smbclient also has the `--use-kerberos=required` switch. Not sure if that works with this box, but, a thought I had. Also it appears that kerbrute has a switch `--user-as-pass` under the passwordspray subcommand.
Glad you enjoyed my machine :) and yeah, I wish I could have disabled the xp_cmdshell thing, but because the SQL server thinks you're admin (that's the whole point of the silver ticket part of course), it seemed like there was no way to stop people just re-enabling it.
The way you did this box was so clean, easy to understand, and still touched every core concept brought in by the maker. Very well done!!
I would never have been able to solve this without help. It makes me feel how much there is to learn from the superb video and explanation; the tricks that you show give me goosebumps. Maybe by the end of this year I will be able to acquire this level of knowledge and skill set. Please keep making these videos.
0days folder on the desktop as you do...
Box was very awesome until the goofy privesc at the end. Not that code analysis and understanding the technologies and stuff isn't valuable, but man, it should have just kept the AD theme going.
Sir you are just awesome. Thank you for making these videos available to students like us for free. Long live ippsec.
What's crazy wild about this is the fact that impacket got an update for -dc-host support specifically for this box. Check the issues and you see the box creator talking about how he wished this had got fixed months ago when he created the box.
haha yeah it took 6 months for the machine to be approved by HTB so I really hoped they'd have fixed it by then. Looks like they have now though. That "dc-host" option that ippsec used in the video didn't exist before.
The NTLM Hash Generator site has a lowercase option built in. Just to save you a step in the future. Thank you for the video!
One of your best vids imo. I usually just enjoy watching, but don't really learn much. This time I feel like I learned a lot, and also enjoyed lot more as a consequence. Keep it up!
OK, I'm not the only one 😂
Hi @ippsec, I get the following error when using the JP.exe: "The privileged process failed to communicate with our COM Server :( Try a different COM port in the -l flag."
I may be wrong about this; I assumed they either patched the box or implemented something to prevent this exploitation path. He mentions that this wasn't the intended way to privesc, and I ran into the same error, even when using the -s option which is supposed to find a suitable COM server. 😥
Awesome video as always, cheers from Brasil
I know that we get Admin because we specified the id to be 500 in ticketer, but then why not just run a reverse shell executable with xp_cmdshell to get an Admin shell?
Kinda confused as to how we go from Administrator to a low priv user again.
Love the vids!
thanks ippsec, learned so much. Very much appreciate the way you solve the box but go back to explore the path the author intended it shows so much respect. Also, awesome how that point...is when the doom music kicks in :D
Its called MDI now (Microsoft Defender for Identity). It hooks into the NIC and looks at all DC communication.
Learned a lot watching this video thank you!!
Yo bro, what operating system are you using?
You're doing more than great.
Can I get your Discord? I wanna work with you.
All the best.
How is your Pwnbox like this? The Pwnbox in HTB is different.
maybe it's his box?
Yeah, he did some modifications to the Pwnbox and runs it locally.
Can't remember what vid he talks about that in.
Excellent lesson for me, Thank you.
I was waiting for Windows boxes, sir. Once again, thank you...
If you won't reset password, call ippsec ;)
Why is it that when I create a ticket, then export KRB5CCNAME=Administrator.ccache and then run klist, I get an error saying: klist: krb5_cc_get_principal: refuses to open group/other readable files FILE:Administrator.ccache
thank you if you can help after
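The klist error in the question above is MIT Kerberos refusing a credential cache whose mode lets group or other read it; ticketer.py writes the .ccache with the shell's umask, so 0644 is the usual outcome. Added example, not code from the video or the commenter: a small Python checker for the two things that produce this class of error, a group/other-accessible mode (the reported case, fixed with the equivalent of chmod 600) and a file that is not a FILE: ccache at all (for instance a Rubeus or mimikatz .kirbi, which has to go through impacket's ticketConverter.py first). The header test assumes the MIT layout of a 0x05 marker byte followed by the format version (1 to 4); the stand-in file the demo writes carries only that header and is constructed for the demo.

```python
import os
import stat
import tempfile

# MIT krb5 FILE: ccache header: 0x05 marker, then the format version (1..4).
# impacket's ticketer.py/getTGT.py write version 4.  Assumed layout, see lead-in.
CCACHE_MARKER = 0x05


def ccache_problems(path):
    """Return the reasons klist/kinit would reject `path`; an empty list means it looks usable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # KRB5CCNAME without a FILE: prefix and without a leading / is resolved
        # against the working directory of the process that opens it.
        return ["file not found (check KRB5CCNAME and the working directory)"]

    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is group/other accessible; krb5 refuses to open it" % mode)

    with open(path, "rb") as fh:
        head = fh.read(2)
    if len(head) < 2 or head[0] != CCACHE_MARKER or not 1 <= head[1] <= 4:
        problems.append("header %r is not a FILE: ccache (a .kirbi needs ticketConverter.py first)" % head)
    return problems


def fix_ccache_perms(path):
    """chmod 600 equivalent; returns the resulting mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_demo_ccache(mode=0o644, header=b"\x05\x04"):
    """Write a constructed stand-in ccache (header plus zero bytes) with the given mode.
    Demo input only; it is not a real ticket."""
    fd, path = tempfile.mkstemp(suffix=".ccache")
    os.write(fd, header + b"\x00" * 14)
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    p = make_demo_ccache()                      # 0644, like a ticketer.py output under umask 022
    print(p, ccache_problems(p))                # reports the group/other mode
    print("now %04o" % fix_ccache_perms(p), ccache_problems(p))   # now 0600, no problems
    os.unlink(p)
```

Run it against the real file (ccache_problems("Administrator.ccache")) from the directory you exported KRB5CCNAME in; if the only finding is the mode, fix_ccache_perms on it and klist will read the cache.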
haha I'm with you there
Hey Ippsec. I wonder if there are any other way to support you since your patreon is stopped. Do you prefer RUclips subscription or some other way ?
RUclips Subscription is the preferred method now.
Great explanation as always. We learn a lot each time, thanks a lot
Thanks a lot to you :))
Great box from VbScrub as always. Thanks Ippsec for sharing your knowledge.
Push!
first
@ippsec
I won't ever play windows boxes. There are about 5 quintillion paths to authenticate. Passwords sometimes stored in plain text, sometimes as hashes, sometimes encrypted. Domain Users, Machine Users, SPNs, Managed Service Accounts. 12 gorillion permissions on Users, Machines, Services, AD Objects...
I used to laugh at "security by obscurity".
lol it's insane really