HackTheBox - Sizzle
- Published: 1 Feb 2025
01:04 - Beginning of Recon
06:45 - Checking the web interfaces
07:20 - Discovering there is a Certificate Authority
08:50 - Taking a look at LDAP
10:55 - Examining SMB to find shares
12:00 - Searching the Operations and Department Shares
14:50 - Viewing permissions of an SMB Share with smbcacls
19:10 - Discovering a writable share, dropping an SCF File to get a hash
22:04 - Using Hashcat to crack NetNTLMv2
24:40 - Using SMBMap to identify if this user has access to anything extra
25:40 - Discovering the CertSRV Directory
28:00 - Discovering Powershell Remoting
30:00 - Error from WinRM (Need SSL)
31:00 - Using openSSL to generate a private key
31:52 - Going to /CertSRV to sign our certificate as Amanda
34:00 - Adding the SSL Authentication to WinRM
35:15 - Playing with LDAP Again (with the Amanda Creds)
37:50 - Shell on the box with WinRM as Amanda
38:15 - Running SharpHound to enumerate Active Directory
40:29 - AppLocker is on the box, let's move it into the Windows directory
42:00 - Trying to get the bloodhound data off the box.
44:20 - Starting bloodhound
45:27 - File didn't copy lets load up Covenant
49:30 - Covenant is up and running - Create an HTTP Listener
50:30 - Hosting a Launcher
52:30 - Getting a grunt
54:40 - Running SeatBelt
57:00 - Running SharpHound
60:00 - Finally uploading the bloodhound data
01:01:18 - Running Bloodhound with all Collection Methods
01:05:15 - Discovering that MRLKY can DCSync
01:07:25 - Cannot Kerberoast because of the double-hop problem, create a token with MakeToken
01:12:30 - Cracked the Kerberoasted hash, doing MakeToken with mrlky and running DCSync
01:14:40 - Running WMIExec to get Administrator
01:22:00 - UNINTENDED Method 1: Amanda can write to Clean.bat
01:24:30 - UNINTENDED Method 2: Forensic artifacts leave the MRLKY hash in C:\windows\system32\file.txt
Better than Saturday morning cartoons, you'd probably have lots of viewers if this were a TV show.
Hey Ippsec, I love your videos, the description and how you categorize them in different playlists by their difficulty. Though would love to have a difficulty tag in the description too, so one does not have to open up playlists to find out how difficult you thought it was. Keep up the good work! :)
hell yeah, first on an IppSec vid. Keep up the great work, I've learned a great deal from you :)
I learned a lot from this video. Thanks IPPSec.
Also, I used the knowledge learned from other IppSec videos and applied it here.
I was able to Kerberoast using impacket's GetUserSPNs. I used chisel to tunnel the Kerberos and LDAP ports from the target back to my Kali and launched GetUserSPNs toward my localhost; the packets go to the loopback and are tunneled back to the target. Then do the same certificate application for mrlky to log in to the box as that user.
You can Kerberoast directly from Amanda using Rubeus. I didn't do it through a C2 framework, though. You can also exfiltrate the BloodHound files by copying them as Amanda to the ZZ_Archive or Public folders in the Department share and then copying them from there.
FAAAACK. Good call!!! I spent about a week (off and on) trying to figure out if Kerberoasting was even possible on this box. I got her creds and legit hit a wall. Damn!
Hi, I'm getting an error when I try to import the TGT I create with Rubeus: "[*] Action: Import Ticket
[X] Error 1450 running LsaLookupAuthenticationPackage (ProtocalStatus): Insufficient system resources exist to complete the requested service." I need it in order to do the Kerberoasting as amanda because we still have the double-hop problem, I think :( How did you manage this part?
Hey! Nice vid as always. Just a quick comment on the SMB enumeration: the -N option for smbclient does not correspond to a null-session flag, it only suppresses the password prompt. Furthermore, for your smbmap enumeration, you might have specified the "anonymous" user: 'smbmap -H 10.10.10.103 -u anonymous', and this would have listed accessible shares!
You still had to specify a null password. I did it with smbmap -R -H 10.10.10.103 -u root -p ''
I love how it's called Covenant, seeing how Microsoft named their helper Cortana after their beloved Halo franchise. We are the bad guys hahaha
great videos
I don't know why you were not able to mount the SMB share; mine worked fine. Maybe you should use creds while mounting the share. Is there any way to get a shell as the mrlky user? I have tried runas, but it requires an interactive shell. Then I tried psexec (transferred it to temp), but it doesn't show the output of commands.
Are there specific conditions required for an SCF file attack to work? I've been able to replicate the attack on a windows 7 victim but not windows 10. Thanks!
@23:30 I use `john --format=netntlmv2 amanda.ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt`, an alternative to crack this sort of hash as well.
EDIT:
@29:50 I surely don't trust the Ruby language. Hence, I activate a virtualenv for this installation.
$ virtualenv poc
$ source poc/bin/activate # alternatives exist for other kinds of shell: bash (no extension); .csh; .fish; .ps1; .py
...
$ deactivate # to get out of the virtualenv.
Simple and works fine.
How did you guess share names "Operations" and "Department Shares"? Are these something default?
Either smbmap or smbclient will show open shares. This was done earlier in the video
@@ippsec Great, thank you! Great video, I couldn't pwn Sizzle when it was up :(
Thank you so much for this amazing video! Does anyone know if IppSec used Watson in any of his videos?
He did use it on the Conceal video :)
@@limingda728 thank you :)
16:05 What is /Users?
Hello IppSec (and others reading) :) I'm wondering what specs/hardware/environment you are working with. I couldn't find any info and I'd be very, very happy to get an insight into it. I guess this is a physical computer (and not a VM like mine). But apart from that, I have no clue. Do you have another dedicated computer for hashcat runs, for example? What are the specs? Any answer from you or anybody else would be like Christmas. Best regards, me
I believe IppSec is using a VM for his HTB videos. When he uses hashcat you can see he remotes into a dedicated machine with 4 x GTX 1080s!
@@johnnicholson6571 Thanks for the answer, John. But is it even possible to have a Kali VM running that well? That's my dream! I'm running one using Hyper-V and it's slow as hell. Should I switch to VirtualBox? Do you have any advice to give? :) Thanks in advance
@@Stilleur No problem. I'm using VMware Workstation Pro 15 and it runs Kali Linux fine, but my laptop is a new i7 with 16GB RAM, so that helps. I've tried running Kali in Hyper-V and the performance was terrible, so give VMware or VirtualBox a try.
@@johnnicholson6571 Awesome reply =) You're definitely the guy :p
Yes I use VMware on Windows for my Kali
Hey, does anyone know how the process of the user (amanda) visiting the desktop folder is automated?
I believe it's a PowerShell Get-Content loop around Get-ChildItem; however, you should pop the box yourself and then look at the scheduled tasks 🙂
@@ippsec thanks
💪
When I am trying to mount "Department Shares" into /mnt, it says access denied. Can anyone tell me why, please?
Can you get code execution with this attack?
What is your clear terminal shortcut/keybind?
Yoeri yoeri Ctrl-L to clear the screen, Ctrl-C to cancel the current line you are typing
Rob Emmerson thanks dude
Couldn't you have just used the FTP server with the amanda creds to download that file instead?
That was hard !
Can someone tell me what IppSec's "kraken" is? Is it an external computer that he uses just to crack passwords?
It's a remote computer with very strong GPUs that he built to crack passwords and calculate hashes.
If we remove all the complications like Double Hop, ADCS that box would be medium at most
I'm new to the channel. What program are you running under? I'm not sure if you are using Linux or Python.
There is an open pull request for blacklisting of gobuster status codes: github.com/OJ/gobuster/pull/73 (pull request just needs rebasing to newest gobuster version...)
This is a machine where I don't understand anything. Maybe I have to watch the video more carefully. Will edit my comment if I can come up with a concrete question.
I managed to get the creds for Amanda and pretty much ran into a wall at that point. You're not alone! Hoping this video helps shed some light on wtf is going on here
You shouldn't need :set paste if you use the + register to get the Ctrl-C clipboard ("+p in vim) or the * register for the selection clipboard.
You should give rustbuster a look, it's super cool and I think its a good replacement for gobuster (I keep missing stuff because of that damn 401) github.com/phra/rustbuster
SMB hacking that is not WannaCry :)
HackTheBox, can you reply please?
I have something to say. I really need that reply before I do anything.
@@ippsec W0h?
Second time?
When was the first time? Is it now?
OK
So this is what I need to ask you first:
1 - Did you watch "Black Mirror"?
2 - Do you know about "Electromagnetic waves" or "Electromagnetic energy"?
3 - What would not make me the next "Edward Snowden", or something like that?
Because I have a leak.
No, I've never watched Black Mirror, I don't know much about electro-anything. I'm not interested in leaks of any nature. Sorry.
I recommend you watch "Arkangel" or "Black Museum" from Black Mirror.