:00 - Intro 01:00 - Start of nmap, downloading files over FTP 05:25 - The contents of all the PDF's don't really help. Using exiftool to extract authors. 08:20 - Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat doesn't support. Use downgrade to generate ETYPE 23 and crack the hash 11:15 - Going into what ETPE Means 16:40 - Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugin to dump files 17:30 - Doing some JQ Magic navigate the Spider_Plus data 20:15 - Converting the Outlook Message Files (MSG) to plaintext with msgconvert 25:00 - Running Restart-Oracle.exe with Process Monitor to find out the process is writing to a TEMP Directory 27:00 - Removing delete permissions on the Windows Temp Directory, so the Restart-Oracle program can't delete the files out of temp, finding based64 and getting another EXE 32:00 - Running the extracted executable with Process Monitor to discover it loads dotnet 34:50 - METHOD 1: Opening the extracted executable in x64debug, setting it to break upon EXIT then examining its memory to find the dotnet executable 38:48 - METHOD 1: Opening the dotnet in DNSPY to discover the password 40:25 - METHOD 2: Using API MONITOR to examine the API Calls the program makes and finding the password (Sorry for audio glitches here, chrome did weird things) 47:41 - Fixing the permissions on our TEMP Directory with icacls so our user can delete files again 49:45 - Using CrackMapExec to dump a list of all users because the Oracle credentials we got from reversing did not work. 53:00 - Discovering the MSSQL User and changing oracles password scheme to fit MSSQL 55:25 - Downloading Alamot's MSSQL_Shell and getting a shell on the box (unintended way, do more with this at the end) 58:40 - Downloading and running MSSQL Proxy, which will let us create a SOCKS Proxy through the MSSQL Service 1:12:10 - Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a shell on the box, then downloading and cracking a Keypass Database 1:20:40 - Using SSH to get into the box, the trick here is telling our SSH Client to not use public key authentication 1:22:15 - Running Bloodhound.py to get Bloodhound data from Active Directory 1:27:20 - Examining bloodhound data to discover our user can reset passwords on several users, and showing Dr.Zaiuss can reset Superfume... Resetting each password to get to Superfume then downloading another exe out of developers 1:37:50 - Using DNSpy to edit the compiled dotnet program to print the password after it decrypts it 1:39:50 - Back to bloodhound with the new credential! Discovering Jari can reset Gibdeon who can add groups to LAPS 1:46:00 - Loading PowerView up in Evil-WinRM and Bypassing AMSI, then resetting Gibdeon's pw and adding him to groups 1:53:30 - Attempting to get the LAPS Password with Get-ADComputer and failing 1:55:20 - Using a Python Program to dump LAPS Password, then using PSExec to log into the box as administrador! 2:00:15 - Unintended method! Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg 2:07:20 - Copying the ticket and using TicketConverter to conver the ticket from KIRBI to CCACHE then setting KRB5CCNAME to the ticket and having impacket use the ticket 2:10:32 - Impacket doesn't work because of clock skew, it doesn't tell us the error, showing CrackMapExec will display the error 2:11:10 - Using NTPDate to sync our time to the AD Server, then running secretsdump