HackTheBox - Sizzle

01:04 - Begin of Recon 06:45 - Checking the web interfaces 07:20 - Discovering there is a Certificate Authority 08:50 - Taking a look at LDAP 10:55 - Examining SMB to find shares 12:00 - Searching the Operations and Department Shares 14:50 - Viewing permissions of a SMB Share with SMBCACLS 19:10 - Discovering a writeable share, dropping a SCF File to get a hash 22:04 - Using Hashcat to crack NetNTLMv2 24:40 - Using SMBMap to identify if this user has access to anything extra 25:40 - Discovering the CertSRV Directory 28:00 - Discovering Powershell Remoting 30:00 - Error from WinRM (Need SSL) 31:00 - Using openSSL to generate a private key 31:52 - Going to /CertSRV to sign our certificate as Amanda 34:00 - Adding the SSL Authentication to WinrM 35:15 - Playing with LDAP Again (with the Amanda Creds) 37:50 - Shell on the box with WinRM as Amanda 38:15 - Running SharpHound to enumerate Active Directory 40:29 - Applocker is on the box, lets move it in the windows directory 42:00 - Trying to get the bloodhound data off the box. 44:20 - Starting bloodhound 45:27 - File didn't copy lets load up Covenant 49:30 - Covenant is up and running - Create a HTTP Listener 50:30 - Hosting a Launcher 52:30 - Getting a grunt 54:40 - Running SeatBelt 57:00 - Running SharpHound 60:00 - Finally uploading the bloodhound data 01:01:18 - Running Bloodhound with all Collection Methods 01:05:15 - Discovering the MRLKY can DCSYNC 01:07:25 - Cannot kerberoast because of the Double Hop Problem, create token with MakeToken 01:12:30 - Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc 01:14:40 - Running WMIExec to get Administrator 01:22:00 - UNINTENDED Method 1: Amanda can write to Clean.bat 01:24:30 - UNINTENDED Method 2: Forensic artifacts leave MRKLY Hash in C:\windows\system32\file.txt