Everything Is Just Dandy!

HackTheBox – Search

IppSec
IppSec
2022-04-30
https://www.youtube.com/watch?v=c8Qbloh6Lqg
00:00 – Intro
00:53 – Start of nmap
05:45 – Using Kerbrute to identify valid users
09:40 – Finding credentials for Hope.Sharp in an image on the website
10:40 – Showing Kerbrute paswordspray silently fails when time is out of sync
13:00 – Having troubles running the Python Bloodhound Ingestor, a digestmod error
15:50 – Giving up fixing my environment, creating a python virtual environment to run this script
18:00 – Uploading data to bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPN and Cracking the hash
23:20 – Parsing the raw Bloodhound Data with JQ and dumping all the valid usernames
25:20 – Using JQ select to show only the users that are enabled, its sql like syntax
28:50 – Running a password spray with kerbrute to find edgar.jacobs has the same credentials as Web_SVC
33:25 – Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys)
36:00 – Using SMBClient to download files, getting an excel document that has a protected row, modifying the document to remove the password and getting more passwords
40:00 – Using CME to run a large password spray guessing a single specific password for each user with the no bruteforce flag
41:25 – Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset password of an administrator
43:00 – Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John
49:10 – Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a Powershell WebConsole
57:20 – Gaining a powershell webconsole, flailing around a littlebit trying to read the GMSA Password
59:43 – Using Get-ADServiceAccount on to read information about the GMSA Account and get the password
1:03:00 – Running commands as the GMSA User with Powershell and Invoke-Command to reset Tristan.Davies Password… We could of psexec’d after this but I decided to do it the hard way.
1:08:00 – Getting a Nishang Reverse Shell, thought this would be easy but there’s quite a bit of AV Evasion we have to do
1:14:40 – Getting rid of some of the reverse shell output allows nishang to bypass AV
1:20:25 – Using John to Crack the PFX File, I forgot to use pfx2john prior.