HackTheBox - Cascade

Views: 33,140

IppSec


00:00 - Intro
00:50 - Start of nmap
02:45 - Enumerating RPC to identify usernames
04:45 - Setting up a bruteforce and creating a custom wordlist with hashcat
08:45 - Enumerating LDAP with LDAPSEARCH
10:55 - Discovering the cascadeLegacyPwd LDAP Attribute which has a password
12:45 - Using CrackMapExec to test the credential found in LDAP
14:30 - Installing the latest CrackMapExec to gain access to the Spider_Plus Module
17:30 - Using the spider_plus module of CME (CrackMapExec) to crawl the SMB Share as R.Thompson
20:10 - Mounting the SMB Share as R.Thompson in order to view the files in Data share
26:10 - Discovering the VNC Install.reg file which contains an encrypted password
30:10 - Using Metasploit IRB to decrypt TightVNC's password
32:30 - Using the VNC Password to gain a WinRM Session to Cascade as s.smith discovering he is in the Audit Group
37:20 - Using dnSpy to decompile the CascAudit .NET application
39:50 - Setting a breakpoint in dnSpy where the password is decrypted and viewing the variable after it decrypts the password
42:10 - Gaining a remote shell as ArkSvc to discover this user is in the AD Recycle Bin group
43:10 - Viewing deleted Active Directory items to see that TempAdmin has the cascadeLegacyPwd field and discovering this is the password for administrator

Comments: 91
@mehdiboujid8761 3 years ago
Santa: what's your wish? me: I want a dragon Santa: I can't me: ok give me ippsec's knowledge Santa: which color do you want for the dragon?
@UN5T48L3 3 years ago
Do not underestimate yourself. He is a human just like you and he learned all of this knowledge with hard work & patience. You can do it too! Peace!
@mehdiboujid8761 3 years ago
@UN5T48L3 u are my friend from now on
@aqeebhussain9032 3 years ago
@UN5T48L3 We need more people like you in this type of industry. Thank you for being a positive light.
@pswalia2u 3 years ago
His years of experience are clearly visible in these videos.
@TalsonHacks 2 years ago
@pswalia2u yup, he has more than 8 years of experience in IT in general.
@Ancientlaws 3 years ago
Watching you do this stuff is so cool. In my environment there are very few people who know or care about IT. It's inspiring to see someone like you work who's skilled at their craft. Hats off to you sir
@ananthulal8901 3 years ago
29:58 msfdb run .. that's the command.. I learned that from you.. thanks.. 😅👍🏻
@ryanjosephsacatanireganit7355 2 years ago
Thank you sir. I watch your videos daily and am using them to prepare for OSCP. Keep up the awesome work
@0xc0ffee_ 3 years ago
So he just debugged and fixed a crackmapexec version bug without googling... this guy is the type of dude posting answers on Stackoverflow o.o
@jonag97 3 years ago
lol
@bdorr17 3 years ago
I just wouldn't have used it, and it would have taken me 30 more minutes to figure out if at all... He moves around the box like it is nothing
@zigginzag584 3 years ago
I want to see a hack-off between IppSec and EngineerMan.
@justduulga 3 years ago
Watched the whole ad to support xD
@ExploitSecurity 3 years ago
Solid methodology; killer efficiency!
@MaximusIA 3 years ago
Thanks @ippsec I learn a lot with your video demo 👍👍👍👍🥂
@gladwinmohlamonyane4033 8 months ago
The enumeration was so good.
@EmanuelLopesS2 3 years ago
Almost 100k subs, congrats :)
@ralesarcevic 3 years ago
That crackmapexec foolery with it not being the newest is the number 1 reason there should be an Arch-based distro with all the packages, wordlists and everything that comes packaged with Kali. Everything's always the latest version and you don't have to care what's the version of the dependencies 'cause the newest version of programs usually use the latest dependencies. Nevertheless, another great video 🔥
@BlackHermit 3 years ago
This one was relatively simple. Solved it exactly like you did.
@cyb3rboy1986 3 years ago
We're counting down on 100k
@elvi7major577 3 years ago
You are the best ipp. Peace and love
@socat9311 3 years ago
Could you maybe make a short video with your opinion of parrot vs kali? I have kali 2020 loaded on rpi4 and I quite like it but open to opinions
@Ms.Robot. 3 years ago
Thanks sweetheart. 💗💋 Better than TV.
@westernvibes1267 3 years ago
How much ram and cores have you given to your parrotos? Your cme bruteforce goes pretty fast
@aliangel5007 3 years ago
@veeppiaar1722 He said he took the pwnbox and made it a vm.
@kylehagerman7018 3 years ago
does anyone know how to get the bruteforce with crackmap to work? when I run the username and password list it says status account disabled
@jumpstep7085 3 years ago
Could you do more windows AV stuff? What do you enjoy teaching the most?
@roadtocodex1961 3 years ago
Sir commented on ur last video as well how i get knowledge like u any course u can suggest i am willing to pay for the courses
@Groszkin77 3 years ago
@IppSec You promised a video about fuzzing. It would be great to see that.
@user-ut3xl1ik9l 3 years ago
awesome as always
@MrApan112 3 years ago
Do you prefer Parrot over Kali nowadays or is it just for these videos? I'm well versed in many of the tools bundled with Kali but I've never used Parrot, should I give it a try when doing boxes on HTB?
@DHIRAL2908 3 years ago
Parrot looks cooler with the KDE Plasma desktop I use..
@MASAbirokou 2 years ago
the result of ldap scan by nmap didn't show that legacypwd😥
@ethicalmath3963 3 years ago
Are you from Long Island?
@Siik94Skillz 1 year ago
What's most impressive is how he knows every single command + its flags by heart. Sure often they are quite intuitive like -p for password but I believe him knowing every single command is a true testament to how much time and effort Ippsec has dedicated to his craft. This is years of experience showing. Truly inspiring! keep it up brother, you doing great work!
@abdulrahmanfaisal288 3 years ago
Hi please can you tell us what cyber security certificates you have
@wolfrevokcats7890 8 months ago
ippsec? Watched one of his interviews before, I believe he has OSCP
@aaroncamus7414 3 years ago
🤩
@kushalrahatkar4568 3 years ago
hi, I am new. can someone explain to me more deeply what exactly sir ippsec did?
@kushalrahatkar4568 3 years ago
@johncollins9466 I need to understand the process flow
@kushalrahatkar4568 3 years ago
@johncollins9466 broo thanks a lot. Thanks. Thanks for your time and efforts 👍. I completely understood it. And it will surely help me to build the psychology and methodology on such boxes. Thanks once again. Can we connect on Reddit or discord? Thank you once again.
@kushalrahatkar4568 3 years ago
@johncollins9466 bro can you recheck the username. I am not able to find you. Can you add me? My username @Amrteza#5814
@cimihan4816 3 years ago
can somebody help me? Whenever I enable '127.0.0.1:8080' or localhost ip from foxyproxy I get 'The proxy server is refusing connections'
@cimihan4816 3 years ago
@duckie4670 😂😂 Thanks mate I forgot about it
@wolfrevokcats7890 8 months ago
something else already uses that port I guess? Run ss -ant to find out
@0xc0ffee_ 3 years ago
What software does he use to switch OS?
@lixiao4259 3 years ago
what did you mean? he runs parrot os and commando vm in vmware.
@0xc0ffee_ 3 years ago
@lixiao4259 he also switched to windows. I'd like to replicate such an environment
@lixiao4259 3 years ago
@0xc0ffee_ Can you tell me when he did it in the video?
@0xc0ffee_ 3 years ago
@lixiao4259 37:42
@lixiao4259 3 years ago
@0xc0ffee_ Oh! that is the vmware switch bar, if you run more than one vm box you can use it by moving your mouse to the top when the vm box is in full screen mode
@DeShooter3 3 years ago
Is "awk" best for trimming the result? why not use others like "cut", "tr". I'm just curious about it. Is it a preference or is using "cut" twice clunky etc.?
@ippsec 3 years ago
Just personal preference. I spent time learning the awk syntax, I don't know cut/tr off the top of my head.
@netrunner1145 3 years ago
Is that parrot? or kali with some tweaks?
@elvi7major577 3 years ago
This is parrot, htb started supporting parrot this year
@netrunner1145 3 years ago
John Collins thank you john, it’s a specific iso?
@netrunner1145 3 years ago
@johncollins9466 Thank you bro, I know it, but what always impresses me is how smooth the kali/parrot install used by ippsec is.
@akshaykhandhadia187 3 years ago
@johncollins9466 I am already using ParrotOS. All I want is to display IP add as it is seen in Ippsec's terminal. Help me!
@ripmeep 3 years ago
This looks like an awesome linux distro for CTFs. Can I download it from anywhere?
@Gvinfinity 3 years ago
It's parrot os, a pretty common distro for this kinda stuff, you can download it from their official site, just google it.
@ripmeep 3 years ago
@Gvinfinity thanks for the reply :) I know it's parrot os, I meant if it was some kind of special release of it for Hackthebox but I found a git repo to convert it into this. Thanks tho!
@daedreaming6267 3 years ago
@ripmeep Could you share that repo?
@ripmeep 3 years ago
@daedreaming6267 Sure thing, here it is. It's a manual setup so follow the instructions specified and it'll turn into a cool looking hackthebox themed parrot OS box! github.com/theGuildHall/pwnbox
@hadrian3689 2 years ago
lol 26:52 "WHAT?!" I relate to that
@wolfrevokcats7890 8 months ago
LOL. Had the same issue. I used dos2unix to convert the file, then shud be able to grep it
@wolfrevokcats7890 8 months ago
35:01 How did you know that c:\shares\audit is there and accessible as there's no permission to access c:\shares from s.smith user? Anyway, thanks for the awesome video
@brypleb5792 6 months ago
he can know that audit is a directory name from the fact that audit is the name of a share in smb and if the shares directory has the shares (which can be assumed from the name) then audit must be there.
@redeth-or3oh 3 years ago
Cascade Download Link?
@DHIRAL2908 3 years ago
I love CommandoVM! But 20 gbs download of windows 10 for vbox😢
@izaak791 3 years ago
Can the 3 dislikers leave a comment, I don't understand the motives
@aromus1c 3 years ago
they are frustrated because they don't understand anything :/
@IND_Abhi 3 years ago
waiting for it #facereveal #100k
@ippsec 3 years ago
I wouldn’t count on that happening
@ichigok2594 3 years ago
Better to be anonymous :) what’s important for me is IppSec shares his knowledge and that's precious. 🙏
@dayisnow 3 years ago
Why do you want to be so invasive? Be thankful IppSec provides quality offensive security content and leave sharing information about his personal life to his own discretion. Comments like this are just silly to me.
@Ancientlaws 3 years ago
Imagine asking a security conscious guy to reveal his face
@robinhood3841 3 years ago
Do you want to marry him?!
@michaelw9852 3 years ago
not to bash ippsec but this ctf isn't realistic. I'm not a hacker, just a developer and best practices would have those keys stored as part of the environment and not hard coded. I mean it's good hackers are learning these exploits but even the most noobest developer these days knows not to do this vulnerability...
@ippsec 3 years ago
It was listed as a medium machine and moreso just there to get you to open up compiled dotnet code to inspect what it does, never know when you'll find something that's just hidden. Sure a credential may break best practices, but it wouldn't surprise me to see s3 creds and a bucket an application could access that unauthenticated people can't. Lastly, I still come across people putting passwords in fileshares that are accessible to everyone, never underestimate what people will do
@kikaelephant 2 years ago
I still hear about passwords in excel. Just plain text.. so it is not so not possible. You'd be surprised.
@sam-pd7su 3 years ago
Am I the only one who hates the Windows box?
@wolfrevokcats7890 8 months ago
Windows is good for real experience in a real world
@fatihakgun7730 3 years ago
Rule nr: 6 - Don't spoil! www.hackthebox.eu/home/rules
@wolfrevokcats7890 8 months ago
Just read this after 3 years, the link is no longer available