HackTheBox - Scrambled

31,366 views

IppSec

A day ago

00:00 - Intro
01:00 - Start of nmap
04:00 - Viewing the website and discovering NTLM is disabled
07:45 - Using Kerbrute to enumerate valid users and then password spray with username
10:15 - Bad analogy comparing how Kerberos works with TGT/TGS to movie theater tickets
11:00 - Using Impacket's GetTGT Script to get Ticket Granting Ticket as Ksimpson and exporting KRB5CCNAME so Impacket uses it
12:30 - Using GetUserSPNs to Kerberoast the DC with Kerberos authentication and cracking the hash to get SqlSVC's password
16:40 - Neither of the credentials we have can access MSSQL
18:15 - Creating a silver ticket to gain access to SQL
19:50 - Using GetPAC to get a Domain SID
20:30 - Showing getting Domain SID with LDAPSearch
24:00 - Creating the Silver Ticket with Impacket's Ticketer
26:30 - Showing that Impacket creates the ticket with a 10-year lifetime instead of 10 hours
27:40 - We now have MSSQL Access to the box, enabling xp_cmdshell and getting a reverse shell
30:00 - Using JuicyPotatoNG to escalate privileges because we have SeImpersonate Privilege
32:00 - Running the JuicyPotatoNG Exploit and getting a shell in the unintended way
34:00 - Enumerating the MSSQL Database and finding credentials
35:40 - Using Evil-WinRM to login with Kerberos Auth
39:40 - Accessing the box as MiscSvc and finding a dotnet Application
43:40 - Setting up our Linux host as a router so our Windows host can communicate with the HTB network through the Linux box
47:20 - Sniffing the traffic from the dotnet application and discovering it talks to port 4411
50:20 - Looking at debug logs and seeing a serialized object
52:40 - Using ysoserial.net to create a malicious base64 object that sends us a reverse shell
55:30 - Sending our payload and getting a reverse shell

Comments: 38

@ronorocky, 5 months ago
I would never have been able to solve this without help. It makes me realize how much there is to learn from the superb video and explanation; the tricks that you show give me goosebumps. Maybe by the end of this year I will be able to acquire this level of knowledge and skill set. Please keep making these videos.
@boogieman97, a year ago
The way you did this box was so clean and easy to understand, and it still touched every core concept that the maker brought in. Very well done!!
@zoes17, a year ago
smbclient also has the `--use-kerberos=required` switch. Not sure if that works with this box, but it's a thought I had. Also, it appears that kerbrute has a `--user-as-pass` switch under the passwordspray subcommand.
@vbscrub, a year ago
Glad you enjoyed my machine :) and yeah, I wish I could have disabled the xp_cmdshell thing, but because the SQL server thinks you're admin (that's the whole point of the silver ticket part, of course), it seemed like there was no way to stop people just re-enabling it.
@cookies4eva22, a year ago
One of your best vids imo. I usually just enjoy watching, but don't really learn much. This time I feel like I learned a lot, and also enjoyed it a lot more as a consequence. Keep it up!
@uaman11, 9 months ago
OK, I'm not the only one 😂
@madanybah8635, a year ago
Great explanation as always. We learn a lot each time, thanks a lot.
@umapessoa6051, a year ago
Awesome video as always, cheers from Brasil.
@Frenzaahh, a year ago
Learned a lot watching this video, thank you!!
@readysetexploit, a year ago
The NTLM Hash Generator site has a lowercase option built in, just to save you a step in the future. Thank you for the video!
@shepshep-hn6pw, 6 months ago
Thanks IppSec, learned so much. I very much appreciate the way you solve the box but then go back to explore the path the author intended; it shows so much respect. Also, awesome how that point... is when the doom music kicks in :D
@sand3epyadav, a year ago
I was waiting for Windows boxes, sir. Once again, thank you...
@snarfallymunchacen85, a year ago
Excellent lesson for me, thank you.
@armandkruger911, a year ago
It's called MDI now (Microsoft Defender for Identity). It hooks into the NIC and looks at all DC communication.
@garrettblackard2288, a year ago
What's crazy wild about this is the fact that Impacket got an update for -dc-host support specifically for this box. Check the issues and you see the box creator talking about how he wished this had been fixed months ago when he created the box.
@vbscrub, a year ago
Haha yeah, it took 6 months for the machine to be approved by HTB, so I really hoped they'd have fixed it by then. Looks like they have now, though. That "dc-host" option that IppSec used in the video didn't exist before.
@wutangdaug, a year ago
Hey IppSec. I wonder if there is any other way to support you since your Patreon has stopped. Do you prefer a KZfaq subscription or some other way?
@ippsec, a year ago
KZfaq subscription is the preferred method now.
@clarb027, a year ago
0days folder on the desktop, as you do...
@bruddaman32491, 10 months ago
I know that we get Admin because we specified the ID to be 500 in ticketer, but then why not just run a reverse shell executable with xp_cmdshell to get an Admin shell? Kind of confused as to how we go from Administrator to a low-priv user again. Love the vids!
@venomcrane, a year ago
How is your Pwnbox like this? The Pwnbox in HTB is different.
@y.vinitsky6452, a year ago
Maybe it's his box?
@garrettblackard2288, a year ago
Yeah, he did some modifications to the Pwnbox and runs it locally.
@garrettblackard2288, a year ago
Can't remember what vid he talks about that in.
@infoanime3759, a year ago
Thank you very much :))
@abdlerhmanmohamed438, a year ago
Yo bro, what operating system are you using? You are doing more than great. Can I get your Discord? I want to work with you. All the best.
@mounir7320, a year ago
Great box from VbScrub as always. Thanks IppSec for sharing your knowledge.
@david-sh2ty, a year ago
Haha, I'm with you there.
@tg7943, a year ago
Push!
@dusktime, a year ago
Thank you, if you can help after.
@NimbleSF, 6 months ago
Box was very awesome until the goofy privesc at the end. Not that code analysis and understanding the technologies and stuff isn't valuable, but man, it should have just kept the AD theme going.
@ffxx5565, a year ago
If you won't reset the password, call IppSec ;)
@vitorsilva3019, a year ago
First
@dusktime, a year ago
Why is it that when I create a ticket and then export KRB5CCNAME=Administrator.ccache and run klist, I get an error saying klist: krb5_cc_get_principal: refuses to open group/other readable files FILE:Administrator.ccahe
@spacenomad5484, a year ago
I won't ever play Windows boxes. There are about 5 quintillion paths to authenticate. Passwords sometimes stored in plain text, sometimes as hashes, sometimes encrypted. Domain users, machine users, SPNs, managed service accounts. 12 gorillion permissions on users, machines, services, AD objects... I used to laugh at "security by obscurity".
@Xx-nd1rs, 10 months ago
Lol, it's insane really.