OSCP Practice Lab: Active Directory Attack Path #3 (Advanced/Client-Side Exploits)

  10,333 views

Derron C


This video walks through one of the more advanced paths to complete domain compromise that I practiced for the OSCP. More specifically, this is a longer walkthrough (sorry!) where we use a client-side exploitation method with MS Office, as well as Active Directory enumeration via SharpHound/BloodHound.
Thank you for watching and I hope this helps you with your journey!
The link to setting up this lab environment will be posted in the near future.
0:00 Intro
0:55 OpenVPN
3:48 MS01 Enumeration
14:09 Web App Enum
25:21 Office Macro
51:43 MS01 Initial Foothold
1:02:34 Office Macro Alt Method
1:16:29 MS01 winPEAS
1:25:14 MS01 Priv Esc via Web Shell
1:42:55 Hunting for Active Directory Credentials
1:47:35 Pivoting with Ligolo-ng
1:54:30 NMAP Scan the LAN Subnet
2:02:10 Finding Deleted Credentials
2:08:10 Cracking Password Protected Word .doc File
2:32:58 MS01 Dumping Credentials with Mimikatz
2:45:22 MS01 SharpHound
2:51:01 MS01 BloodHound
3:01:06 LAPS
3:11:38 More BloodHound and ForceChangePassword
3:26:00 MS02 RDP Lateral Movement
3:40:18 MS02 BloodHound Additional Data
3:46:56 MS02 Mimikatz
3:50:13 Mimikatz rules
3:54:05 DC01 Pwned via psexec

Comments: 46
@MalwareCube 4 months ago
I cannot express how realistic, accurate, and useful these labs are. Thanks very much Derron, I owe a lot of why I passed to these videos. :)
@derronc 3 months ago
🍾 congrats!!!! that is so amazing to hear and I'm stoked for your accomplishment! I know that is such a relief when you get that email
@0xA 6 months ago
You have no idea how incredibly helpful this is - working on OSCP challenge labs and keep thinking back to techniques you use in this series. Find myself coming here before my own notes sometimes. Thank you!
@cosminduduc3016 3 months ago
Derron, this is the first content I came across which really helped for my OSCP prep. Besides a zillion HowTos, learning platforms, etc., I've felt this is the real deal. The way you explain all the details is amazing and I wanted to express my gratitude and thanks for this. It really helped me understand much better the attack vectors in the AD env. Thank you very much man! THANK YOU!
@derronc 3 months ago
that is incredibly high praise, thank you so much!! It means a lot and I'm really glad this is helpful for you
@sergiocharruadas6518 6 months ago
Very good content as always, can't wait for #4, thank you!
@ianp6742 6 months ago
Heeeeyy glad to see another AD path from you!
@DocGMoney 3 months ago
Dude, your ability to talk through what you're doing is next level. Super helpful and man I am stealing your box setup, that's a great way to organize everything. Well done all around and a huge THANK YOU!
@spoon2k 7 months ago
Superb content as always, thank you!
@ChadB_n00b 6 months ago
Suggesting these vids to my OSCP study group. Good work!
@Ibr8kThingz 4 months ago
Wow this was insanely helpful! I am much more confident now walking into the exam. Thank you so much again for your time and dedication!
@uaebikers 4 months ago
Just finished the roughly 9 hours videos which I enjoyed so much. I wish the OSCP videos were this engaging. You are so talented and I wish you can make more videos. At least once a week. A challenge for you 😀
@heipablishenko851 5 months ago
I was unaware of its existence. I am excited to discover what the next instalment in this series will bring.
@user-nm5qp4il6z 7 months ago
Thank you, amazing content!
@Mabenchi6705 7 months ago
This is gold, Thank you
@martindinchev5363 5 months ago
Great videos continue !!!
@souirianas2571 4 months ago
keep up the good work maan!
@hamzagamal4361 1 month ago
unbelievable keep going 💪💪🔥🔥
@Gonski-Cyber 6 months ago
Great content!
@eniak2300 1 month ago
Hey bro, you have such amazing methodologies and your explanations are insane. But can I ask you where you found those labs you are doing in these videos, or did you just build them? Also thank you really for this content!!
@cooki3cutt3r13 6 months ago
good sir, you're a wizard
@maroofchaudhary543 6 months ago
Brother amazing content keep it brother and try to upload more content like this
@TDay666 6 months ago
Always happy to see these videos come out, I use these to refer some of my team for study purposes, as well as for me to prep for my OSCP coming up soon. Have you made these into an ISO/VM instance for download? would love to have my team try these custom boxes out.
@derronc 6 months ago
thank you so much, I'm glad you find these helpful and are sharing them with your team 😊 I thought about how best to share the lab with everyone and that's how I ended up deciding on the "How to build..." videos. Unfortunately MSFT licensing doesn't work well with trying to package up the images into an ISO/VM for public consumption
@user-xo4rr5en3e 7 months ago
Super muper content :)
@michaelwatts1186 6 months ago
Hey Derron, great walkthroughs. Question: in terms of the Office macro that you created, is there an easier way to go about it? It seems like a lengthy setup, and I was curious if there was a pre-created Office macro template from a resource to work with and tailor if you come across this attack method scenario and want to go this route? Also, if you come across the upload function, that you play with the extension format in order to upload a reverse shell if certain extensions are restricted, instead of going the Office macros route. Just curious why you didn't explore that further? Ideally I would prefer to avoid the Office macro exploit to get an initial foothold, just because it's potentially adding additional aspects to your attack approach, and having to get into a spun-up Windows instance to initiate, when there could be a better, more efficient way? Just want to see your thoughts on it?
@SeaTekMonstroso 6 months ago
Great stuff man, my only comment is you should consider using the userpass file options for accounts you already know the passwords for. It will reduce clutter of trying username and password combinations you already know won't work.
@derronc 6 months ago
totally agree! I forgot about the userpass option during the recording. Great call out and thank you for watching!
@johnwright6498 6 months ago
Very helpful content. I take my oscp test in 2 days. The one I struggle is with web foothold. I'm being better though
@derronc 6 months ago
best of luck on the exam!! 🤞
@johnwright6498 6 months ago
@derronc can't talk about it but your technique methodology helped me get my first foothold in. I didn't pass. I will sign up for Hack The Box Academy and study on the weak areas. And will still look towards your videos. I will get it next time. 🤙🏾
@htpeof6943 6 months ago
@johnwright6498 how many machines u got
@sandiproy9810 6 months ago
Hey Derron, can you please share in which year you passed the OSCP? I'm asking because in many groups some people complain that the difficulty level of the OSCP has been increased recently. What do you think about that?
@derronc 6 months ago
I passed my OSCP back in Sept. of this year. I can't say I'm aware of what the previous versions of the exam difficulty were... but I can say that the OSCP exam for me was pretty difficult. I felt like I was going to fail until the last few hours when I managed to finally break through on the AD set. Once I did I pwned the AD set extremely quickly and that gave me enough points to pass. This is one of the reasons I decided to share my practice lessons on youtube: having the right process/comfort level can be the difference between passing/failing.
@1a4s4l7 6 months ago
Once you have a foothold on the ms01, is it necessary to use pivoting techniques? Suppose you can download tools on the compromised box, as an alternative, can you just live off the land?
@derronc 6 months ago
good question! I suppose you could try and live off the land and do everything from MS01, however it would definitely make things harder and may reduce your efficient use of time on the OSCP. I may take this on as a fun challenge though: see if you can do all of this without pivoting through MS01 😊
@eniak2300 1 month ago
Hey bro, do you know why he didn't try to use impacket-GetUserSPNs or impacket-GetNPUsers for kerberoasting and AS-REP roasting after obtaining the credentials of the first domain account?
@TheTacopai 4 months ago
please more videos
@sakyb7 23 days ago
How did you set rules to crack that office hash?
@Laffinfpv 5 months ago
I believe sekurlsa is supposed to be “secure LSA” 😊
@Claymore403 3 months ago
First thing I have to say is thank you for your videos cause they are amazing, second thing is that I think you can inject macro in doc file directly from kali using minitrue or I think eviloffice (maybe it's useful info for someone)
@hack4funacademy 4 months ago
hi, when are u gonna give us a video about how to set up this lab environment
@derronc 3 months ago
Thanks for the ping on this :) Life's been super busy with family/work/school but I'm hoping to have it posted this week.
@hack4funacademy 3 months ago
@derronc I see, alright ty
@alihassam8748 2 months ago
Anyone has Macro code?