HackTheBox - Coder

00:00 - Introduction 01:00 - Start of nmap 03:30 - Exploring the file share 07:15 - Finding Encrypter.exe, which is a dotnet encrypter. Discovering the seed is based upon time, modifying it to decrypt using metadata from the encrypted file to get the seed. 15:30 - The encrypted file was a Keepass Database, looking into it and seeing credentials and a uthenticator backup 19:45 - Installing the "Authenticator" app and seeing the backup format is the same 21:30 - Explaining why we want to just bruteforce AES vs Argon2id 25:50 - Creating a program in javascript to bruteforce the AES by decrypting and examining the contents of what was decrypted 40:40 - Cracking program done, then logging into TeamCity 45:45 - We can't modify the files on TeamCity but we can use the personal build, supply a dif and get it to execute code that way 49:50 - Defender blocked nishang reverse shell, doing some quick obfuscation to bypass defender and get a shell 55:50 - Discovering Teamcity keeps track of personal builds, looking at old ones and discovering powershell credentials. Decrypting the Secure String to get e.black's password 1:08:00 - Running the bloodhound python collector in a Docker 1:17:40 - Writing a bloodhound query to show Organization Units in active directory, then using Get-ACL to see unique privileges to each OU 1:24:15 - Explaining the attack path, e.blake can manipulate ADCS, s.blade can add machines to a specific OU. We can create a vulnerable ADCS Template and exploit this with Certifried 1:31:30 - Creating and publishing the Vulnerable Certificate. Cloning computer, then modifying msPKI-Enrollment-Flag 1:53:30 - Doing an easier vulnerable template, to make this box vulnerable to ESC1. Set msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag,