HackTheBox - Reel

52,938 views

IppSec

00:42 - Begin of Nmap
04:23 - Examining the anonymous FTP directory and discovering email addresses in metadata
06:50 - Manually enumerating valid email addresses via SMTP
10:50 - Creating a "Canary Document" in Word to ping back to our server when a Word document is opened
13:14 - Generating a malicious RTF Document (CVE-2017-0199)
26:28 - Shell Returned. Enumerating the AppLocker Policy
32:53 - Decrypting a PowerShell Secure String to reveal Tom's Password, Testing access with SSH
35:22 - Let's forget we had Tom and run BloodHound from Nico!
40:30 - First time opening BloodHound on this box.
49:45 - Let's update BloodHound, looks like some data is missing and there were errors when running it
53:25 - Finding a path from Nico to BACKUP_ADMINS and explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner, etc.)
58:23 - Taking ownership over Herman, then allowing Nico to change his password and examining BloodHound
01:01:40 - Adding Herman to the Backup_Admins group
01:04:30 - Finding the Administrator Password within backup scripts.
01:07:00 - Attempting to run Watson (ends up not working)
01:23:22 - Using Metasploit to do the box
01:25:42 - Since Watson failed, let's just look at last patch times on the box to get an idea of what's vulnerable.
01:27:19 - Attempting to do the ALPC Exploit within Metasploit
01:31:00 - That failed - Let's just prove the box is vulnerable by overwriting a DLL

Comments: 55
@CoachAcroTiger 4 years ago
I absolutely love that you keep all of your mistakes in your videos. It is wonderful to know that even the best at this fail and fail often. The point is to keep going until you get there. ;)
@mr.p7437 5 years ago
Too difficult a box, I think I need to see this vid many times before I fully understand. RESPECT!
@getoutandgrill 5 years ago
Nice job ippsec. Very informative.
@0xMookster 5 years ago
I'm so happy you don't have hardcore dubstep in the background....
@bigbooduh 5 years ago
I'm happy he doesn't explain it via notepad.exe
@f4rbs814 4 years ago
@bigbooduh I know I'm late but both of your comments had me rolling on the floor lmao.
@kegnsec 3 years ago
time to cram for reel2!
@adityashinde8545 5 years ago
waiting for that hard machine :P
@aloufin 5 years ago
That was quite an in-depth analysis on that fortinet.net site. Would a junior or intermediate infosec programmer be expected to understand that article 100%? When it dropped into the C, assembly and hexcode levels, I was definitely in over my head lol
@flrn84791 3 years ago
What's an infosec programmer? C is kinda the basics to get into low-level stuff like assembly, as software decompiles into pseudo-C code, and being able to read and understand assembly is a very important thing to have in one's arsenal for binary analysis
@leon1985ist 3 years ago
Hi ippsec, 58:03, I know you learned all these commands over the years, but what kind of books did you read or how did you learn all of this? It is a lot of commands to learn, please share
@fir3wa1k3r2 5 years ago
Can you please suggest some good resources to learn PowerShell? Thanks!!!
@ippsec 5 years ago
The book Powershell in a month of lunches
@fir3wa1k3r2 5 years ago
Great, thanks @ippsec!!!
@angela2437 5 years ago
@ippsec Can you suggest some resources for Active Directory as well? PS: respect for you! You're a source of inspiration!
@ippsec 5 years ago
@angela2437 Setup Active Directory and play with things. No idea, learned mostly from being a sysadmin.
@dakshdubey2202 4 years ago
Hi Ippsec, I believe, if we use bloodhound we will get Events 4624 & 4634 logged on all users which is gonna raise a security flag. In a CTF environment it is completely fine but what would you suggest in real world? Is there a way to bypass the alert? Also, great video, learnt a lot. :)
@ippsec 4 years ago
Sorry I don’t give advice on this type of stuff due to the potential abuse.
@vineethsai7 4 years ago
You can try running on stealth mode on bloodhound. This will create lesser noise, or if you could just get the DC data in one LDAP pull which won't trigger any login events
@dakshdubey2202 4 years ago
@ippsec I understand. Thanks for all the hard work in making these videos :)
@dakshdubey2202 4 years ago
@vineethsai7 Thank you brother. :) I am gonna try this. :)
@tobiasmayer4492 5 years ago
Hello Ippsec. Nice video, but I'm missing the point where you find out that Backup_Admins can view content in that backup folder. How would one search that thing? I happen to often be able to join a group but can't find out what to do with it. Especially self-made groups.
@ippsec 5 years ago
Based upon name it's pretty obvious "Backup_Admin" would be able to access the folder Backup. Otherwise you'd have to do like an icacls against the folder and read the permissions.
@tobiasmayer4492 5 years ago
Thanks @ippsec for the reply. You are right. But I also got my own answer now. AD only controls structure for permissions, but it doesn't hold information about the usages. So when a group is allowed to use something, it's not a given if I can enumerate that.
@aaravsinha6610 4 years ago
When I try copying into the smb shares folder it says "Access is denied"
@user-vl7fh5ki4l 5 years ago
Great video! How did you fix the error for compiling the DLL? I keep getting this error: cs1520 method must have a return type!
@medoangel8370 4 years ago
I think you need to do: int main() Then at the end in the method write: return 0;
@ditrizna 5 years ago
Thanks, ippsec! Nice video! Possible solution to tune architecture of .exe in Visual Studio is under Properties or project > Build > Platform target. Try out silenttrinity with execute-assembly next time? :)
@ippsec 5 years ago
That's already in the next video, just waiting for Saturday.
@hondatech5000 4 years ago
Can't find instructions for neo4j on bloodhound wiki...
@hondatech5000 4 years ago
EDIT: /facepalm found it...
@underrated_mono9770 9 months ago
SharpHound.ps1 in the 4.0.2 version of BloodHound generated an "empty" user.json file after uploading to BloodHound, even though some said the version works. Can anyone suggest a solution to solve it? My machine is Kali x64 on Windows 10 and I unzipped the Linux x64 version, which I supposed was the correct version.
@AnimeshRoy 5 years ago
You were trying x86 shell in meterpreter on an x64 box. I think that may be the issue, I didn't do this box so not sure. And yeah, it's been a long day 😅
@caseylgoodrich 5 years ago
I like to use pushd and popd for mapping network paths.
@Jopraveen18 3 years ago
Hmm tomorrow reel2
@_DeProgrammer 5 years ago
nice video.
@bartekkasprzyk5926 5 years ago
Hi guys, anybody else having trouble running the Set-DomainObjectOwner command? 56:20 I cannot run powerview as nico.
@Utubejeff23 5 years ago
Same here, not sure if it may be the version of powersploit we are running.
@melid404 5 years ago
He is using powerview.ps1 from Empire project, not the one from PowerSploit. github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1
@bartekkasprzyk5926 5 years ago
Thank you @melid404! It did the job.
@elysamsepi0l703 5 years ago
how to install the terminal as well as being? anyway, does anyone know?
@medoangel8370 4 years ago
Tmux, he has a video on it
@mubasher.s 5 years ago
I get error -bash ftp command not found. Could anyone please help?
@MrVosman 5 years ago
Yeah Kali doesn't have ftp installed as default. You need to install it with 'apt install ftp'
@Nobody2day553 4 years ago
Can someone please upload a video showing how to use BloodHound...
@ippsec 4 years ago
Have you watched active and sizzle too?
@Nobody2day553 4 years ago
IppSec will do, thanks.
@elitedeciel 5 years ago
That picture belongs to BloodHoundAD @ github.com/BloodHoundAD/BloodHound. Hope you got their permission to use it.
@ippsec 5 years ago
Bloodhound is used heavily in this video. It’s not the first time I’ve used a program's image in thumbnail, for example boxes that focus on Empire/Msf I have their logos. It’s to help people know what’s in the video when looking through a list.
@sanketlange2834 2 years ago
@ippsec at 29.08 I am getting 500 Internal Server error when trying to copy Applocker.xml file using PUT method with nginx server on
@amerikraine3401 2 years ago
Not handicap, ability lmao
@philn19872 1 year ago
For anyone currently doing this, there is a bug with the latest version of the sharphound.ps1 collector. Use the 4.0.3 release of bloodhound.