HackTheBox - Monteverde
00:00 - Into
00:54 - Begin of recon
03:36 - Using rpcclient with null authentication and dumping active directory users
06:26 - Building a password list with hashcat --stdout (Forest Video does it better)
08:41 - CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials
12:06 - Using SMBMap to list contents of directories
16:20 - Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell
19:50 - Downloading and running Seatbelt on the server
25:20 - Running WinPEAS for a second opinion
27:45 - Talking about the Azure Admins group
28:55 - Playing with SQLCMD to view the MSSQL Database
30:45 - Downloading and running PowerUpSQL to see if there's any obvious escalation paths
37:00 - Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 hash (I should of noticed its the machine account due to username ending with a $, these are pretty much never crackable)
39:45 - Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers"
43:00 - Running through the commands with SQLCMD to understand what is going on
48:20 - Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on us
49:10 - Stepping through the script to see where it is failing
51:25 - Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script
55:40 - Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box
58:30 - Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on
1:03:50 - Dumping the DNS Zone for MEGABANK.LOCAL via powershell