HackTheBox - Forest


01:15 - Running NMAP and queuing a second nmap to do all ports
05:40 - Using LDAPSEARCH to extract information out of Active Directory
08:30 - Dumping user information from AD via LDAP then creating a wordlist of users
12:10 - Creating a custom wordlist for password spraying with some bash-fu and hashcat
18:30 - Using CrackMapExec to dump the password policy of Active Directory using null authentication, then doing a Password Spray
22:00 - Enumerating information out of AD using rpcclient and null authentication
28:10 - Now that our PWSpray is running in the background, let's go through Impacket Scripts to see what works.
29:30 - Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it.
36:20 - Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials
37:30 - Setting up an SMB share, using New-PSDrive to mount the share, then running WinPEAS
42:20 - Going over WinPEAS Output
44:20 - Downloading Bloodhound and the SharpHound Ingestor
48:50 - Importing the Bloodhound Results and finding an AD Attack Path
52:10 - Going over the Account Operators Group (will allow us to create an account)
53:30 - Using Net User to create a new user, then adding it to the Exchange Group
58:40 - Downloading the PowerSploit Dev Branch to utilize the function "Add-DomainObjectAcl"
01:01:40 - Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights
01:02:30 - Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access
01:07:10 - Going over the "--users" option in hashcat so you can easily identify whose hash was cracked
01:10:43 - Using the KRBTGT Hash to perform the GoldenTicket attack from Linux
01:35:11 - Showing it worked. Issues were that we could not use IP addresses anywhere in the command and needed the FQDN for the domain. Create entries in the hosts file if DNS is not there.