HackTheBox – Absolute




00:00 – Intro
01:00 – Start of nmap discovering Active Directory (AD)
04:15 – Using wget to mirror the website, then a find command with exec to run exiftool and extract all user names in metadata
06:45 – Using Username Anarchy to build a wordlist of users from our dump and then Kerbrute to enumerate valid ones
13:55 – Building Kerbrute from source to get the latest feature of auto ASREP Roasting
16:20 – Kerbrute pulled the wrong type of hash, using the downgrade to pull etype 18 of the hash
21:30 – Running Bloodhound with D.Klay, using Kerberos authentication
24:50 – Going over the bloodhound data and finding some attack paths
31:13 – Manually parsing the Bloodhound with JQ to show descriptions for all users and finding the SVC_SMB password in the Description
34:45 – EDIT: Don’t want to use Bloodhound? Showing LdapSearch with Kerberos, and why the FQDN has to be first in the /etc/hosts file
40:30 – End of edit: Using SMBClient with SVC_SMB and Kerberos to download files
46:22 – Sharing my internet connection from Linux to Windows, so I can run test.exe on Windows
53:45 – Running test.exe and getting m.lovegod’s password from LDAP
56:30 – Going back to Bloodhound, and now we can perform the attack of adding a member to a group then creating shadow credentials for winrm_user
57:30 – Pulling a version of Impacket that has DACLEDIT and building it
1:01:00 – Running DaclEdit to give m.lovegod permission to add users to a group and then net rpc to add him
1:08:20 – Running Certipy to add shadow credentials to winrm_user so we can log in
1:12:00 – Using WinRM to log in to the box with our shadow credential
1:15:30 – Start of fumbling around with KRBRelay to privesc
1:18:40 – Using RunasCS to change our LoginType which may allow us to run KRBRelay
1:27:40 – Pulling the CLSID of TrustedInstaller which works and allows us to add ourselves to the administrator group
