HackTheBox - Access
00:58 - Begin of recon: ftp, telnet, IIS 7.5
03:00 - Downloading all files off an FTP Server with WGET
05:30 - Examining the "Access Control.zip" file.
06:30 - Cracking a zip file with John
07:45 - Creating a wordlist for cracking the zip (strings of the mdb file)
10:00 - Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)
12:30 - Grabbing the same password we cracked by checking the auth_user table
13:35 - Converting the PST File (Outlook Email) to PlainText via readpst
15:00 - Logging into telnet with the credentials from the email
15:45 - Switching to a Nishang Shell to execute powershell
18:15 - Running JAWS (Just Another Windows Scanner)
23:34 - Discovering Stored Credentials on the box for ACCESS\Administrator
25:11 - Examining the Shortcut on PUBLIC\DESKTOP which shows us how the "Stored Credential" is used.
25:58 - Using powershell to view information of a Shortcut
27:25 - Using the Stored Credential via runas /savecred
(some flailing around, darn Windows quotes)
30:31 - Creating Base64 (UTF-16LE) on Linux to use as a PowerShell EncodedCommand
31:54 - Box done, Administrator returned.
(Flailing around until 54:20)
32:38 - Begin of decrypting the Stored Credential, uploading Mimikatz
33:40 - Using powershell to download files
36:36 - Discovering that I was trying to save mimikatz to a directory I cannot write to :(
37:15 - Testing AppLocker methods to bypass the Software Restriction Policy (Give up on this one)
38:50 - Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)
41:28 - Getting an Empire Agent running
43:35 - Empire Agent Returned, Injecting meterpreter shellcode.
45:46 - Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds
46:52 - Explaining Mimikatz Arguments when in "non-interactive" mode
54:20 - Grabbing needed files to decrypt DPAPI::CREDS offline
56:09 - Switching to Windows to run Mimikatz
01:02:32 - Decrypting the Creds stored in DPAPI