00:00 - Intro
01:00 - Start of nmap, getting hostname and
05:20 - Discovering the Server Header changes for virtualhost, probably navigating to a different box/container/etc [MasterRecon]
10:50 - Getting a good SSTI Fuzz String then identifying this string causes an error on the webserver. Removing parts of the string until we see the type of SSTI
13:40 - Playing with ASP Code in this SSTI or ASP Code Injection... Not sure what the vulnerability is
15:30 - Getting a VBScript One Liner to execute code and then getting a reverse shell
24:30 - Discovering a x509 certificate, decoding it with openssl, and discovering a second hostname
29:00 - Downloading and running chisel to setup a reverse socks proxy so we can attempt to pivot through this container
31:54 - Running nmap through the chisel socks proxy with proxychains
34:20 - Setting FoxyProxy to only send specific domains through our proxy
36:30 - Discovering the softwareportal.windcorp.htb attempts to install software on machines, set it to our machine and wireshark to see how 3it connects back to us
38:30 - Using responder to intercept the WinRM Connection and then use hashcat to crack the credentials
42:40 - Using CrackMapExec with our cracked credentials discovering we can access a file share that has Jamovi Files
45:00 - Installing Jamovi then finding out the XSS and proving RCE with Calc. Setting it to execute javascripts off of our webserver
53:20 - Creating a web cradle to execute a reverse shell, in typical ippsec fashion have a typo that we will fix later
56:20 - Fixed up the web cradle, reverse shell returned. Some light enumeration and talking about honey pots that have logon hours set to never
1:00:00 - Start of certificate exploit, downloading tools certify, rubeus, ADCS, PowerView
1:04:45 - Running Certify to find vulnerable certificates, we can edit the certificate template which enables us to enroll a smart card
1:08:00 - Running Get-SmartCardCertificate and then checking certificate store to see we didn't have anything. Showing we need to change the script because a weird thing with UPN's on this box
1:10:50 - Running Get-SmartCardCertificate again with our fix, then getting the certificate thumbprint and using Rubeus to get the credential
1:14:30 - Enabling RDP on the box so we can visually see the certificate
1:19:10 - Opening up MMC to see the certificate
1:23:20 - Doing the Certificate Exploit again but stepping through it all manually using Linux instead of Windows when possible
1:24:20 - Showing the vulnerable certificate template before modifying and what the certificate usage is
1:26:30 - Showing the certificate template after using Set-ADObject to modify the template
1:27:25 - Generating a Certificate Request
1:29:40 - Using CertReq to sign the certificate we generated
1:31:30 - Showing my Kerberos Configuration
1:32:50 - Using CertUtil to output the CA Certificate
1:33:50 - Setting up our port forwards so we can communicate with Kerberos
1:37:45 - Running kinit to login with our X509 Smart Card Certificate, get error show how to debug KINIT with trace
1:39:40 - Changing our time to match the DC and then running KINIT again and getting a session
1:40:50 - Using Evil-WinRM to get a shell with our kerberos certificate
Support the originator by clicking the read the rest link below.
