HackTheBox - Rebound
00:00 - Introduction
01:07 - Start of nmap then checking SMB Shares
04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 10000
07:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists
10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication
17:40 - Using NetExec to run Bloodhound as ldap_monitor
25:30 - Discovering Oorend can add themself to the ServiceMgmt group, which can take over the WinRM Account
28:30 - Spraying the password of the ldap_monitor account to discover it shares oorend's password
34:20 - Showing BloodyAD to add Oorend to ServiceMGMT then abusing the GenericAll to Service Users, so we can reset WinRM_SVC's password
40:30 - Showing a more opsec friendly way to take over WINRM_SVC by abusing shadow credentials so we don't change the accounts password
50:00 - As WINRM_SVC we cannot run some commands like qwinsta or tasklist. Using RunasCS, to switch our login to a non-remote login which will let us run these commands
54:10 - Performing a Cross Session attack with Remote Potato to steal the NTLMv2 Hash of another user logged into the same box we are
59:20 - Using NetExec to read GMSA Passwords as TBRADY
1:04:00 - Using findDelagation.py to show constrained delegation from the GMSA delegator account
1:11:20 - Using RBCD.py to setup the Resource-Based Constrained Delegation so we can get a forwardable ticket to abuse delegators delegation and impersonate users
1:18:20 - Using our ticket that impersonates DC01 and performing secretsdump and then getting Adminsitrator's hash so we can login
Watch video HackTheBox - Rebound online, duration hours minute second in high quality that is uploaded to the channel IppSec 30 March 2024. Share the link to the video on social media so that your subscribers and friends will also watch this video. This video clip has been viewed 15,120 times and liked it 393 visitors.
