HackTheBox - Querier
00:50 - Beginning of Recon
03:30 - Using SMBMap to enumerate fileshares
05:45 - Discovering an Excel Macro File
09:25 - Using olevba to extract macro from the document to discover credentials
11:15 - Using MSSQLClient.py from Impacket to log into the SQL Server
12:15 - Using the SQL command XP_DIRTREE to read a file off a UNC share and steal the hash with Responder
13:15 - Cracking the NetNTLMv2 Hash
14:11 - Explaining the Responder Database file to view previously captured hashes
16:30 - Logging into the SQL Server with the cracked account, then doing XP_CMDSHELL to run commands
17:50 - Getting a Nishang Reverse Shell
22:00 - Running PowerUp, doing Invoke-ServiceAbuse and discovering creds in an old Group Policy Object
** For some reason the user created with Invoke-ServiceAbuse cannot write to C$ so no psexec :(
26:30 - Going back to the password disclosed via Group Policy and discovering they are an administrator
28:00 - Explaining how the PowerUp module decrypted a password out of Group Policy
29:10 - Getting VIM to highlight PowerShell syntax
34:50 - Rooting the box with Invoke-ServiceAbuse