HackTheBox - Authority
00:00 - Introduction
00:58 - Start of nmap
03:30 - Taking a look at the website
05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything
08:00 - Exploring the Ansible Playbooks in the Development Share to discover encrypted passwords (ansible vault)
10:00 - Converting the Ansible Vault Hashes to John/Hashcat format so we can crack them
13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)
19:50 - Adding a rogue ldap server into the PWM Config, then clicking test config will send us the password for the ldap account
27:00 - Running Certipy to find the server is vulnerable to ESC1; we just need to enroll a computer
28:00 - Using NetExec to show the MachineAccountQuota, confirming we can enroll machines
29:00 - Using Impacket to add a rogue computer
30:00 - Using Certipy to perform the ESC1 attack; it works, but smart card login isn't enabled so we can't log in right away.
33:30 - Looking at the error message, finding we can PassTheCert to LDAP, which will then let us get admin
37:15 - Using PassTheCert to add ourselves to the Domain Administrator group
39:25 - Showing PassTheCert's set_rbcd, which gives our rogue computer the ability to impersonate the administrator over Kerberos
Comments: 23
Awesome video :)
You could actually add a property to store passwords in clear text in config file and save it. The next time you download the config you get it in clear text. You could then winrm to server using those creds. Cool alternate way.
@10:18 - I really wish I'd known about this before I spent so much time trying to manually edit these to a supported format... It's always a combination of awesome and humiliating going through and watching boxes I've already done, but I always learn something, so thanks for the walkthroughs. After watching the whole video, and not just the part that new users should be learning, I feel even dumber, but it's motivating me to improve myself.
Awesome box! I realized that I know nothing about Windows machines along with the "final goal" an attacker may have in this kind of CTFs. Is there any resource to start learning? I mean, I have no idea why ippsec did that sequence of steps starting from 37:16
If you hate copying out of vim, you can use the set mouse= option to make it stop going into visual mode when selecting something with a mouse
Great demo as always! Would a golden ticket also work here? Wasn't able to do it in a test lab and wonder if it's know-how related or simply not possible because of a fully patched DC
@ippsec
6 months ago
Golden ticket is not patched. You would be able to do it with the KRBTGT you get after set_rbcd. I don't think you can get KRBTGT prior to doing a secretsdump in this scenario.
the certipy -ad is giving me an error
Thanks for
Push!
Bro, can you make the font size bigger or zoom in for the whole video? For me it's hard to read that text.
When running the certipy command to get my cert, I get an error "DCE RPC fault status code: 00000721". Anybody know how to fix that?
@AUBCodeII
5 months ago
I believe there's a service regularly deleting the computers created on the domain, similar to a cron job on Linux, just to avoid having to reset the machine every time 10 computers are created on the domain. I created the computer and immediately ran certipy to get the certificate and it worked
@lilnice5187
5 months ago
@@AUBCodeII yup worked for me as well
missing your videos bro :(
@ippsec
6 months ago
Videos still happen weekly, not sure what you mean.
@AUBCodeII
6 months ago
@@ippsec maybe he means the extra videos that you occasionally drop
Add To Playlist Please 😊
class Ipp():
    def __init__(self):
        self.name = 'IppSec'
        self.age = 'More than 0 but less than 100'
        self.likes = ['Hack The Box', 'SpongeBob Squarepants', 'The Eric Andre Show', 'South Park', 'Grand Theft Auto VI', 'Alice In Chains - Frogs', 'Pepe The Frog', 'Marty Friedman']

    def backdoor(self, cmd: list):
        return subprocess.check_output(cmd)

    def think(self):
        return 'Let\'s see...'

    def solve_problem(self):
        return 'There we go.'

    def ask_for_subscribers(self):
        return 'Please subscribe.'

    def greet(self, box):
        return f'What\'s going on KZread, this is {self.name} and we\'re doing {box} from Hack The Box.'

    def say_goodbye(self):
        return f'Hope you guys enjoyed the video, take care, and I will see you all next time.'
@TidyDawg
6 months ago
Traceback (most recent call last):
  File "your_script.py", line X, in <module>
    class Ipp():
  File "your_script.py", line Y, in Ipp
    return subprocess.check_output(cmd)
NameError: name 'subprocess' is not defined
@AUBCodeII
6 months ago
@@TidyDawg you gotta import the subprocess library bro
@TidyDawg
6 months ago
@@AUBCodeII yup, I typed out the error because I have no life
@AUBCodeII
6 months ago
@@TidyDawg lol neither do I