Welcome back, XCT!
I couldn't believe my notifications. Thanks pal, more videos pls! Literally the only hacking videos I enjoy, due to your way better format.
Welcome back man missed your videos. Another great walk through
Love the content. Short and concise. A+
Thank you! Your explanations are perfect to understand RBCD, I struggled on it most of the time but not anymore :D
Nice new video on an interesting topic. Also very relevant for HTB :)
Thanks! Hehe yeah, similar to a somewhat recent HTB machine.
I was stuck on the privesc part, thanks man!
Love your videos, so much to learn. Short and very informative. 👏👍
Good content keep it up !
Great content, really enjoyed this. Only thing I'd caution against is spraying all discovered hashes against all known user accounts unless you've first enumerated the lockout policy. Could be a bit chaotic haha! Thanks :)
Thanks! Yeah for sure it's not opsec safe :)
nice to see you back : )
Finally a new video! And a good one as well :).
Welcome back !!! I love your videos.
Thanks! Very helpful and learned a ton. Looking forward to more!
Great to see you back!
the king is back 🔥🔥
The Return of the King
Welcome back! :)
Perfection🔥
New PE method to my knowledge thank you so much! Keep it up.
Could you please give me the tool link you mentioned at 14:27 that automates this PE technique?
It's linked in the blog post in the description :)
@@xct_de thank you so much
Hi xct, glad you are back! I wanted to ask, is there a difference between your privilege escalation path and using something like the "sam-the-admin" or noPAC tools?
Hi! Yes, they are completely different concepts. What you mentioned is CVE based so you need a vulnerable/unpatched version of Windows as the target. For RBCD you need a misconfiguration (the user has GenericWrite/GenericAll on the computer object of the DC).
@@xct_de Got it, thank you very much. And just to be sure, can this GenericWrite/GenericAll be abused with impacket using something like ticketer.py or getST.py? Or a better question would be if there exists a Linux equivalent way of doing this privilege escalation attack?
@@Hacsev Yes, you can check out the rbcd-attack repo linked in the blog post (see desc) - it has a description on how to do it from Linux.
nice
In the Sharphound.exe command, can you please tell me why did you use -c all,gpolocalgroup? Doesn't -c all give us all the necessary data?
"All" does not cover that one (bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html)
What red team training can I take to learn such manual techniques?
You can join vulnlab :)
already did, but that's only partial of something to do to a red team engagement.
@@xct_de I saw vulnlab offering on access labs. Does it come with guides, walkthroughs, and video tutorials?
what kind of screen multiplexer do you use ?
This is i3.
@@xct_de and what is this γt prompt in the terminal? Never seen before!
Impacket errors out because there is no SAM file, the command should have been "impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL" but anyways awesome video! Thanks!