HackTheBox - Sizzle

Views: 44,530

IppSec

Posted a day ago

01:04 - Beginning of recon
06:45 - Checking the web interfaces
07:20 - Discovering there is a Certificate Authority
08:50 - Taking a look at LDAP
10:55 - Examining SMB to find shares
12:00 - Searching the Operations and Department Shares
14:50 - Viewing permissions of an SMB share with smbcacls
19:10 - Discovering a writeable share, dropping an SCF file to get a hash
22:04 - Using Hashcat to crack NetNTLMv2
24:40 - Using SMBMap to identify if this user has access to anything extra
25:40 - Discovering the CertSRV directory
28:00 - Discovering PowerShell Remoting
30:00 - Error from WinRM (needs SSL)
31:00 - Using OpenSSL to generate a private key
31:52 - Going to /CertSRV to sign our certificate as Amanda
34:00 - Adding the SSL (certificate) authentication to WinRM
35:15 - Playing with LDAP again (with the Amanda creds)
37:50 - Shell on the box with WinRM as Amanda
38:15 - Running SharpHound to enumerate Active Directory
40:29 - AppLocker is on the box, let's move it into the Windows directory
42:00 - Trying to get the BloodHound data off the box
44:20 - Starting BloodHound
45:27 - File didn't copy, let's load up Covenant
49:30 - Covenant is up and running - Create an HTTP listener
50:30 - Hosting a launcher
52:30 - Getting a Grunt
54:40 - Running Seatbelt
57:00 - Running SharpHound
01:00:00 - Finally uploading the BloodHound data
01:01:18 - Running BloodHound with all collection methods
01:05:15 - Discovering that mrlky can DCSync
01:07:25 - Cannot Kerberoast because of the double-hop problem, create a token with MakeToken
01:12:30 - Cracked the Kerberoasted hash, doing MakeToken with mrlky and running DCSync
01:14:40 - Running wmiexec to get Administrator
01:22:00 - UNINTENDED method 1: Amanda can write to Clean.bat
01:24:30 - UNINTENDED method 2: Forensic artifacts leave the mrlky hash in C:\windows\system32\file.txt

Comments: 59
@ryanz8775 (5 years ago)
Better than Saturday morning cartoons; you'd probably have lots of viewers if this were a TV show.

@FerdinandRTvedt (5 years ago)
Hey IppSec, I love your videos, the descriptions and how you categorize them in different playlists by their difficulty. Though I would love to have a difficulty tag in the description too, so one does not have to open up playlists to find out how difficult you thought it was. Keep up the good work! :)

@adamnasreldin7042 (5 years ago)
You can Kerberoast directly from Amanda using Rubeus. I didn't do it through a C2 framework, though. You can also exfiltrate the BloodHound files by copying them as Amanda to the ZZ_Archive or Public folders in the Department share, then copying them from there.

@jmullentech (5 years ago)
FAAAACK. Good call!!! I spent about a week (off and on) trying to figure out if Kerberoasting was even possible on this box. I got her creds and legit hit a wall. Damn!

@zigzag5467 (a month ago)
Hi, I'm getting an error when I try to import the TGT I create with Rubeus: "[*] Action: Import Ticket [X] Error 1450 running LsaLookupAuthenticationPackage (ProtocalStatus): Insufficient system resources exist to complete the requested service." I need it in order to do the Kerberoasting with Amanda, because we still have the double-hop problem, I think :( How did you manage this part?

@fsor_ (4 years ago)
I learned a lot from this video. Thanks IppSec. Also, I used the knowledge learned from other IppSec videos and applied it here. I was able to Kerberoast using Impacket's GetUserSPNs. I used chisel to tunnel the Kerberos and LDAP ports from the target back to my Kali and launched GetUserSPNs towards my localhost; the packets go to the loopback and are tunneled back to the target. Then I did the same certificate application for mrlky to log in to the box as that user.

@TheGhostom (5 years ago)
Hey! Nice vid as always. Just a quick comment on the SMB enumeration: the -N option for smbclient does not correspond to the null session flag; it only suppresses the password prompt. Furthermore, for your smbmap enumeration, you might have specified the "anonymous" user: 'smbmap -H 10.10.10.103 -u anonymous', and this would have listed accessible shares!

@0x2d (5 years ago)
You still had to specify a null password. I did it with smbmap -R -H 10.10.10.103 -u root -p ''

@aarav3890 (5 years ago)
Hell yeah, first on an IppSec vid. Keep up the great work, I've learned a great deal from you :)
@mofogie (2 years ago)
I love how it's called Covenant, seeing how Microsoft named their helper Cortana after their beloved Halo franchise. We are the bad guys hahaha

@pswalia2u (3 years ago)
IDK why you were not able to mount the SMB share; mine worked fine. Maybe you should use creds while creating the share. Is there any way to get a shell as the mrlky user? I have tried runas, but it requires an interactive shell. Then I tried psexec (transferred it to temp), but it doesn't show the output of commands.

@nemowhere (13 days ago)
💪

@JuanBotes (4 years ago)
Great videos

@douglasfoster6212 (2 years ago)
Are there specific conditions required for an SCF file attack to work? I've been able to replicate the attack on a Windows 7 victim but not Windows 10. Thanks!

@kalilinux1228 (3 months ago)
When I am trying to mount "Department Shares" into /mnt, it is saying access denied. Can anyone tell me why, please?

@0x07user (6 days ago)
If we remove all the complications like the double hop and ADCS, that box would be medium at most.

@Stilleur (5 years ago)
Hello IppSec (and others reading) :) I'm wondering what specs/hardware/environment you are working with. I couldn't find any info and I'd be very, very happy to have an insight into it. I guess this is a computer (and not a VM like me). But apart from that, I have no clue. Do you have another dedicated computer for hashcat runs, for example? What are the specs? Any answer from you or anybody else would be like Christmas. Best regards, me
@johnnicholson6571 (5 years ago)
I believe IppSec is using a VM for his HTB videos. When he uses hashcat you can see he remotes into a dedicated machine with 4 x GTX 1080s!

@Stilleur (5 years ago)
@johnnicholson6571 Thanks for the answer, John. But is it even possible to have a Kali VM running that well? That's my dream! I'm running one using Hyper-V and it's slow as hell. Should I switch to VirtualBox? Do you have any advice to give? :) Thanks in advance

@johnnicholson6571 (5 years ago)
@Stilleur No problem. I'm using VMware Workstation Pro 15 and it runs Kali Linux fine, but my laptop is a new i7 with 16GB RAM, so that helps. I've tried running Kali in Hyper-V and the performance was terrible, so give VMware or VirtualBox a try.

@Stilleur (5 years ago)
@johnnicholson6571 Awesome reply =) You're definitely the guy :p

@ippsec (5 years ago)
Yes, I use VMware on Windows for my Kali.

@thedawnofslayer (5 years ago)
@23:30 I use john --format=netntlmv2 amanda.ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt as an alternative to crack this sort of hash as well.
EDIT: @29:50 I surely don't trust the Ruby language, hence I activate a virtualenv for this installation:
$ virtualenv poc
$ source poc/bin/activate   # alternatives for other shells: bash (no extension); .csh; .fish; .ps1; .py ...
$ deactivate                # to get out of the virtualenv
Simple and works fine.

@striple765 (5 years ago)
That was hard!

@kodazkodaz1512 (5 years ago)
How did you guess the share names "Operations" and "Department Shares"? Are these something default?

@ippsec (5 years ago)
Either smbmap or smbclient will show open shares. This was done earlier in the video.

@kodazkodaz1512 (5 years ago)
@ippsec Great, thank you! Great video, I couldn't pwn Sizzle when it was up :(

@sunnymishra5880 (4 years ago)
Hey, does anyone know how the process of the user (amanda) visiting the desktop folder is being automated?

@ippsec (4 years ago)
I believe it's a PowerShell Get-Content loop around Get-ChildItem; however, you should pop the box yourself and then look at the scheduled tasks 🙂

@sunnymishra5880 (4 years ago)
@ippsec Thanks

@user-vl7fh5ki4l (5 years ago)
Thank you so much for this amazing video! Does anyone know if IppSec used Watson in any of his videos?

@limingda728 (5 years ago)
He did use it in the Conceal video :)

@user-vl7fh5ki4l (5 years ago)
@limingda728 Thank you :)
@madebeen (5 years ago)
Couldn't you have just used the FTP server with the amanda creds to download that file instead?

@jumpstep7085 (4 years ago)
Can you get code execution with this attack?

@FreezeLuiz (5 years ago)
Can someone tell me what IppSec's "kraken" is? Is it like an external computer that he uses just to crack passwords?

@aiqiangchen2997 (5 years ago)
It's a remote computer with very strong GPUs that he built to crack passwords or calculate hashes.

@yoeriyoeri4264 (5 years ago)
What is your clear-terminal shortcut/keybind?

@robemmerson (5 years ago)
@yoeriyoeri4264 Ctrl-L to clear the screen, Ctrl-C to cancel the current line you are typing.

@yoeriyoeri4264 (5 years ago)
@robemmerson Thanks, dude

@wolfrevokcats7890 (a year ago)
16:05 What is /Users?

@luminougat4644 (5 years ago)
There is an open pull request for blacklisting of gobuster status codes: github.com/OJ/gobuster/pull/73 (the pull request just needs rebasing onto the newest gobuster version...)

@TheEncodedCreeper (5 years ago)
You should give rustbuster a look; it's super cool and I think it's a good replacement for gobuster (I keep missing stuff because of that damn 401): github.com/phra/rustbuster

@ne12bot94 (5 years ago)
I'm new to the channel. What program are you running under? I'm not sure if you are using Linux or Python.

@mr.fakeman4718 (5 years ago)
This is a machine where I don't understand anything. Maybe I have to watch the video more carefully. Will edit my comment if I can come up with a concrete question.

@jmullentech (5 years ago)
I managed to get the creds for Amanda and pretty much ran into a wall at that point. You're not alone! Hoping this video helps shed some light on wtf is going on here.

@h.i.1359 (5 years ago)
SMB hacking that is not WannaCry :)

@Anonymouspock (5 years ago)
You shouldn't need :set paste if you use the + register to get the Ctrl-C clipboard ("+p in vim) or the * register for the selection clipboard.

@fadiallo1 (5 years ago)
HackTheBox, can you reply please? I have something to say. I really need that reply before I do anything.

@fadiallo1 (5 years ago)
@ippsec w0h? Second time? When was the first time? Is it now?

@fadiallo1 (5 years ago)
ok

@fadiallo1 (5 years ago)
So this is what I need to ask you first: 1 - did you watch "Black Mirror"? 2 - do you know about "electromagnetic waves" or "electromagnetic energy"? 3 - what would not make me the next "Edward Snowden", or something like that, because I have a leak.

@ippsec (5 years ago)
No, I've never watched Black Mirror, and I don't know much about electro-anything. I'm not interested in leaks of any nature. Sorry.

@fadiallo1 (5 years ago)
I recommend you watch "Arkangel" or "Black Museum" from Black Mirror.