HackTheBox - Multimaster скачать в хорошем качестве

HackTheBox - Multimaster

00:00 - Intro 01:00 - Begin of nmap, going over what videos show KRB/LDAP/SMB enumeration 04:30 - Checking out the web page, finding an API that allows us to search employees 08:45 - Extracting usernames from the database using the above API 11:45 - Using wfuzz to fuzz this endpoing and discover there's a WAF that blocks us on BruteFoce and special characters 18:15 - Sending wfuzz to burpsuite so we can see why the page is giving us an HTTP 415 (hint: Its content-type!) 21:00 - Using unicode to bypass the bad character list, then launching a super slow SQLMap that never finishes 25:30 - While SQLMap runs, lets manually exploit this 28:15 - Found a union injection! Start of creating a Python Script, tons of issues around getting Request to send unicode 35:30 - Basic script is done, we can now send unicode data via python - Then convert to use the Cmd Module 41:00 - CmdLoop done, we can now send raw queries to the database. Lets make an option to do union injection 44:10 - Script now makes it easy to run UNION Commands and get the output, running through some basic MSSQL Injection to get data from the server 47:15 - Extracting database information (Table Names) 51:30 - Extracting Usernames and hashes from the Logins table, then cracking the passwords 01:01:15 - Performing a RID BruteForce via MS-SQL, getting and explaining the SID of Administrator. Then adding BruteForcing to our script 1:18:25 - Bruteforcing RID's to discover more usernames 1:23:08 - Using Evil-WinRM to get a shell as Tushikikatomo, then running WinPEAS and BloodHound to enumerate Active Directory 1:39:00 - Resetting the Neo4j Password Bloodhound uses by deleting auth dbms file 1:45:45 - Discovering a VS Code is running, and some random ports keep opening up. Debug ports? Downloading CEFDebug then running 1:53:34 - Testing CEF exploit with ping, then create a powershell cradle. Edit Nishang to bypass AMSI 1:58:10 - Shell returned as CYORK 2:01:00 - Discover a DLL in the web directory, run strings against it and discover a new password 2:03:30 - Updating bloodhound to see if we gained any new paths with the new compromised user (SBAUER) and we have GenericWrite to user 2:06:30 - Using SBAUER to enable DoesNotRequirePreAuth, so we can obtain a password hash (asrep 23) and crack it 2:12:30 - Shell as Jorden and we can edit services! Use SC to replace the binpath with a reverse shell and get root! 2:18:25 - ALTERNATE METHOD: Using ZeroLogon/ZeroLogin CVE-2020-1472... Failing to use impacket correctly 2:23:15 - Reverting my box, doing impacket the correct way (Installing in an Virtual Environment) 2:26:30 - Running the Zero Logon exploit to discover it worked! Running SecretsDump performs a DCSync and we can login as administrator... Rest of video is reverting what the exploit did to not leave a vulnerability! 2:30:50 - SecretsDump with the -history flag shows the previous passwords... Now how to set a machine account, and how to "pass the hash" when setting a password. 2:37:10 - Running mimikatz to see Defender deleted it, using MpCmdRunto delete all defender definitions. 2:38:45 - Defender bypassed mimikatz runs! 2:40:15 - Running mimikatz with lsadump::setntlm to restore the password