HackTheBox - Sauna

70,501 views

IppSec

1 day ago

00:00 - Intro
01:05 - Running Nmap
02:07 - Poking at SMB with CrackMapExec, SMBMap, and RPCClient to get nothing
04:15 - Checking out the web page
06:00 - Playing with user input in the website and getting an error "HTTP VERB used is not allowed"
08:20 - Copying names from the website
10:50 - Using some VIM/VI Magic (macro) to convert names into potential usernames
12:40 - Identifying valid usernames by using KerBrute which can enumerate valid usernames
16:00 - Running some Impacket scripts and performing an ASREP Roast to extract password hash from Active Directory
18:20 - Running GetNPUsers to get the hash for a user and then using hashcat to crack ASREP$23
20:50 - Seeing a RICOH printer share, pulling EXIF data off website to get an idea if it may be exploitable
23:10 - Using Evil-WinRM to log into the box with FSMITH and run WinPEAS to get saved credentials
29:00 - Running BloodHound
34:25 - Identifying that svc_loanmgr can perform a DCSYNC
35:40 - Running SecretsDump with svc_loanmgr to perform a DCSYNC
37:45 - Performing a Pass The Hash with the administrator user using PSExec
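The name-to-username step at 08:20 to 12:40 (copy the staff names off the site, turn each one into the logon formats an AD admin might have picked, then confirm which ones exist with Kerbrute) done in Python instead of a vim macro. This is an added example, not IppSec's macro or any tool shown in the video; the names in it are constructed sample input, not the names from the box's website, and the username formats are the usual AD conventions, of which the first-initial-plus-surname form is the one that matched FSMITH here.

```python
#!/usr/bin/env python3
"""Turn a list of employee names into Active Directory username candidates.

Added example (not the vim macro from the video): the same transformation done
in Python so the candidate list can be fed to `kerbrute userenum`. The names
below are constructed sample input, not names taken from the Sauna website.
"""
import re

# Constructed sample input: the kind of "First Last" lines you copy off an
# "About us" / "Meet the team" page, including the awkward cases.
SAMPLE_NAMES = [
    "Alice Example",
    "Bob van der Berg",      # multi-word surname
    "Carol Ann Jones",       # middle name
    "Dan O'Neil",            # punctuation that logons never carry
    "  Eve   Smith  ",       # stray whitespace from copy/paste
    "Mallory",               # single token: no surname
]


def _clean(token):
    """Lower-case one name part and drop anything that is not [a-z0-9]."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def candidates(full_name):
    """Return ordered, deduplicated username guesses for one name.

    Formats, using 'Alice Example' as the illustration:
      aexample, alice.example, alicee, a.example, alice_example,
      examplea, example.alice, alice, example
    For multi-word surnames the last word and the joined surname are both tried.
    """
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return [parts[0]]
    first, last = parts[0], parts[-1]
    joined_last = "".join(parts[1:])    # "van der Berg" -> "vanderberg"
    guesses = []
    for ln in (last, joined_last):
        guesses += [
            first[0] + ln,          # flast   (the format that hit on this box)
            f"{first}.{ln}",        # first.last
            first + ln[0],          # firstl
            f"{first[0]}.{ln}",     # f.last
            f"{first}_{ln}",        # first_last
            ln + first[0],          # lastf
            f"{ln}.{first}",        # last.first
            first,
            ln,
        ]
    # Keep first-seen order; drops the repeats when last == joined_last.
    return list(dict.fromkeys(guesses))


def build_wordlist(names):
    """Candidates for every name, deduplicated across the whole list."""
    out = []
    for name in names:
        out += candidates(name)
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    # One guess per line, ready for:
    #   python3 gen_users.py > users.txt
    #   kerbrute userenum -d <domain> --dc <dc-ip> users.txt
    print("\n".join(build_wordlist(SAMPLE_NAMES)))
```

Kerbrute tells valid and invalid names apart from the KDC's error code without ever locking an account, so a few hundred guesses per employee is cheap; the candidates that come back valid are the ones worth handing to GetNPUsers in the next step.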

Comments: 84
@ExploitSecurity 3 years ago
Huge fan. I'm an Army veteran now in InfoSec and studying towards PenTesting. Watching your speed and efficiency is mesmerizing.
@yannickpeter8607 3 years ago
That vim magic was sweet! Gonna give me wet dreams tonight
@marlonmonge10 3 years ago
Yeah very impressive. I definitely need to learn how to use vim
@yunietpiloto4425 3 years ago
This channel is so underrated...damn, another awesome video man...keep the knowledge flowing :)
@patthetech 3 years ago
hashcat + multiple nvidia + rockyou is a deadly combo.
@MichaelJohnson-br7zz 1 year ago
Really great to see how the pieces come together. Very interesting video to watch. Thank you IppSec
@AnlStarDestroyer 3 years ago
Your walkthroughs have really helped me out. I’ve been trying to do more CTFs and I’ve yet to finish one without some form of a hint and I feel so dumb every time I watch you fly through these lol. Only way to learn is to fail though I suppose
@IND_Abhi 3 years ago
Face reveal on 100k, let's go
@satryamahardhika522 2 years ago
Always enjoy seeing Ippsec videos! One of the most interesting parts for me is the Vim Magic part! It's absolutely cool! Also, this box is on the AD 101 path on HTB, good to prepare for the new format of the OSCP exam (with AD machines included)
@mustafaismail5773 3 years ago
Whenever I see how professionals like you use their tricks it motivates me, but how do you ever get that good with all this information? That's the trick. BTW, it was a piece of art how you solved this box
@mehdiboujid8761 3 years ago
Here to enjoy another ippsec video
@Deaple 3 years ago
Hey ippsec, do you only use this kracken machine for CTFs like HTB, or in real-world pentests too? Also, is it a GPU-based machine at some cloud provider like Amazon/GC/Azure?
@lazarvukasinovic4878 3 years ago
When firefox detects a potential virus in a download you can simply right click on the file and select "Allow Download"
@omaroobaniessa1821 3 years ago
I hope you're gonna reach 100k by the next week
@user-xv9wv8ef3n 5 months ago
Amazing guide, thank you. Is there a specific reason psexec is used at the end to pass the hash for the administrator user? Can evil-winrm be used to perform the same thing? ie get shell access to the administrator user. Just trying to understand everything and the tools used for different use cases. Cheers !
@westernvibes1267 3 years ago
GetNPUsers does the ASREPRoast thing; GetUserSPNs is Kerberoasting: it requests service tickets for accounts (usually service accounts) that have an SPN set. There's actually no good reason when to run the GetNPUsers script, because we usually don't have enough privilege before an initial foothold to see which users have the "do not require Kerberos pre-auth" option enabled (this is not practical in the real world, as a sysadmin would never do it), so in CTFs, if you have a list of usernames and password spraying didn't work, always give it a try. GetUserSPNs usually works with service accounts; it's more of a post-exploitation script.
3 years ago
Love it !!
@yusufanything 3 years ago
hahahaha man that VIM magic was so good that I started laughing! Will I ever get this good?
@alexzander5948 3 years ago
Are you doing this box without any prep-work?
@TheMoogleee 3 years ago
Would love to see more condensed videos, thank you
@derickneriamparambil3371 3 years ago
Vim magic 💥👌
@radekslany1840 3 years ago
Another great video, great job. Can you, in the next video, show at the end how you would write a report for that box? Or make a video about reporting for OSCP (what to put in, what not to put in, etc.)?
@swift87100 3 years ago
That was neat!!
@Ms.Robot. 3 years ago
Very good show! ❤💗💋
@aminhatami3928 3 years ago
Thank you so much 💟
@dayton3375 1 year ago
At this point I just added the impacket directory to the terminal's path since it's nice to just type the name of the python script without having to locate that path every time.
@elchurro250_4 3 years ago
What desktop environment is that, or have you customised it?
@alexikeravnos 3 years ago
I think that's ParrotOS
@akmalsodikov5110 3 years ago
Amazing, thanks for your work. If it's possible, can you make a Windows machine series? ))
@lethian1 3 years ago
Admin password in a script under sysvol\policies not likely?
@cxdva8635 1 year ago
winpeas can't find autologon anymore; I was stuck at the privilege escalation part and watched this video. Maybe I should also manually check everything from now on...
@salluc1712 3 years ago
Where did you find Ricoh?
@pauliehorgan 3 years ago
This should be added to the OSCP-like boxes
@blackthorne-rose 8 months ago
So if "nmap scans the most common 1000 ports for each protocol by default"... does that mean, say, the range for TCP would exclude ports specified for other protocols and therefore exceed the first 1000? My scan didn't bring up 3268, but yours did. Same flags.
@ippsec 8 months ago
I am not positive. I would try reverting the machine and trying again. I believe 3268 is LDAP over SSL, which requires a certificate. This is a very old machine so it is possible the certificate expired and then the service which listens on 3268 no longer launches. You could verify this by using like nc -zv 3268 and seeing if it says open.
@blackthorne-rose 8 months ago
Thanks! I'll catch up soon... lol... coming in around the "umpteen-thousandth" person to pwn these old machines... my goal is to work through all of your lists, starting with the easy playlists and working up. But yeah - my question related more to what "top 1000" means... will look it up - pls don't take any more time with this. Do you have your own Discord server? Because I'd rather be hitting up your "community" with questions than you personally - I know you're busy. @ippsec
@blackthorne-rose 8 months ago
@ippsec O.K., I understand - I was right about the meaning of "top 1000" - I will check out your suggestion though. I know there are other ways to enum the port directly.
@blackthorne-rose 8 months ago
Don't see what about your nmap scan config reveals ports outside of the first 1000 range... no "scan all ports" there... ???
@allurbase 3 years ago
You can add -B 2 to your ./hashcat --example-hashes | grep asrep to get the mode printed right there. Also I think you skipped showing how you got from the user called svc_loanmanager to it being called svc_loanmgr, that was a weird one.
@ziaratorres1988 1 year ago
yeah that part confused me 🤔
@kam7621 1 month ago
This part looked like bullshit to me as well. The most legit way of doing that would be listing users with net user /domain and dir C:\Users; in the results there is svc_loanmgr, so it could ring a bell because it's similar to svc_loanmanager.
@as-kw8dt 3 years ago
Can you share a step by step of the macro in vim?
@GuiltySpark 3 years ago
Why did your VIM have + for space and $ for end of line? That threw me off.
@ML-dt2xe 3 years ago
I think it's the Parrot OS version of vim rather than the Kali one
@s23roy 3 years ago
vim in Parrot OS is actually an alias for neovim, which is basically a fork of vim and will have a different default look
@GuiltySpark 3 years ago
@s23roy Thank you for the knowledge. I wish dev people made things look the same, but oh well, it must have been easier or cooler to build it that way
@MrTalhaarshad 3 years ago
You don't forget to mention 0xdf :D He is an expert as well.
@jaysiddik 3 years ago
Ippsec, make a video about the Parrot OS setup! Could be helpful for many beginners
@claudehaddad9723 3 years ago
"If I can type" ☺️☺️
@LORDJPXX3 1 year ago
Frigging Kerbrute dumps the hash in a $18$ format that Hashcat can't handle.
@akshaykhandhadia187 3 years ago
How do I customise the terminal and add the IP address and pwd like the shell ippsec has?
@uzair558 3 years ago
ZSH shell
@akshaykhandhadia187 3 years ago
@uzair558 I will give that a try! Thanks!
@akshaykhandhadia187 3 years ago
@uzair558 I don't want to change the shell theme... I just want to add the IP address like this... when I edited the .bashrc file, I was not able to change it to what I require. Can you help me with the .bashrc file?
@lazarep1 3 years ago
why did you switch to parrot?
@taba1950 3 years ago
He replied to this before; if I recall correctly, he had issues with his Kali installation, plus Parrot is the official OS for Hack The Box
@TheSurvivor4 3 years ago
Why was it that we had the password in plaintext for SVC_loanmanager? I understand the credentials were saved, but why and where? Great video by the way, thanks a lot!
@kegnsec 3 years ago
They're stored in the registry. If you wanted to get them without winpeas, you can grab them with 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" '.
@Naveenkumar-pr2fe 3 years ago
@TheSurvivor4 Those credentials are stored by an autologon mechanism. Instead of the user entering their name and password every time at the login prompt, the autologin mechanism makes it easy by grabbing the creds from the registry and letting you in, so there is no need to enter name and password each and every time. The password is in plaintext because the author of the machine wants us to know that storing a password with the default config is a security risk, and it's the way to get onto the svc_loanmgr user
@TheSurvivor4 3 years ago
Thank you both very much for the explanation. Greatly appreciated. Is there a way to secure a system and still use the auto-login functionality without having to use the plain-text approach?
@diegosps 3 years ago
@@TheSurvivor4 Important The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer's contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
@TheSurvivor4 3 years ago
@@diegosps Thanks a lot!
@cybersec0x009 3 years ago
I just can't get myself to learn more about vim...
@abdiwahabahmedomar2399 3 years ago
hey ippsec, I think you're using the hackthebox theme; if yes { give me that theme } else { thank u }
@teachd.marshal1066 3 years ago
Can you please share your bashrc?
@franciscomoreno1742 3 years ago
Can you help me with this problem? It happens when I enter the hackthebox machines: after setting term=xterm and shell=bash, I assign the corresponding rows and columns, but nano is misconfigured. ibb.co/HhwrL4w
@stefantobler 3 years ago
This box was handing it to me
@b3twiise853 3 years ago
Feel the heat!
@arshiyakhan6789 3 years ago
Try vulnhub hard boxes now
@ETTANSTALKKERISINCE20108 3 years ago
Sauna is finland and I sauna tuen is friday klo 6-7
@Evan-tt5kk 1 year ago
Pronunciation is Sawuuuna, not Sana. Sana is wrong lol 😆
@viorage2293 3 years ago
If you forget Bloodhound password: rm /usr/share/neo4j/data/dbms/auth then run: neo4j console and create a new one.
@netbin 3 years ago
ego testicle xD
@roadtocodex1961 3 years ago
Please Sir, I want your heart, plz, it will be so so valuable to me. I am your true true fan, I always watch your videos before I sleep even if I don't understand much of the stuff, but one day I will. Plz answer: when did you start in hacking, and a few steps for beginners to take at first?
@markgentry8675 3 years ago
LOL that sounds creepy
@roadtocodex1961 3 years ago
@markgentry8675 By your heart I mean love my comment, btw. After reading it one more time, this is fuckin creepy :D
@hasnahasna4220 3 years ago
Marry me
@BiepaBiepa 2 years ago
For others trying to run the ldapsearch command, which seems to have changed in the meantime. Now working: ldapsearch -x -H ldap:// -s base namingcontexts
@enesozdemir9973 2 years ago
If you keep forgetting the password of neo4j, you can also disable authentication: # /etc/neo4j/neo4j.conf dbms.security.auth_enabled=false
@securiti 1 year ago
Hi, I wonder how he got from user 'svc_loanmanager' to 'svc_loanmgr'?