HackTheBox - Monteverde скачать в хорошем качестве

HackTheBox - Monteverde

00:00 - Into 00:54 - Begin of recon 03:36 - Using rpcclient with null authentication and dumping active directory users 06:26 - Building a password list with hashcat --stdout (Forest Video does it better) 08:41 - CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials 12:06 - Using SMBMap to list contents of directories 16:20 - Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell 19:50 - Downloading and running Seatbelt on the server 25:20 - Running WinPEAS for a second opinion 27:45 - Talking about the Azure Admins group 28:55 - Playing with SQLCMD to view the MSSQL Database 30:45 - Downloading and running PowerUpSQL to see if there's any obvious escalation paths 37:00 - Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 hash (I should of noticed its the machine account due to username ending with a $, these are pretty much never crackable) 39:45 - Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers" 43:00 - Running through the commands with SQLCMD to understand what is going on 48:20 - Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on us 49:10 - Stepping through the script to see where it is failing 51:25 - Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script 55:40 - Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box 58:30 - Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on 1:03:50 - Dumping the DNS Zone for MEGABANK.LOCAL via powershell